> On Oct 27, 2022, at 4:16 PM, Douglas Foster <[email protected]> wrote:
>
> Murray raised the issue of a signature which produces PASS, but lacks trust because it is constructed with weak coverage, such as omitting the Subject or including an L=value clause.
>
> DKIM was designed to be flexible so that it could be used for many purposes. DMARC is a specific purpose and therefore it needs a more specific definition of what a signature should and should not contain. I am proposing that we ensure that all signatures used for DMARC follow a content standard so that all compliant signatures are equally trustworthy.

DMARC’s function is to protect domains from unauthorized spoofing. The effort, time, and money to implement enforcing DMARC policies protect against attacks with consequences ranging from an annoyance to catastrophic. While DMARC’s obscure even amongst techies, when someone groks DMARC they’re all in. They come to trust DMARC. I think DMARC has a good reputation. That good reputation is key to DMARC’s steady climb toward nearly universal adoption.

What could shake that trust? Gaps, even those caused by a sender failing to sign the proper headers, will be blamed on DMARC. SPF and DKIM are supporting characters. DMARC’s the star and where the buck stops.

So while I don’t know if weak signatures are within DMARC’s scope, it’s worth considering if DMARC’s scope has to evolve a bit. I don’t know if it’s realistic or even a good idea for this group to come to a working consensus on DMARC not accepting half-assed DKIM signatures, but it’s worth thinking about.

Neil
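
The weak-coverage conditions named in the quoted proposal (an `h=` list that omits Subject, or an `l=` body-length tag) can be checked on the receiving side as in the following added example, which is not part of the original thread. The list of headers treated as required and the function names are assumptions of the example, and the sample headers are constructed.

```python
import re

# Headers this example expects a DMARC-relevant signature to cover.
# Assumption for illustration: the thread does not define such a list,
# and RFC 6376 itself only requires From to be signed.
REQUIRED_SIGNED = ("from", "subject", "date", "to")

def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature header value into a {tag: value} dict."""
    # Unfold continuation lines (CRLF followed by whitespace) first.
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_value)
    tags = {}
    for part in unfolded.split(";"):
        if "=" not in part:
            continue
        # Split on the first "=" only: base64 values may contain "=" padding.
        name, value = part.split("=", 1)
        tags[name.strip()] = value.strip()
    return tags

def weak_coverage(header_value, required=REQUIRED_SIGNED):
    """Return the reasons a signature has weak coverage (empty list if none)."""
    tags = parse_dkim_tags(header_value)
    # Header field names in h= are case-insensitive and colon-separated.
    signed = [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]
    findings = []
    for name in required:
        if name not in signed:
            findings.append(f"{name} header not signed")
    # l= restricts the body hash to a prefix; content appended after that
    # many octets is not covered by the signature.
    if "l" in tags:
        findings.append(f"l={tags['l']} limits body hash to a prefix")
    return findings

# Constructed sample header values (placeholders, not from a real message).
WEAK = ("v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;\r\n"
        "\th=From:To:Date; l=120; bh=PLACEHOLDER=; b=PLACEHOLDER==")
STRONG = ("v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;\r\n"
          "\th=From:To:Subject:Date:Message-ID; bh=PLACEHOLDER=; b=PLACEHOLDER==")

if __name__ == "__main__":
    for label, value in (("weak", WEAK), ("strong", STRONG)):
        print(label, weak_coverage(value) or "no findings")
```

A receiver could log these findings next to the DKIM result, so a PASS from a signature with weak coverage is distinguishable from a PASS with full coverage.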
