On Thu 15/May/2014 17:13:05 +0200 Dave Crocker wrote: > > 2. There is nothing that requires mailing lists to make adjustment. > Arguably, it is better for mailing lists NOT to make adjustments, so > that those affected users can consider the efficacy of their current > account. I'm disappointed. I know p=reject, like dkim=discardable before it, was meant to be used by domains that "don't have individual human users". I cannot help comparing it to SPF's -all. In fact, DMARC's overview[1] suggests that the monitoring step be followed by policy adjustment. Looking at DMARC reports, one can guess whether an authentication failure originates from abuse or from a possibly forwarded mailing list post. Setting a strict policy would kill both. OTOH DMARC is perfectly useless with p=none. What does it take to set up a "human" domain, then? It's way harder than a web site. Several organizations give up working out their own way to configuring a mail server. Google do an excellent job at filtering. Besides marking as spam and email authentication, they deploy literally hundreds of signals, whose relative importance is dynamic and determined on complex algorithms[2], which are definitely beyond the reach of an average company with a smallish IT dept. Now, being forced to outsource email has obvious privacy issues. I want to ask whether the onset of giant, all-monitoring, central email plants is part of "the basic design assumptions of Internet email". If not, we ought to consider putting the restoring of a well-defined, simple email functionality among the Internet 2020 goals. Can DMARC generalization be regarded as a spontaneous move in that direction? It requires adjustments in mailing lists and other niches such as WSJ send-an-article and gmail sending. But what are the alternatives? Ale [1] How Senders Deploy DMARC in 5-Easy Steps, bottom section in http://www.dmarc.org/overview.html [2] summary of a talk with Sri Somanchi on Gmail's Anti-Spam Team http://www.campaignmonitor.com/blog/post/4196/gmail-focus-on-engagement