Jim Fenton writes: > Hi, Dave - > > On 12/19/2014 02:30 PM, Dave Crocker wrote: > > [2.4 Out of Scope] > >> Bullet 10: Again, DMARC doesn't do authentication, even for domains; it > >> relies on other authentication mechanisms. > > I originally thought this, too, but in fact DMARC does do authentication: > > > > DMARC asserts authenticity of the rfc5322.From field domain name. > > That's a distinct semantic increment over anything SPF or DKIM do on > > their own. > > What it does is different enough from SPF and DKIM that I think it's > overloading the term "authentication" to use it again here. It doesn't > contribute to a clear understanding. It looks at the results of SPF and > DKIM, which operate at the domain level, so this bullet isn't really > necessary.
It's important to be precise about these concepts. As I read RFC 4949, Dave is correct. It's true that most of the heavy lifting was done by SPF or DKIM, and in that sense DMARC is very different. Nevertheless, it's the fact that DMARC authenticates the domain of the address in From that makes it useful. And problematic: it is that claim of authentication that justifies use of "p=reject". It had better be in the document. _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
