[dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"
jkamens at quantopian.com
Tue Oct 9 07:59:15 PDT 2018

As I'm sure the folks on this list are aware, apparently some ESPs and
software maintainers have chosen to behave differently when forwarding
emails (most notably to mailing lists) depending on whether the sender's
domain DMARC policy is nonexistent or *p=none*, vs. *p=quarantine* or

In particular, the ones that I know about are Google Groups and GNU
Mailman, both of which have decided to rewrite From: lines when they see
*p=quarantine* or *p=reject* but leave them intact when they see no
DMARC policy or a policy with *p=none*.

I find this bewildering and frustrating both for domains attempting to
roll out DMARC and for the administrators of mail servers attempting to
enforce it on incoming emails.

From the outbound email point of view, what good does it do to get
aggregate reports telling you messages forwarded through mailing lists
weren't DMARC compliant when you can't do anything about it and when
messages sent through those same mailing lists will magically become
compliant when you switch from *p=none* to *p=quarantine*? This is
especially true since you can't actually /know/ that those messages are
going to magically become compliant, because you can't know which
mailing list platforms play this game.

From the inbound email point of view, having just deployed the current
beta release of OpenDMARC on my personal (not Quantopian's) mail server
(Incidentally, an aside: is anybody actually /maintaining/ OpenDMARC?
There are multiple significant bugs in it that have been reported with
patches on GitHub and the maintainers there have been radio silent for
months), I am carefully monitoring the logs, both to confirm that it is
behaving properly and so that I can detect and report any problems to
the OpenDMARC maintainers (I've already submitted several bug reports
and patches). Several times a week I get a "/domain/ fail" log message
from OpenDMARC and I have to investigate it, only to discover that the
only reason for the failure is because someone on my server received a
message through a mailing list and the sender domain's DMARC policy is

I see people behaving badly here in both directions. In my opinion,
servers that do message forwarding should rewrite headers for DMARC
compliance whenever there is a DMARC policy, not just when the policy is
*p=quarantine* or *p=reject*. And on the other end, given that the
servers that do forwarding /aren't/ behaving that way, nobody should be
using *p=none* in their policy; they should instead use *p=quarantine;
pct=0* to force their headers to be rewritten during forwarding.

Am I missing something here?
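
As an added illustration (not part of the original message, and not code from Mailman, Google Groups or OpenDMARC), the Python sketch below parses a DMARC record and contrasts the two behaviours discussed: the forwarder rule as described in the post (rewrite From: only on p=quarantine or p=reject, assumed here to ignore pct) and the RFC 7489 pct rule, under which failing messages not sampled by pct get the next lower policy. The function names and sample records are constructed.

```python
# Added example: the forwarder rule is a model of what the post describes,
# not the actual logic of any mailing list software.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Return {'p': ..., 'pct': ...} for a DMARC TXT record, or None if unusable."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # The v tag must come first and must be exactly "DMARC1".
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        return None
    policy = tags.get("p", "").lower()
    if policy not in DOWNGRADE:
        return None  # simplification: records with a bad p tag are ignored
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if not 0 <= pct <= 100:
        pct = 100  # out-of-range pct falls back to the default
    return {"p": policy, "pct": pct}

def forwarder_rewrites_from(record):
    """Assumed list behaviour from the post: rewrite on quarantine/reject, pct ignored."""
    return record is not None and record["p"] in ("quarantine", "reject")

def receiver_dispositions(record):
    """Policies a receiver may apply to a failing message under the pct rule."""
    outcomes = set()
    if record["pct"] > 0:
        outcomes.add(record["p"])             # message sampled by pct
    if record["pct"] < 100:
        outcomes.add(DOWNGRADE[record["p"]])  # unsampled: next lower policy
    return outcomes

def compare(txt):
    """(forwarder rewrites From:?, receiver dispositions on failure) for one record."""
    rec = parse_dmarc(txt)
    if rec is None:
        return (False, set())
    return (forwarder_rewrites_from(rec), receiver_dispositions(rec))

if __name__ == "__main__":
    # Constructed sample records.
    for txt in ("v=DMARC1; p=none", "v=DMARC1; p=quarantine; pct=0",
                "v=DMARC1; p=reject; pct=0", "v=spf1 -all"):
        print(f"{txt!r:40} -> {compare(txt)}")
```

In this model *p=none* and *p=quarantine; pct=0* give receivers the same disposition for failing mail, and differ only in whether the forwarder rewrites From:.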