ietf

Re: "why I quit writing internet standards"

2014-04-20 18:12:31

On Apr 20, 2014, at 12:43 PM, Hector Santos <hsantos(_at_)isdg(_dot_)net> wrote:

> On 4/20/2014 2:25 PM, Douglas Otis wrote:
>
>> That said, DMARC was never intended to address needs beyond the
>> narrow scope of high value transactional email.
>
> And unfortunately, this attitude was always wrong. Hate to say, but "I told
> you so."   What the design attitude says is this:
>
>    If the domain is high value, then only applied policy.
>    For all others, ignore it.

Dear Hector,

You missed an important term, "transactional". Transactional email is normally 
NOT relayed through things like mailing-lists for example.

"High value" messages are those likely to invoke responses, which in turn invites a 
high level of phishing.  In such limited scenarios, DMARC makes very good sense.

Rather than try to honor policy to keep the security high, we are looking for 
ways to circumvent it.  Ignoring policy no longer works.

Locking the From header field to a specific source for general user mail 
clearly does not work and those asserting DMARC policy should know better.  If 
this continues, at some point many will ignore DMARC when it costs more than it 
is worth.  I too think we can do better, but the senders should be expected to 
do the heavy lifting.  Only they know to which third-party services their users 
send messages. The TPA strategy is based on the premise that third-party paths can 
be quickly verified by the recipients without a steep user learning curve.  TPA 
also creates little impact on how email is normally handled. 

Email security should be structured to support a federated service and not 
depend on peer-to-peer communications. 

Regards,
Douglas Otis
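As an added illustration (not part of this thread, and not code from any TPA draft), a minimal Python model of DMARC identifier alignment showing the mailing-list case the message describes: the domains, the message rewriting done by the list, and the two-label organizational-domain shortcut are constructed assumptions.

```python
# Added example: DMARC identifier alignment and why a mailing-list hop
# turns a p=reject policy on the From: domain into a rejection.
# Domains and the list's behaviour below are constructed for illustration.

def org_domain(domain: str) -> str:
    """Assumed shortcut: last two labels. Real DMARC consults the
    Public Suffix List; this is only enough for the sample domains."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the
    same organizational domain (e.g. a subdomain used for signing)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(from_domain, spf_domain, spf_pass,
                   dkim_domain, dkim_pass, record):
    """Return (result, disposition) for a DMARC TXT record such as
    'v=DMARC1; p=reject'. A message passes if SPF or DKIM both passed
    and is aligned with the RFC5322.From domain."""
    tags = dict(kv.strip().split("=", 1)
                for kv in record.split(";") if "=" in kv)
    spf_ok = bool(spf_pass and spf_domain and
                  aligned(from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain and
                   aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

RECORD = "v=DMARC1; p=reject"          # constructed policy for bank.example

def direct_transactional():
    # Bank sends its own mail: SPF and DKIM both authenticate bank.example.
    return dmarc_evaluate("bank.example", "bank.example", True,
                          "bank.example", True, RECORD)

def via_mailing_list():
    # A user at bank.example posts to a list. The list rewrites MAIL FROM
    # to its own bounce address (SPF passes for list.example) and adds a
    # footer, so the bank's DKIM signature no longer verifies. Neither
    # identifier aligns with the From: domain, so the policy applies.
    return dmarc_evaluate("bank.example", "list.example", True,
                          "bank.example", False, RECORD)
```

The second scenario is the general-user case the message warns about: nothing about the list is malicious, yet a p=reject policy on the From: domain makes the receiver discard legitimate posts.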