In summary: “Report senders SHOULD attempt delivery via SMTP using STARTTLS to all receivers. Transmitting these reports via a secured session is preferrable.”
I don’t think we should add this in, but receivers could deploy DANE/MTA-STS if they wanted to ensure senders who honor those will use TLS. -- Alex Brotman Sr. Engineer, Anti-Abuse & Messaging Policy Comcast From: dmarc <[email protected]> On Behalf Of Hector Santos Sent: Wednesday, April 26, 2023 4:29 PM To: Scott Kitterman <[email protected]> Cc: IETF DMARC WG <[email protected]> Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-aggregate-reporting-10.txt On Apr 26, 2023, at 3:50 PM, Scott Kitterman <[email protected]<mailto:[email protected]>> wrote: I think it would be crazy in 2023 not to use STARTTLS is offered. +1 Personally I interpreted it more as employ a secure transport and think through if you really want to be sending the report if you can't. I think there's some room for interpretation and I think that's fine. I believe connectivity is independent of the application. All connections SHOULD assume the highest possible security available today. For unsolicited email, the presumption would be: Port 25 STARTTLS If I was start performing reports (and I think I will), that is how I would begin, naturally, with outbound SMTP clients with optional TLS if offered. Sorry if I was not focused with the main question, — HLS
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
