[dmarc-discuss] Is DMARC the right place for SMTP-TLS policy and reporting?
msk at fb.com
Wed Jun 20 13:15:40 PDT 2012
If you're talking about a mechanism to advertise that you will only accept SMTP with TLS, then you're stirring a memory in me that someone's doing this at the IETF now, but I can't recall the specifics. Perhaps someone else on the list has a better memory than I do. You can also, of course, just tell your MTAs not to allow unencrypted unauthenticated connections, and hope clients will wise up.
If you're talking about adding the capability to include TLS details in the aggregate DMARC report, we could discuss adding it as an optional field in the reports in the -03 version of the draft.
From: Chris Lamont Mankowski <makerofthings77 at gmail.com>
Date: Wed, 20 Jun 2012 15:07:55 -0400
To: d <msk at fb.com>
Cc: "dmarc-discuss at dmarc.org" <dmarc-discuss at dmarc.org>
Subject: Re: [dmarc-discuss] Is DMARC the right place for SMTP-TLS policy and reporting?
Agreed, for the scenarios we outlined TLS is comparable to SPF for Authentication. SPF is easier, and it is more broadly adopted for the purposes of message authentication.
True, shared IP situations will use a VPN to connect to the central MTA.
Aside: Isn't a VPN using TLS under the covers? It seems like the industry put some Duct Tape on the RFCs to accommodate the gap TLS auth covers. It's a heavyweight solution that is widely deployed in those situations and is a pain to set up and maintain. Any more thoughts I have on this are probably out of scope for DMARC, so I'll stop here.
Ignoring the authentication part of TLS, does anyone see value in reporting on encryption policy a.k.a. Enforced TLS? If so, where would you suggest such a feature live? (DMARC, something else...)