Sorry, Barry.  I should have included the problematic text.  Here it is:

4.7.  DMARC Policy Discovery


If the set produced by the DNS Tree Walk contains no DMARC policy
record (i.e., any indication that there is no such record as opposed
to a transient DNS error), Mail Receivers MUST NOT apply the DMARC
mechanism to the message.


The purpose of DMARC is (or should be) to help evaluators make better
disposition decisions, because when they do, senders of wanted messages
will benefit from improved delivery as a result of the improved decision
making.

DMARC uses available information to produce a result of "Authenticated" or
"Not Authenticated".   Sometimes, the message can be reliably categorized
as "Authenticated" or "Not Authenticated" without reference to the
specifics of a domain owner policy.   "Authenticated" is certain if the
RFC5322.From domain matches the domain which generated SPF PASS or
a domain which generated DKIM PASS.    Conversely, "Not Authenticated" is
certain if no domains match at the right-most two labels.

But this language says that the evaluator must not consider results
certain, even if DMARC's logic clearly indicates that they are certain,
when the policy is missing.   If "Authenticated" and "Not Authenticated"
are not allowed, then the result becomes "Unknown."   This design is asking
the evaluator to do something which defies common sense and defies his own
self-interest.  If an illogical design causes an evaluator to make
sub-optimal disposition decisions, then it hurts the domain owner also.

Does this clarify the issue?

Doug Foster




On Thu, Aug 4, 2022 at 10:19 AM Barry Leiba <[email protected]> wrote:

> I'm trying to figure out exactly where in the document the text you're
> commenting about is, but you haven't said and it's not clear to me.
> Can you cite the specific text and say in what section it is?
>
> Barry
>
> On Wed, Aug 3, 2022 at 11:41 PM Douglas Foster
> <[email protected]> wrote:
> >
> >
> > Consider:  A message has a verified DKIM or SPF domain which exactly
> matches the RFC5322.From domain.
> >
> > In this case, the only applicable information in a policy record is the
> reporting address(es).   But the specification does not require evaluators
> to send reports and does not require domain owners to request reports, so
> these three situations are functionally equivalent:
> >
> > 1) The reporting address is not used because the evaluator does not send
> reports.
> > 2) The reporting address is not used because the policy does not provide
> an address.
> > 3) The reporting address is not used because a policy has not been
> published.
> >
> > However, our specification says that for the third option, the evaluator
> must ignore the exact-match verification and therefore treat the message as
> having authentication status "unknown".  This makes no sense.
> >
> > More generally, I object to any imposition of "must" on an evaluator.
> His only "must" is to act in his own best interest to protect himself from
> harm.   Ignoring obviously favorable data is not in his interest.
> >
> > Doug Foster
> > _______________________________________________
> > dmarc mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/dmarc
>
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
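The three outcomes the thread argues about ("Authenticated", "Not Authenticated" and the "Unknown" that results when a receiver follows the Section 4.7 MUST NOT and a record is absent) can be shown with a small alignment evaluator. This is an added example, not code from the thread, the DMARC specification or any DMARC implementation. It assumes, as the message above does, that the organizational domain is the right-most two labels; that is only an approximation (it is wrong for names such as example.co.uk), whereas real evaluators use the Public Suffix List or the DMARCbis DNS Tree Walk. The `AuthResults`, `evaluate` and `apply_spec_rule` names, the sample domains, and the `adkim`/`aspf` defaults of relaxed alignment when no record exists are all assumptions made for this illustration.

```python
"""Added example: DMARC identifier alignment and the effect of a missing
policy record. Not from the mailing-list thread or from any DMARC
implementation. Sample domains are constructed inputs."""
from dataclasses import dataclass, field
from typing import List, Optional


def _normalize(domain: str) -> str:
    return domain.lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Approximate the Organizational Domain as the right-most two labels.
    Assumption taken from the message above; a production evaluator must use
    the PSL or the DMARCbis Tree Walk instead (example.co.uk breaks this)."""
    labels = _normalize(domain).split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact match; relaxed ('r')
    alignment requires the same organizational domain."""
    f, a = _normalize(from_domain), _normalize(auth_domain)
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


@dataclass
class AuthResults:
    # Domain that produced SPF PASS (MAIL FROM or HELO), or None if no pass.
    spf_domain: Optional[str] = None
    # d= values of DKIM signatures that verified.
    dkim_domains: List[str] = field(default_factory=list)


def dmarc_alignment(from_domain: str, results: AuthResults,
                    adkim: str = "r", aspf: str = "r") -> str:
    """Return 'Authenticated' if any passing identifier aligns with the
    RFC5322.From domain, otherwise 'Not Authenticated'."""
    if results.spf_domain and aligned(from_domain, results.spf_domain, aspf):
        return "Authenticated"
    for d in results.dkim_domains:
        if aligned(from_domain, d, adkim):
            return "Authenticated"
    return "Not Authenticated"


def evaluate(from_domain: str, results: AuthResults,
             policy: Optional[dict], apply_spec_rule: bool = True) -> str:
    """policy is a dict of DMARC record tags, or None when the Tree Walk
    found no record. With apply_spec_rule=True the Section 4.7 MUST NOT is
    honoured: no record means DMARC is not applied and the result is
    'Unknown'. With apply_spec_rule=False the alignment result is computed
    anyway, which is the behaviour the message argues for. Relaxed alignment
    is assumed as the default when tags (or the record) are missing."""
    if policy is None and apply_spec_rule:
        return "Unknown"
    tags = policy or {}
    return dmarc_alignment(from_domain, results,
                           adkim=tags.get("adkim", "r"),
                           aspf=tags.get("aspf", "r"))


if __name__ == "__main__":
    # Exact-match SPF PASS, no record: the spec says 'Unknown', the message
    # says the evaluator already knows it is 'Authenticated'.
    exact = AuthResults(spf_domain="example.com")
    print(evaluate("example.com", exact, None))                          # Unknown
    print(evaluate("example.com", exact, None, apply_spec_rule=False))   # Authenticated
    # Subdomain DKIM signature: relaxed aligns, strict does not.
    sub = AuthResults(dkim_domains=["mail.example.com"])
    print(evaluate("example.com", sub, {"p": "none"}))                   # Authenticated
    print(evaluate("example.com", sub, {"p": "none", "adkim": "s"}))     # Not Authenticated
```

The `apply_spec_rule` switch exists only to make the disagreement visible side by side; a receiver that ignores the MUST NOT still has no policy tags to act on, so the alignment outcome carries no domain-owner-requested disposition with it.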
