On Friday, May 15, 2020 2:26:24 PM EDT Seth Blank wrote: > https://trac.ietf.org/trac/dmarc/ticket/63 > > A published DMARC record that consists solely of "v=DMARC1; p=none" is > syntactically valid, but is semantically equivalent to having no record at > all. > > >From an ecosystem perspective, especially in Europe, data has been shared > > showing an increasing number of domains putting in bare p=none records, and > then claiming that they are implementing DMARC and have some layer of > protection against spoofing of their domain. > > Explicitly making this case invalid would remove confusion from the > ecosystem, and allow any checker that is up to spec to properly flag a bare > p=none record as being the same as not having a record at all. > > Should we make it invalid to have p=none without a reporting address?
I'll bite: No. This is unrelated to interoperability and unlikely to actually improve anything (this reminds me of the occasional suggestions to make v=spf1 +all special for SPF records). Let's imagine a world where a domain that wants to claim they do DMARC in accordance with the latest RFC 7489bis takes their "v=DMARC1; p=none" record and adds an RUA reporting address to it to comply. Then they never set up the email address and the RUA reports all bounce. It's compliant, right? So then people demand a fix to require the address to be accept mail. We spend two years doing that and then that same domain starts accepting mail to the RUA address, but they route it to /dev/null. Then people complain about the waste of bandwidth associated with sending reports that get thrown away... There's really no end to this. Let's not start down the path. Scott K _______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
