I am suggesting less reporting, not trying to obligate more. Let's try to understand the issue this way: Would the following Facebook post be wise or foolish?

"My house has 4 doors, and when I leave home, 3 of them are securely locked."

Is there any unwanted information disclosure?

Doug

On Wed, Nov 16, 2022, 6:23 AM Laura Atkins <[email protected]> wrote:

> On 16 Nov 2022, at 10:54, John R. Levine <[email protected]> wrote:
>
> On Tue, 15 Nov 2022, Douglas Foster wrote:
>
> If a server farm hosts DomainA and DomainB, and I only get DMARC aggregate
> reports when I send to DomainA, then I can conclude that DomainB is not
> evaluating DMARC and is therefore more vulnerable to impersonation attacks
> than DomainA.
>
> You can conclude whatever you want, but all you know is that they don't
> send reports. You don't know whether they are looking at DMARC and for
> some "security" reason don't send them.
>
> Seconding this. There was a major mailbox provider who host both free
> consumer domains and a lot of corporate domains that didn't send DMARC
> reports. They were, in fact, evaluating DMARC, but they did not send
> reports back. (I believe they are now, but it took a while).
>
> In any event, the point of IETF standards is to tell people how to
> interoperate. It is not our job to try to save people from themselves. If
> someone doesn't want to use DMARC, that's up to them, not to us or to you.
>
> I don't think it's a good idea to obligate organizations to send reports
> if they choose to evaluate DMARC.
>
> laura
>
> --
> The Delivery Experts
>
> Laura Atkins
> Word to the Wise
> [email protected]
>
> Email Delivery Blog: http://wordtothewise.com/blog
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
