Opened 17 months ago

#122 new defect

New policy: p=validate

Reported by: vesely@…
Owned by:
Priority: minor
Milestone: Deliverable #2 (DMARC improvements to better support indirect email flows)
Component: dmarc-bis
Version:
Severity: -
Keywords:



This new policy is weaker than p=quarantine, but stronger than p=none.

Receivers who routinely forward messages by loosely authenticated subscribers —that is, mailing list managers— are asked by this policy to reject if DMARC check fails. Other receivers, including final receivers, are asked to ignore any outcome of DMARC check, as if p=none.

Mentions on dmarc-ietf mailing list

I'd rather propose to add another p= level, in between p=none and p=quarantine. I'd want receivers to reject my mail if it fails authentication, but only on the first hop. In particular, I'd want mailing lists (whether or not doing From: munging) to reject unauthenticated messages claiming to come from me. (And, given that it's hard to specify "first hop", it would be fine to word such policy as "reject by MLMs only".)

I propose an intermediate value, p=validate. It is meant for first hops only, and mediators in particular. A mediator should reject posts failing DMARC check if p=validate. Normal receivers should ignore p=validate unless they know they're routinely going to resend the message to external users (i.e. unless they're mediators.)

I wish there was an intermediate policy, call it p=mlm-validate, that directs a third party to reject if not authenticated, while final recipients can accept it as if p=none.

I'll post one further message on this topic today.
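
The receiver-side decision this ticket describes, as an added example that is not part of the ticket or of any DMARC specification. `p=validate` exists only as the proposal above; the function names, the `is_mediator` flag and the sample records are assumptions made for illustration.

```python
# Added illustration: p=validate is only the proposal in this ticket.
# Function names and the is_mediator flag are hypothetical.

def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into a dict of lowercase tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def disposition(record_txt, dmarc_pass, is_mediator):
    """Return the action the domain owner requests from this receiver.

    dmarc_pass  -- outcome of the receiver's DMARC check on the message
    is_mediator -- True if the receiver routinely resends to external
                   users (for example a mailing list manager)
    """
    # Assumption: a record without a p= tag is handled as p=none here.
    policy = parse_dmarc_record(record_txt).get("p", "none").lower()
    if dmarc_pass or policy == "none":
        return "accept"
    if policy == "validate":
        # Proposed semantics: mediators reject on failure, everyone
        # else behaves as if p=none.
        return "reject" if is_mediator else "accept"
    if policy in ("quarantine", "reject"):
        return policy
    # Assumption: an unrecognised p= value is handled as p=none here.
    return "accept"


if __name__ == "__main__":
    # Constructed sample record for a domain publishing the proposed policy.
    record = "v=DMARC1; p=validate; rua=mailto:dmarc@example.org"
    for mediator in (True, False):
        role = "mediator" if mediator else "final receiver"
        print(role, "->", disposition(record, dmarc_pass=False, is_mediator=mediator))
```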
