by matteocontrini 557 days ago
Yeah, that was one of the controversial parts. I updated that paragraph to be more precise.

The draft says:

>It is therefore critical that Mail Receivers *MUST NOT* reject incoming messages solely on the basis of a "p=reject" policy by the sending domain. Mail Receivers must use the DMARC policy as part of their disposition decision, along with other knowledge and analysis. "Other knowledge and analysis" here might refer to observed sending patterns for properly-authenticated mail using the sending domain, content filtering, etc. In the absence of other knowledge and analysis, Mail Receivers *MUST* treat such failing mail as if the policy were "p=quarantine" rather than "p=reject".

So basically `p=reject` doesn't actually mean reject anymore and receivers should instead treat it as quarantine by default.

The document then goes on to say "nobody will listen to us anyway", which is an interesting thing to read in what will be a Proposed Standard:

>In practice, despite this advice, few Mail Receivers apply any mitigation techniques when receiving indirect mail flows, few organizations consider the effect of DMARC policies on their users' indirect mail, and it is unlikely that any advice in this document will change that.

1 comment
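The disposition rule quoted from the draft, carried through as an added example (not code from the thread, from the draft, or from any mail receiver). It parses a DMARC record, checks SPF/DKIM identifier alignment, and then applies the quoted wording: a failing message under `p=reject` is handled as `p=quarantine` unless the receiver has "other knowledge and analysis". The `local_analysis` flag and all function names are hypothetical, the org-domain helper uses a last-two-labels simplification instead of the Public Suffix List, and the records and auth results are constructed inputs; `draft_rule=False` shows the verbatim RFC 7489 behaviour the reply below is asking for.

```python
# Added example, not code from the thread or from any DMARC implementation.
# Applies the quoted DMARCbis wording to a failing message: with no other
# knowledge, p=reject is handled as p=quarantine. Names are hypothetical;
# inputs are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as "v=DMARC1; p=reject; adkim=s" into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): last two labels. A real receiver uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' (relaxed) an org-domain match."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str                          # RFC5322.From domain
    spf_pass_domain: Optional[str]            # MAIL FROM domain if SPF passed, else None
    dkim_pass_domains: Tuple[str, ...] = ()   # d= of each DKIM signature that verified


def dmarc_passes(record: dict, auth: AuthResult) -> bool:
    """DMARC passes if at least one authenticated identifier aligns with the From domain."""
    aspf = record.get("aspf", "r")
    adkim = record.get("adkim", "r")
    if auth.spf_pass_domain and aligned(auth.spf_pass_domain, auth.from_domain, aspf):
        return True
    return any(aligned(d, auth.from_domain, adkim) for d in auth.dkim_pass_domains)


def disposition(record: dict, auth: AuthResult,
                local_analysis: Optional[bool] = None,
                draft_rule: bool = True) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject'.

    local_analysis models the draft's "other knowledge and analysis" (hypothetical input):
      None  - the receiver has nothing beyond the DMARC result
      True  - local evidence corroborates the failure (unknown source, bad content)
      False - local evidence suggests a legitimate indirect flow (known forwarder)
    draft_rule=False applies the published policy verbatim, as RFC 7489 receivers do.
    """
    if dmarc_passes(record, auth):
        return "pass"
    policy = record["p"]
    if policy != "reject" or not draft_rule:
        return policy
    # Quoted draft text: MUST NOT reject solely on p=reject; in the absence of
    # other knowledge, treat the failure as if the policy were p=quarantine.
    if local_analysis is None:
        return "quarantine"
    return "reject" if local_analysis else "quarantine"


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; rua=mailto:dmarc@example.com")
    failing = AuthResult("example.com", None, ())
    print("draft rule, no other knowledge:", disposition(rec, failing))
    print("RFC 7489 behaviour:           ", disposition(rec, failing, draft_rule=False))
```

Note the two places the draft's rule bites: a receiver with no local signal downgrades to quarantine, and a strict `adkim=s` record turns a subdomain-signed message into a failure that is then quarantined rather than rejected.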

> nobody will listen to us anyway

And they are right because their recommendations about handling a reject policy are idiotic.

Orgs want a real reject policy, full stop. If we wanted our email to be quarantined... We would fucking set it to quarantine.

This is seriously one of the stupidest things I've read, in a spec, in a long time. It's right up there with whatever dumbass decided BIMI VMCs must not be used for reputation.

VMCs require a verification of personhood, trademark, and a non-trivial monetary investment. But why use this reputation being served up on a silver platter to email providers when we can instead keep using our black box of IP reputation that already hasn't been working well for a decade.