Does it makes sense for the DMARC policy to not only set policy and report
on DKIM and SPF but also how the client authenticates via TLS?
As it stands today, many companies are setting up independent TLS
connections between peers to accommodate the various PII laws that require
encryption of data in transit, and there is no central location to place
The DKIM RFC describes how some deployments may have a DKIM selector per
user to accommodate traveling laptops (or something to that effect). If we
were to include TLS certificate information in a policy, that could allow
SPF to be just as portable. And keeping in the spirit of DMARC, no PKI
is needed if the implementation used certificates in DNS (TLSA)
I've seen a few posts that talk about MUAs displaying DMARC-verified
messages with a golden key illustrating it's sent secure. I understand
that MUAs are out of scope for the DMARC spec, but I want to mention that
feature will be confusing to my end users and customers as it stands today.
I'm in the financial vertical and work with HIPPA data and other
material relevant to advisory services,benefits, life insurance. As a
result we are required to encrypt all data in transport.
In fact, I've worked with representatives from DMARC's sponsors (Bank of
America, and Fidelity among others) to set up Enforced TLS between our
companies (NFP). The reason for this was to increase security in lieu of a
portal-based-encryption such as Voltage or Zixmail. Many of our end users
and customers noticed how the contents of the message changed and they
aren't requiring a login to a separate website for PII data. They thought
TLS made the contents insecure in transit, when this isn't the case.
So what are your thoughts? Should DMARC also incorporate some level of TLS
encryption policy and reporting, especially considering the outcome of the
policy will be reflected in the MUA? Should something else be created such
It makes sense to bring this up here and now because the right MTA
developers are addressing message authentication via DNS policy, and TLS is
used for message authentication when the subject name is trusted and
aligned with RFC5322.From.
Thanks for your consideration,
Chris Lamont Mankowski
NOTE WELL: This list operates according to