On Thu 15/May/2014 17:13:05 +0200 Dave Crocker wrote:
2. There is nothing that requires mailing lists to make adjustment.
Arguably, it is better for mailing lists NOT to make adjustments, so
that those affected users can consider the efficacy of their current
account.
I'm disappointed. I know p=reject, like dkim=discardable before it,
was meant to be used by domains that "don't have individual human
users". I cannot help comparing it to SPF's -all. In fact, DMARC's
overview[1] suggests that the monitoring step be followed by policy
adjustment. Looking at DMARC reports, one can guess whether an
authentication failure originates from abuse or from a possibly
forwarded mailing list post. Setting a strict policy would kill both.
OTOH DMARC is perfectly useless with p=none.
What does it take to set up a "human" domain, then? It's way harder
than a web site. Several organizations give up working out their own
way to configuring a mail server. Google do an excellent job at
filtering. Besides marking as spam and email authentication, they
deploy literally hundreds of signals, whose relative importance is
dynamic and determined on complex algorithms[2], which are definitely
beyond the reach of an average company with a smallish IT dept.
Now, being forced to outsource email has obvious privacy issues. I
want to ask whether the onset of giant, all-monitoring, central email
plants is part of "the basic design assumptions of Internet email".
If not, we ought to consider putting the restoring of a well-defined,
simple email functionality among the Internet 2020 goals. Can DMARC
generalization be regarded as a spontaneous move in that direction?
It requires adjustments in mailing lists and other niches such as WSJ
send-an-article and gmail sending. But what are the alternatives?
Ale
[1] How Senders Deploy DMARC in 5-Easy Steps, bottom section in
http://www.dmarc.org/overview.html
[2] summary of a talk with Sri Somanchi on Gmail's Anti-Spam Team
http://www.campaignmonitor.com/blog/post/4196/gmail-focus-on-engagement