On Apr 20, 2014, at 12:43 PM, Hector Santos <hsantos@xxxxxxxx> wrote:

> On 4/20/2014 2:25 PM, Douglas Otis wrote:
>>
>> That said, DMARC was never intended to address needs beyond the
>> narrow scope of high value transactional email.
>
> And unfortunately, this attitude was always wrong. Hate to say, but "I told you so." What the design attitude says is this:
>
> If the domain is high value, then only applied policy.
> For all others, ignore it.

Dear Hector,

You missed an important term, "transactional". Transactional email is normally NOT relayed through things like mailing lists, for example. "High value" messages are those likely to invoke responses, which in turn invites a high level of phishing. In such limited scenarios, DMARC makes very good sense.

> Rather than try to honor policy to keep the security high, we are looking for ways to circumvent it. Ignoring Policy no longer works.

Locking the From header field to a specific source for general user mail clearly does not work, and those asserting DMARC policy should know better. If this continues, at some point many will ignore DMARC when it costs more than it is worth.

I too think we can do better, but the senders should be expected to do the heavy lifting. Only they know which third-party services their users send messages through. The TPA strategy is based on the premise that third-party paths can be quickly verified by the recipients without a steep user learning curve. TPA also creates little impact on how email is normally handled. Email security should be structured to support a federated service and not depend on peer-to-peer communications.

Regards,
Douglas Otis