Does this scenario correctly characterize how organizations may be unable to move past p=none with breaking things?
Before DMARC -------------------- a) A vendor application detects an event, looks up in a database for sender name (client contact) and recipient list. b) The application connects to a mail server via IMAP, and sends the message using something like application@vendordomain for the SMTP from and cllentcontact@clientdomain as the Message from. The client domain becomes especially important if the recipients are in a different domain than the client. An example might be an HVAC system operated by a vendor, on behalf of the building manager, which needs to communicate with the building tenants.. The message passes SPF based on the SMTP From address in the vendor domain. The client domain is not enforced. All of this can be implemented with generic off-the-shelf technology. Then the client wants to implement DMARC ---------------------------------------------------------- d) The client develops a list of all of its third-party mailers and tells the third parties to begin applying the client's DKIM signature to their messages. This adds a boatload of complexity to the vendor's application, since he needs a different applied signature for each client. It requires either major changes to the application, a more sophisticated mail server, or a special box simply to sit in front of the mail server to detect and apply the correct signature. None of these seem like generic off-the-shelf solutions. I would not know where to buy that capability if I needed it today. e) If the client attempts to comply, it may take a long time and add a lot of cost. If the client cannot comply, switching vendors is also complex and time consuming. So in the end, a hypothetical U.S. government agency may end up telling Homeland Security that it cannot meet the DMARC deadline because of an application that runs in Peoria Illinois which cannot implement DKIM delegation signing. Of course, if that does not fly, the p=reject goes into effect anyway and the folks in Peoria hope that the intended recipients will implement an exception in their incoming gateway. In sum, DMARC participation is not fully in the control of the organization that wants to implement it. We need to make DMARC participation a process where the participating organization has control over its own success and carries the costs of becoming compliant. DKIM scope delegation does not get us there. DF
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
