[dmarc-discuss] DMARC woes - forwarding signed / encrypted e-mail

Douglas Otis doug.mtview at gmail.com
Mon Jun 2 11:33:41 PDT 2014


On Jun 2, 2014, at 10:32 AM, Elizabeth Zwicky via dmarc-discuss <dmarc-discuss at dmarc.org> wrote:

> 
> Google has always overridden DMARC for some mailing lists, a usage which is
> explicitly allowed in the DMARC spec. I for one don't find it surprising that
> they added ietf.org -- and presumably some other lists -- to the set of mailing
> lists they do that for after there was worldwide press coverage of this case.

Dear Elizabeth,

The TPA-Label scheme permits the Trusted Domain (email provider) to examine their own DMARC feedback compared against domains in their outbound traffic.  This comparison, when combined with domain reputation, should allow domains to be authorized as being within the federation of servers protecting federated identities (From header field).  A flag was just added to signal a policy failure that a domain has been excluded from the federation to suppress any further processing once a decision is made.  The domains within the federation can be communicated within a single DNS transaction using a single and highly cacheable resource.

While large providers such as Yahoo and Google might be able to determine which third parties are likely okay, ensuring the cooperation of rejecting rogue servers is important and is not being achieved.  Currently, users are forced to check spam folders to find otherwise legitimate messages, so even degrading reject to quarantine represents an outcome that is still placing users at risk.

http://tools.ietf.org/html/draft-otis-tpa-label

Regards,
Douglas Otis