[dmarc-discuss] "p=none" vs. "p=quarantine; pct=0"

Jonathan Kamens jkamens at quantopian.com
Tue Oct 9 07:59:15 PDT 2018


As I'm sure the folks on this list are aware, apparently some ESPs and 
software maintainers have chosen to behave differently when forwarding 
emails (most notably to mailing lists) depending on whether the sender's 
domain DMARC policy is nonexistent or *p=none*, vs. *p=quarantine* or 
*p=reject*.

In particular, the ones that I know about are Google Groups and GNU 
Mailman, both of which have decided to rewrite From: lines when they see 
*p=quarantine* or *p=reject* but leave them intact when they see no 
DMARC policy or a policy with *p=none*.

I find this bewildering and frustrating both for domains attempting to 
roll out DMARC and for the administrators of mail servers attempting to 
enforce it on incoming emails.

From the outbound email point of view, what good does it do to get 
aggregate reports telling you messages forwarded through mailing lists 
weren't DMARC compliant when you can't do anything about it and when 
messages sent through those same mailing lists will magically become 
compliant when you switch from *p=none* to *p=quarantine*? This is 
especially true since you can't actually /know/ that those messages are 
going to magically become compliant, because you can't know which 
mailing list platforms play this game.

From the inbound email point of view, having just deployed the current 
beta release of OpenDMARC on my personal (not Quantopian's) mail server 
(Incidentally, an aside: is anybody actually /maintaining/ OpenDMARC? 
There are multiple significant bugs in it that have been reported with 
patches on GitHub and the maintainers there have been radio silent for 
months), I am carefully monitoring the logs, both to confirm that it is 
behaving properly and so that I can detect and report any problems to 
the OpenDMARC maintainers (I've already submitted several bug reports 
and patches). Several times a week I get a "/domain/ fail" log message 
from OpenDMARC and I have to investigate it, only to discover that the 
only reason for the failure is because someone on my server received a 
message through a mailing list and the sender domain's DMARC policy is 
*p=none*.

I see people behaving badly here in both directions. In my opinion, 
servers that do message forwarding should rewrite headers for DMARC 
compliance whenever there is a DMARC policy, not just when the policy is 
*p=quarantine* or *p=reject*. And on the other end, given that the 
servers that do forwarding /aren't/ behaving that way, nobody should be 
using *p=none* in their policy; they should instead use *p=quarantine; 
pct=0* to force their headers to be rewritten during forwarding.

Am I missing something here?

   Jonathan Kamens
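
The contrast the message draws, as an added example that is not part of the original post: it compares how a forwarder that keys only on the p= tag and a receiver that honours pct treat the same record. The forwarder rule models the behaviour the post attributes to Google Groups and GNU Mailman, the receiver rule follows the pct handling in RFC 7489, and the function names and sample records are constructed for illustration.

```python
LOWER = {"reject": "quarantine", "quarantine": "none"}  # RFC 7489 pct fallback

def parse_dmarc(record):
    """Return the p and pct tags of a DMARC TXT record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    policy = tags.get("p", "none").lower()  # simplification: missing p= read as none
    try:
        pct = min(100, max(0, int(tags.get("pct", "100"))))
    except ValueError:
        pct = 100  # unparseable pct: fall back to the default
    return {"p": policy, "pct": pct}

def forwarder_rewrites_from(record):
    """Forwarder rule as the post describes it (assumption): only p= is consulted."""
    tags = parse_dmarc(record)
    return tags is not None and tags["p"] in ("quarantine", "reject")

def receiver_disposition(record, dmarc_pass, sample):
    """Policy a receiver applies; sample is its 0-99 draw for pct selection."""
    tags = parse_dmarc(record)
    if tags is None or dmarc_pass:
        return "none"
    if sample < tags["pct"]:
        return tags["p"]
    # Not selected by pct: the next lower policy applies instead.
    return LOWER.get(tags["p"], "none")

# Constructed sample records for a hypothetical sender domain.
RECORDS = [
    "v=DMARC1; p=none; rua=mailto:agg@example.org",
    "v=DMARC1; p=quarantine; pct=0; rua=mailto:agg@example.org",
    "v=DMARC1; p=quarantine; rua=mailto:agg@example.org",
]

def compare(records, sample=50):
    """(record, From rewritten by forwarder?, disposition if the mail fails)."""
    return [(r, forwarder_rewrites_from(r), receiver_disposition(r, False, sample))
            for r in records]

if __name__ == "__main__":
    for record, rewritten, disposition in compare(RECORDS):
        print(f"{record!r}: rewrite From={rewritten}, on fail={disposition}")
```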

