[dmarc-discuss] Is DMARC the right place for SMTP-TLS policy and reporting?

Roland Turner roland.turner at trustsphere.com
Wed Jun 20 01:02:28 PDT 2012


On 20/06/2012 13:11, Chris Lamont Mankowski wrote:

> I think DMARC can cause great things in MUAs to occur, and I'm elated 
> it's being proposed but see that incorporating TLS policy and 
> reporting as an essential component before anything is displayed to 
> the end user as being secure.

I think that DMARC has no relevance whatever to MUAs... Establishing an 
EV CERT type agreement may be a worthy goal, but DMARC has 
little/nothing to add to this process.

More to the point: what is it that you think that DMARC reporting can 
actually add? TLS is only relevant on direct deliveries (i.e. not on 
forwarded messages), so the sender already knows exactly what happened 
(what was sent, what protocols were used, what identity was asserted by 
the server, ...). If an FSI is sufficiently paranoid to care about this 
but has contracted it out to an ESP then (a) they'll already have 
feedback on this as part of the contract and (b) unsanctioned ESPs and 
unexpected forwarding can *already* be spotted immediately in existing 
DMARC aggregate reports. DMARC already does exactly what you need...

- Roland

-- 
   Roland Turner | Director, Labs
   TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
   Mobile: +65 96700022 | Skype: roland.turner
   roland.turner at trustsphere.com | http://www.trustsphere.com/
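
Added example, not part of the original message: a sketch of how a domain owner might spot unsanctioned senders and forwarding in a DMARC aggregate report, as the message above describes. The report, the sanctioned network list and the classification labels are constructed assumptions, and the sketch assumes a report without an XML namespace.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample aggregate report (documentation IP ranges, example.com).
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>4</count>
      <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.50</source_ip><count>37</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

# Assumption: networks the domain owner has sanctioned to send on its behalf.
SANCTIONED = [ipaddress.ip_network("192.0.2.0/24")]


def classify(report_xml, sanctioned=SANCTIONED):
    """Return a list of (source_ip, label, count), one entry per report record."""
    findings = []
    for rec in ET.fromstring(report_xml).iter("record"):
        ip = ipaddress.ip_address(rec.findtext("row/source_ip").strip())
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        if any(ip in net for net in sanctioned):
            # Known sender: a double failure points at a misconfiguration.
            label = "sanctioned" if "pass" in (dkim, spf) else "sanctioned-but-failing"
        elif dkim == "pass":
            # Heuristic: aligned DKIM survived via an unknown hop, typical of forwarding.
            label = "likely-forwarded"
        else:
            # Unknown source with no aligned pass: unsanctioned sender or spoofing.
            label = "unsanctioned-source"
        findings.append((str(ip), label, count))
    return findings


if __name__ == "__main__":
    for ip, label, count in classify(SAMPLE_REPORT):
        print(f"{ip:15} {label:22} {count} messages")
```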
