> On Oct 19, 2022, at 5:42 PM, Neil Anuskiewicz <[email protected]> wrote:
>
>> On Oct 19, 2022, at 6:59 AM, Scott Kitterman <[email protected]> wrote:
>>
>>>> On October 19, 2022 12:44:16 PM UTC, Dotzero <[email protected]> wrote:
>>> On Tue, Oct 18, 2022 at 11:18 PM Scott Kitterman <[email protected]>
>>> wrote:
>>>
>>>> On October 18, 2022 10:16:44 PM UTC, Neil Anuskiewicz <[email protected]> wrote:
>>>>>
>>>>>> On Oct 2, 2022, at 11:01 AM, Douglas Foster <[email protected]> wrote:
>>>>>>
>>>>>> In many cases, an evaluator can determine a DMARC PASS result without
>>>>>> evaluating every available identifier.
>>>>>> If a message has SPF PASS with acceptable alignment, the evaluator has
>>>>>> no need to evaluate any DKIM signatures to know that the message produces
>>>>>> DMARC PASS.
>>>>> I think it’s critical to DMARC that receivers do things like evaluate and
>>>>> report on DKIM whether or not SPF passes and is aligned. Without this, it
>>>>> would make it harder for senders to notice and remediate gaps in their
>>>>> authentication. Since there’s not a downside (that I know of), I’d say this
>>>>> should be a MUST if at all possible.
>>>>
>>>> What is the interoperability problem that happens if evaluators don't do
>>>> that?
>>>>
>>>> Scott K
>>>>
>>>
>>> Scott, What is the interoperability problem if evaluators didn't provide
>>> reports at all? Reporting isn't a "must" for interoperability but it
>>> certainly helps improve outcomes instead of senders flying blind.
>>
>> I read the email as suggesting a MUST for reporting both SPF and DKIM
>> results if you report results at all, which would, I think lead to exactly
>> the situation you're concerned about. I'm skeptical of any kind of MUST
>> around reporting since that's generally reserved for things that impact
>> interoperability. I do agree it should be encouraged.
>>
>> Mostly, at the moment, I'm trying to understand the proposed change and the
>> rationale.
>
> I think the reactions were to the tone that seemed to suggest that the
> importance of reporting was being downplayed. MUST is too strong and strongly
> encouraged is sufficient. The standards system relies on people making a good
> faith effort. To me, Doug’s comments came off as wanting to weaken the
> language which concerned me.
>
> Reporting is key for DMARC to work as a system so any hint of weakening that
> language or even could be interpreted as such caught my attention. I think
> Doug clarified his position as addressing specific cases not a weakening of
> the reporting language.
>
> DMARC is about the interests of the system but following the standard
> strengthens the system within which the sender or receiver operates. Even if
> one wasn’t interested in the health of the system in and of itself, reporting
> benefits the admin as it increases security and reduces broken
> authentication. A *LOT* of Senders use reporting data as part of the process
> of fixing their own and third party senders they wish to allow or spoof,
> discovering errant shadow IT, etc.
>
> Reporting is of core importance for everyone if for no other reason than to
> avoid headaches. Thanks.

s/allow or spoof/allow to spoof/
