[dmarc-discuss] Is DMARC the right place for SMTP-TLS policy and reporting?
roland.turner at trustsphere.com
Wed Jun 20 01:02:28 PDT 2012
On 20/06/2012 13:11, Chris Lamont Mankowski wrote:
> I think DMARC can cause great things in MUAs to occur, and I'm elated
> it's being proposed but see that incorporating TLS policy and
> reporting as an essential component before anything is displayed to
> the end user as being secure.
I think that DMARC has no relevance whatever to MUAs... Establishing an
EV CERT type agreement may be a worthy goal, but DMARC has
little/nothing to add to this process.
More to the point: what is that you think that DMARC reporting can
actually add? TLS is only relevant on direct deliveries (i.e. not on
forwarded messages), so the sender already knows exactly what happened
(what was sent, what protocols were used, what identity was asserted by
the server, ...). If an FSI is sufficiently paranoid to care about this
but has contracted it out to an ESP then (a) they'll already have
feedback on this as part of the contract and (b) unsanctioned ESPs and
unexpected forwarding can _*already*_ be spotted immediately in existing
DMARC aggregate reports. DMARC already does exactly what you need...
Roland Turner | Director, Labs
TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
Mobile: +65 96700022 | Skype: roland.turner
roland.turner at trustsphere.com | http://www.trustsphere.com/
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dmarc-discuss