On Fri, Dec 6, 2024 at 7:20 AM Douglas Foster <[email protected]> wrote:
> [snip]
> RFC 7489 makes the recipient dependent upon that sender's participation in
> DMARC. This is unacceptable. No stranger should be given the authority
> to lower my security defenses.
>
>
I vehemently disagree with this assertion; RFC 7489 and DMARCbis do no such
thing, and operators everywhere are free to live by the tenet of "my
network, my rules" just as they always have and always did before DMARC
existed.
A valid DMARC record that applies to the RFC5322.From domain in an email
message provides an additional data point to the mailbox provider that the
provider can use in its disposition decision. That data point allows the
message to be placed on one of two piles for further sorting:
- Stuff using this RFC5322.From domain that passed DMARC checks
- Stuff using this RFC5322.From domain that did not pass DMARC checks
The lack of a valid DMARC record that applies to the RFC5322.From domain in
an email message means that additional data point isn't officially
available to the mailbox provider. The mailbox provider may certainly apply
the DMARC mechanism to the message ("my network, my rules") with the
proviso that the owner of the RFC5322.From domain has made no assertion
that such mail might pass DMARC, as there's no DMARC record, so caveat
emptor. Assuming that the DMARC mechanism is not applied when there is no
DMARC record means that the message can only be placed on one pile, pending
further sorting:
- Stuff using this RFC5322.From domain
In both cases, further sorting of messages will include a host of other
data points as deemed necessary by the mailbox provider in order to fulfill
their primary goal of ensuring that their customers receive all mail that
they want to receive, while keeping from their customers as much unwanted
mail as possible.
Mailbox providers were successful in rejecting many billions of messages
per day prior to the release of RFC 7489, and they continue to reject many
billions of messages today independent of any DMARC checking. Some large
mailbox providers are now requiring the existence of a valid DMARC record
for the RFC5322.From domain in order for some classes of mail to be
candidates for acceptance, but to the best of my knowledge, no mailbox
provider anywhere is treating the non-existence of a valid DMARC record for
a message as a reason to throw up their hands and proclaim themselves
unable to take any defensive steps against that message. To the contrary,
I'd wager that, if anything, mailbox providers are reasoning that lack of a
DMARC record might be a reason to be more suspicious of a
message, not less so.
--
Todd Herr
Some Guy in VA LLC
[email protected]
703-220-4153
Book Time With Me: https://calendar.app.google/tGDuDzbThBdTp3Wx8
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
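The two-pile (or one-pile) sorting that Todd describes above, worked through as a small evaluator. This is an added example, not code from the thread or from either participant. It assumes DMARC records are handed in as constructed strings rather than fetched from DNS, approximates the organizational domain as the last two labels (a real evaluator consults the Public Suffix List), and honours only the v, p, adkim and aspf tags; pct, sp and the reporting tags are ignored. The names AuthResult, parse_dmarc_record, aligned, dmarc_passes and sort_message are all hypothetical.

```python
"""Two-pile DMARC sorting, as a worked sketch.

Added example, not code from the dmarc list thread or any participant.
Assumptions (not in the original message):
  - DMARC TXT records are passed in as constructed strings; no DNS lookups.
  - The organizational domain is approximated as the last two labels
    (a real evaluator uses the Public Suffix List).
  - Only the v, p, adkim and aspf tags are honoured; pct, sp and rua are ignored.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthResult:
    """One authentication result, as a receiver would record it in Authentication-Results."""
    method: str   # "spf" or "dkim"
    result: str   # "pass", "fail", "none", ...
    domain: str   # SPF: RFC5321.MailFrom domain; DKIM: the d= tag


def parse_dmarc_record(txt: Optional[str]) -> Optional[dict]:
    """Return the tag=value map of a valid DMARC record, else None.

    A record counts as valid only if its first tag is v=DMARC1 and it carries
    a p= tag; anything else is treated as 'no valid DMARC record'.
    """
    if txt is None:
        return None
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if not tags or next(iter(tags)) != "v":
        return None
    if tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain: str) -> str:
    """Approximate organizational domain: last two labels (assumption, see above)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment against RFC5322.From: strict ('s') needs an exact
    match, relaxed ('r') only needs the same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    return org_domain(f) == org_domain(a)


def dmarc_passes(from_domain: str, results: List[AuthResult], record: dict) -> bool:
    """DMARC passes if at least one SPF or DKIM pass is aligned with RFC5322.From."""
    adkim = record.get("adkim", "r")[:1].lower()
    aspf = record.get("aspf", "r")[:1].lower()
    for r in results:
        if r.result.lower() != "pass":
            continue
        mode = adkim if r.method.lower() == "dkim" else aspf
        if aligned(from_domain, r.domain, mode):
            return True
    return False


def sort_message(from_domain: str, results: List[AuthResult],
                 record_txt: Optional[str]) -> Tuple[str, Optional[str]]:
    """Place a message on a pile and report the domain owner's requested handling.

    Returns (pile, requested_disposition):
      ("dmarc-pass", "none")    aligned pass; the owner asks for no action
      ("dmarc-fail", p-value)   no aligned pass; the owner requests p= handling
      ("no-record", None)       no valid record; the owner has asserted nothing
    The disposition is only a request: the receiver layers its own rules on top.
    """
    record = parse_dmarc_record(record_txt)
    if record is None:
        return ("no-record", None)
    if dmarc_passes(from_domain, results, record):
        return ("dmarc-pass", "none")
    policy = record["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"   # unknown p= value: treat as if no policy were requested
    return ("dmarc-fail", policy)


if __name__ == "__main__":
    # Constructed sample: RFC5322.From is example.com, DKIM-signed by a subdomain,
    # SPF passing for an unrelated sending domain.
    res = [AuthResult("dkim", "pass", "mail.example.com"),
           AuthResult("spf", "pass", "bulk-esp.example.net")]
    print(sort_message("example.com", res, "v=DMARC1; p=reject"))
    print(sort_message("example.com", res, "v=DMARC1; p=reject; adkim=s"))
    print(sort_message("example.com", res, None))
```

The third call is the one-pile case from the message: with no record the evaluator can only say "no-record" and hands back no requested disposition, leaving the receiver to sort on whatever other data points it has. Note that "dmarc-fail" with p=none is still a fail; the owner has simply asked that nothing be done about it.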