> On Aug 13, 2020, at 3:09 PM, Douglas E. Foster 
> <[email protected]> wrote:
> 
> 
> Yours is the better answer!
> 
> DF
> 
> 
> -------- Original message --------
> From: Dotzero <[email protected]>
> Date: 8/13/20 5:54 PM (GMT-05:00)
> To: [email protected]
> Subject: Re: [dmarc-ietf] draft-crocker-dmarc-author-00 ?
> 
> 
> 
>> On Thu, Aug 13, 2020 at 5:43 PM Kurt Andersen (b) <[email protected]> wrote:
>>> On Thu, Aug 13, 2020 at 2:33 PM Doug Foster 
>>> <[email protected]> wrote:
>> 
>>> The current DMARC architecture supports authorizing a vendor to mail on 
>>> behalf of their clients if the client includes them in their SPF policy or 
>>> delegates a DKIM scope to them and they use it.
>>> 
>>>  
>>> 
>>> I agree that SPF is too limiting (including hard limits on complexity), and 
>>> DKIM is too complex for an uncooperative vendor.
>>> 
>>>  
>>> 
>>> In most cases, a solution would be a controlled third-party signature 
>>> authorization along the lines of RFC 6541.
>>> 
>>> The client would configure the authorization in his own DNS and the
>>> vendor would only need to sign with their own DKIM signature.   
>>> 
>> 
How would this resolve the alignment failures with regard to the RFC5321.from 
(SPF from) with the organizational domain? 

And I think the vendor's motivation is not putting dev and support resources. 
Does this delegation scheme solve that problem? 

>> If "DKIM is too complex for [this] uncooperative vendor", why would having 
>> the "vendor...sign with...DKIM" be workable?
The vendors for whom it would work already make getting DKIM signing set 
up easy so there’s no problem to be solved.

For the others there’s not much incentive to devote resources and not much risk 
to the vendor to mitigate. No incentive and little risk means not on radar 
unless you care about doing things right. Inbox providers could up the ante 
more and there’s been some movement in that area. 
> 
> Wrong answer. If the vendor is uncooperative then fire the vendor. 4-5 years 
> ago it was difficult to find vendors who were willing to deal with DKIM and 
> able to do a good job in implementing. The common mantra was "how does this 
> fit into my business model". These days I would consider it table stakes.
I see your point but the vast majority of customers of said vendors aren’t 
aware there’s a problem until there is. But make authentication and alignment 
easy and part of setup as the best vendors do puts people on the right path 
without hassles, barriers and disincentives.

Fire the vendor isn’t always that easy if you’re locked in and you’ve got shit 
to do. We’re talking about stone masons, accountants, non profit organizations, 
home inspectors, SaaS companies, and all the other people who have stuff to get 
done. 

Yeah, I’ve helped clients fire plenty of vendors but I’m just saying it is not 
first on one’s to-do list most days.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
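
An added illustration of the alignment question discussed in this thread (not part of any participant's message): a minimal DMARC identifier-alignment check run over three constructed vendor setups. The domains `client.example` and `vendor.example` are made up, and `org_domain` assumes a two-label organizational domain where real evaluators consult the Public Suffix List.

```python
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    # ASSUMPTION: organizational domain = last two labels. Real DMARC
    # evaluators derive it from the Public Suffix List instead.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, strict: bool = False) -> bool:
    # Strict mode (aspf=s / adkim=s) needs an exact match; relaxed mode
    # (the default, "r") only needs the same organizational domain.
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if strict else org_domain(a) == org_domain(f)


@dataclass
class Message:
    header_from: str   # RFC5322.From domain, the identity DMARC protects
    mail_from: str     # RFC5321.MailFrom domain, the identity SPF checks
    spf_pass: bool     # SPF result for mail_from
    dkim_pass: tuple   # d= domains of DKIM signatures that verified


def dmarc_eval(msg: Message, aspf_strict=False, adkim_strict=False) -> dict:
    # A pass on an unaligned identifier does not count toward DMARC.
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.header_from, aspf_strict)
    dkim_ok = any(aligned(d, msg.header_from, adkim_strict) for d in msg.dkim_pass)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}


# Constructed scenarios: a vendor mailing with From: client.example
SCENARIOS = {
    # Vendor uses its own bounce domain and its own DKIM key.
    "vendor_own_identities": Message("client.example", "bounce.vendor.example",
                                     True, ("vendor.example",)),
    # Client's SPF record includes the vendor; MAIL FROM is a client subdomain.
    "client_spf_include": Message("client.example", "bounces.client.example",
                                  True, ("vendor.example",)),
    # Client delegated a DKIM key; vendor signs with d=mail.client.example.
    "delegated_dkim": Message("client.example", "bounce.vendor.example",
                              True, ("mail.client.example",)),
}

if __name__ == "__main__":
    for name, msg in SCENARIOS.items():
        print(f"{name:24} {dmarc_eval(msg)}")
```

In the first scenario both SPF and DKIM verify, yet DMARC fails because neither authenticated domain matches the From domain.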
