> On 19 Apr 2023, at 14:20, John Levine <jo...@taugh.com> wrote:
>
> It appears that Jesse Thompson <z...@fastmail.com> said:
>> On Mon, Apr 17, 2023, at 8:37 AM, Laura Atkins wrote:
>>> Should the IETF make the interoperability recommendation that SaaS providers who send mail on behalf of companies support aligned authentication? That means custom SPF domains and custom DKIM signatures.
>>>
>>> And if they can’t, then do we make a different recommendation regarding spoofed mail that evades a company’s DMARC policy?
>>
>> +1 to this question. It's entirely unclear to ESPs whether they're allowed to spoof a domain that has no DMARC policy. ESPs can furthermore conclude that Domain Owners who publish p=reject|quarantine are violating DMARCbis, and subsequently the domain's policy declaration is invalid, and can be ignored.
>
> Please see my previous comment about trying to enumerate every dumb thing people might do.
>
> I very strenuously do not want us trying to guess how ESPs think nor offering them advice beyond the interop advice we offer everyone else.

That was my question: is it an interop issue that ESPs (whether they be your traditional ESP or a SaaS provider that sends mail on behalf of their customers) cannot support custom domains in the SPF and DKIM and thus cannot support DMARC? Many of the current companies have made the decision that supporting DMARC is too hard, and so what they do is use their own domain for DMARC (some publish restrictive policies and some don’t).

> In this specific case, if the company publishes p=reject, and they hire an ESP, and the company is too inept to figure out how to let the ESP send aligned mail, well, yeah, then the company's actual policy is clearly not their published policy, and the ESP can do whatever it wants. So let's not go there.

To me it’s not so much the company can’t delegate authentication - it’s how many SaaS providers (some of which are ESPs and some of which are 3rd parties that send through ESPs) are incapable of supporting DMARC alignment. Not it’s hard, not it’s challenging, but simply … can’t. They cannot sign with foreign DKIM domains, and they cannot support different domains for SPF authentication.

Should DMARCbis make the recommendation that if you are providing mail services that you SHOULD be able to support corporate customers using DMARC?

laura

--
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com

Email Delivery Blog: http://wordtothewise.com/blog

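The alignment requirement discussed in the message above, as an added example that is not part of the original thread or written by any of its participants: a receiver-side check showing why mail authenticated only with a provider's own SPF and DKIM domains fails DMARC for the customer's From domain. The domains, the `PUBLIC_SUFFIXES` sample set and all function names are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment as defined in RFC 7489.
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # suffix not in the sample set: assume one-label TLD


def aligned(from_domain, auth_domain, strict):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_pass(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf == "s")
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim == "s")
                  for res, d in dkim)
    return spf_ok or dkim_ok


# Constructed cases: customer domain example.com, provider domain example.net.
CASES = {
    "provider domains only": dmarc_pass(
        "example.com", ("pass", "bounces.example.net"), [("pass", "example.net")]),
    "custom DKIM, provider SPF": dmarc_pass(
        "example.com", ("pass", "bounces.example.net"), [("pass", "mail.example.com")]),
    "custom SPF, no DKIM": dmarc_pass(
        "example.com", ("pass", "bounces.example.com"), []),
    "custom subdomains, strict": dmarc_pass(
        "example.com", ("pass", "bounces.example.com"), [("pass", "mail.example.com")],
        aspf="s", adkim="s"),
}

if __name__ == "__main__":
    for name, ok in CASES.items():
        print(f"{name}: DMARC {'pass' if ok else 'fail'}")
```

In the first case both SPF and DKIM pass on their own, yet DMARC fails because neither authenticated domain aligns with the From domain; one aligned identifier is enough to pass.
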
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc