On Thu, Jun 18, 2015 at 1:36 AM, Kurt Andersen (b) <kb...@drkurt.com> wrote:

> Matthew,
>
> I would suggest talking to the folks at Agari and Dmarcian (both are
> linked from dmarc.org/resources). I intentionally kept the presentation
> away from endorsing any particular vendors - partly because they change
> over time and partly because I think that's the right thing to do at a
> general tech conference.
>
> The advice that others have provided about the risks of asserting any
> policy more rigorous than p=none for the entirety of an EDU domain is well
> founded. If you have particular email streams which require higher levels
> of protection, such as financial statements or account/personal
> information, then the best practice is to send those from a subdomain which
> has the higher policy bar (quarantine or reject). As suggested, no personal
> mail should be part of that stream and you may have to deal with a
> recipient base (students) who are somewhat more likely to make use of email
> forwarding, hence falling into one of the higher risk groups for DMARC
> failures.
>
If you have a phishing problem, I would do the opposite. I would protect
the organizational level with p=reject as the policy would apply to all
subdomains (existing or non-existing), and carve out exceptions for
subdomains with users. This may need a reorganization of your mail streams.

Also I note many EDU environments use MS-Exchange for student/staff, and
many mailboxes are set to forward emails. Unfortunately MS-Exchange does
not preserve DKIM well when forwarding except in the latest releases. You
may want to upgrade to the latest.

Note, many mailing list software packages now have a DMARC compatibility
mode, but some regard it as the mark of evil and then make strange signs
just at the mention of it....

Some ongoing documentation of issues and possible solutions:
http://datatracker.ietf.org/doc/draft-ietf-dmarc-interoperability/
_______________________________________________
mailop mailing list
mailop@mailop.org
http://chilli.nosignal.org/mailman/listinfo/mailop
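
Added example, not part of the original message: a small resolver showing which DMARC policy a receiver ends up applying under the two layouts discussed in this thread (p=none on the organizational domain with a strict subdomain, versus p=reject on the organizational domain with a relaxed subdomain for users). The example.edu names and records are constructed, the dictionary stands in for DNS, and the organizational domain is passed in by the caller as an assumption.

```python
# Constructed zone data; example.edu and its subdomains are placeholders.
SUBDOMAIN_STRICT = {  # p=none on the org domain, strict subdomain for sensitive mail
    "_dmarc.example.edu": "v=DMARC1; p=none; rua=mailto:dmarc@example.edu",
    "_dmarc.billing.example.edu": "v=DMARC1; p=reject",
}
ORG_STRICT = {  # p=reject on the org domain, relaxed subdomain for user mailboxes
    "_dmarc.example.edu": "v=DMARC1; p=reject; rua=mailto:dmarc@example.edu",
    "_dmarc.students.example.edu": "v=DMARC1; p=none",
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def effective_policy(from_domain, org_domain, zone):
    """Policy discovery in the style of RFC 7489 section 6.6.3.

    zone stands in for DNS. org_domain is supplied by the caller (assumption);
    a real receiver derives it, e.g. from the Public Suffix List.
    A record without p= is treated as p=none here (simplification).
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    own = parse_dmarc(zone.get("_dmarc." + from_domain, ""))
    if own is not None:  # the From: domain publishes its own record
        return own.get("p", "none").lower()
    org = parse_dmarc(zone.get("_dmarc." + org_domain, ""))
    if org is None or from_domain == org_domain:
        return None  # no DMARC policy applies
    # Fallback to the org record: sp= wins for subdomains, otherwise p=.
    return org.get("sp", org.get("p", "none")).lower()

def compare(domains, org_domain="example.edu"):
    """Map each From: domain to its (SUBDOMAIN_STRICT, ORG_STRICT) policy."""
    return {d: (effective_policy(d, org_domain, SUBDOMAIN_STRICT),
                effective_policy(d, org_domain, ORG_STRICT)) for d in domains}

if __name__ == "__main__":
    for d, pols in compare(["example.edu", "billing.example.edu",
                            "students.example.edu", "no-such-host.example.edu"]).items():
        print(f"{d:28} subdomain-strict={str(pols[0]):8} org-strict={pols[1]}")
```

The row for no-such-host.example.edu is the one the two layouts disagree on: a subdomain with no record of its own inherits the organizational policy, so only the second layout covers names that were never set up.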
