ietf-mxcomp

Re: Semantics: per user policy

2004-05-08 03:30:46

"Jon" == Jon Kyme <jrk(_at_)merseymail(_dot_)com> writes:

    Jon> It's not clear that this is true. Administration of the
    Jon> domain "organization.tld" must be centralised. I guess
    Jon> subdomains might be delegated. 

Note that I'm not talking about who administers the DNS -- this will
typically be the IT department.  I'm talking about administration in
broader organizational management terms.

In the case where subdomains are used the problem doesn't arise.  If
an organization uses user(_at_)department(_dot_)organization(_dot_)tld then
it's easy to publish different policies for different departments
(whether or not the departmental domains are delegated).

The problem is that when users are working from home or travelling and
(say) using facilities in a hotel, they may be in the habit of simply
pointing their SMTP client at the SMTP server of their home or hotel
ISP and sending mail that way.  As soon as the organization publishes
MARID records, such mail will start bouncing if the recipient does
MARID checks.

Worse, if the organization uses any mechanism for verifying that
bounces correspond to messages originated by them, then these bounces
will appear to be invalid, so the user will just silently have some of
their outgoing mail fail.

Furthermore, some ISPs apparently block port 25 outgoing, and I'm led
to believe that some even transparently proxy port 25 to force all
mail through the ISP's MTAs.  In these cases the user will need to use
port 587 mail submission, which may require changing to a different
MUA.

Deploying MARID hence requires getting acceptance organization-wide
that users must always send out mail using only the corporate MTAs.
Where this isn't current practice, it may be difficult to get
agreement on this.

Ensuring that all outgoing mail goes through the corporate MTAs is not
a difficult problem to solve, but it doesn't come for free and in some
cases will necessitate changes in working practices.  Getting
agreement between all departments that the benefits of MARID justify
these changes may be difficult.  Getting an edict from senior
corporate management that all departments must comply would seem
unlikely, without a strong business case.

In that case, MARID deployment will simply be stalled.  Allowing
per-user records allows those departments which are unwilling to adapt
to be exempted from MARID, and to continue to send mail through any
MTA.  Those departments that are happy to change their working
practices (or which already work this way) can be included in the
scheme.

        -roy
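The lookup behaviour argued over above (per-domain policies on departmental subdomains, the roaming user whose mail fails when the recipient checks, and a per-user record that exempts that user), as an added example that is not part of the original message or of any MARID draft. The record format, the "user record first, then domain record" lookup order, the in-memory table standing in for DNS, and all addresses and IP ranges are assumptions constructed for illustration.

```python
"""
Added example, not from the original thread: a toy evaluation of
sender policies at domain and per-user scope.

Assumptions (not from the post or any MARID draft):
  - a policy is a list of permitted client networks in CIDR form;
  - a published value of None means "this scope opts out", so the
    check returns "none" rather than "fail";
  - a per-user record, if present, takes precedence over the domain
    record; this is the exemption mechanism the post argues for;
  - records live in a dictionary instead of DNS.
"""
import ipaddress

# Constructed stand-in for DNS-published domain policies.
POLICIES = {
    # corporate MTAs (documentation range used as a sample)
    "organization.tld": {"permitted": ["192.0.2.0/24"]},
    # a department that also relays through its own host
    "sales.organization.tld": {"permitted": ["192.0.2.0/24", "198.51.100.10/32"]},
    # a department that is unwilling to change working practices
    "fieldops.organization.tld": None,
}

# Hypothetical per-user records keyed by the full address.
USER_POLICIES = {
    "roy@organization.tld": None,   # roaming user explicitly exempted
}


def lookup_policy(sender):
    """Return (scope, policy) for an envelope sender.

    scope is "user", "domain" or "none"; policy is the permitted-network
    dict, or None when nothing usable is published at that scope.
    """
    _local, _, domain = sender.rpartition("@")
    if sender in USER_POLICIES:
        return "user", USER_POLICIES[sender]
    if domain in POLICIES:
        return "domain", POLICIES[domain]
    return "none", None


def check_sender(sender, client_ip):
    """Evaluate client_ip against the policy found for sender.

    Returns "pass", "fail" or "none" (no policy: recipient should not
    reject on this basis).
    """
    _scope, policy = lookup_policy(sender)
    if policy is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for net in policy["permitted"]:
        if ip in ipaddress.ip_network(net):
            return "pass"
    return "fail"


if __name__ == "__main__":
    # Constructed scenarios matching the cases discussed in the post.
    cases = [
        ("alice@organization.tld", "192.0.2.25"),        # via corporate MTA
        ("alice@organization.tld", "203.0.113.7"),       # via hotel ISP: bounces
        ("bob@sales.organization.tld", "198.51.100.10"), # departmental relay
        ("carol@fieldops.organization.tld", "203.0.113.7"),  # department opted out
        ("roy@organization.tld", "203.0.113.7"),         # per-user exemption
    ]
    for sender, ip in cases:
        scope, _ = lookup_policy(sender)
        print(f"{sender:36} from {ip:14} -> {check_sender(sender, ip):4} ({scope} scope)")
```

The second and last scenarios are the crux of the argument: the same domain policy that correctly rejects alice's hotel-ISP submission would also reject roy's, and only a record at user scope lets roy keep sending through arbitrary MTAs while the rest of the domain stays covered.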