Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

[Alessandro Vesely <vesely@tana.it>]

On Tue 28/Mar/2023 10:15:04 +0200 Barry Leiba wrote:
> I raised this issue in the DMARC session in Vienna, and have let it
> sit for a while so as not to derail other discussion.  As we're pretty
> close to finished with the DMARCbis document, I'd like to raise it
> again, this time with specific proposed text for us to discuss.
> 
> And so:
> 
> OLD
> 
>     5.5.6.  Decide If and When to Update DMARC Policy
> 
>     Once the Domain Owner is satisfied that it is properly authenticating
>     all of its mail, then it is time to decide if it is appropriate to
>     change the p= value in its DMARC record to p=quarantine or p=reject.
>     Depending on its cadence for sending mail, it may take many months of
>     consuming DMARC aggregate reports before a Domain Owner reaches the
>     point where it is sure that it is properly authenticating all of its
>     mail, and the decision on which p= value to use will depend on its
>     needs.
> 
> NEW
> 
>     5.5.6.  Decide If and When to Update DMARC Policy
> 
>     Once the Domain Owner is satisfied that it is properly authenticating
>     all of its mail, then it is time to decide if it is appropriate to
>     change the p= value in its DMARC record to p=quarantine or p=reject.
>     Depending on its cadence for sending mail, it may take many months of
>     consuming DMARC aggregate reports before a Domain Owner reaches the
>     point where it is sure that it is properly authenticating all of its
>     mail, and the decision on which p= value to use will depend on its
>     needs.
> 
>     It is important to understand that many domains may never use
>     policies of “quarantine” or “reject”, and that these policies are
>     intended not as goals, but as policies available for use when they
>     are appropriate.  In particular, “reject” is not intended for
>     deployment in domains with users who send routine email, and its
>     deployment in such domains can disrupt indirect mail flows and cause
>     damage to operation of mailing lists and other forwarding services.
>     This is discussed in [RFC7960] and in Section 5.8, below.  The
>     “reject” policy is best reserved for domains that send only
>     transactional email that is not intended to be posted to mailing
>     lists.
> 
>     To be explicitly clear: domains used for general-purpose email MUST
>     NOT deploy a DMARC policy of p=reject.
> 
> END
> 
> I'm well aware that the MUST will *not* be followed by everyone, and
> that some domain owners will feel that they need to use p=reject,
> regardless.  I think that's fine: the standard should specify what's
> right for interoperability, and I believe that improper use of
> p=reject is extremely harmful to interoperability... so "MUST" is
> correct here.  And no one will be arrested or fined for choosing not
> to follow it.  We should still say it, nonetheless.


I think I grasped Pete's point that MUST is appropriate here even if some 
domain owners do otherwise.  If we wanted to say "MUST unless" then we ought to 
say SHOULD, but this is not the case.

General purpose domains, and some well known freemail providers, should never 
have set strict policies.  Yet, they did.  No clear wording is going to be able 
to correct that practice.  Cannot push the genius back into the bottle.

I'd mention indirect mail flows explicitly, rather than referring to generic 
interoperability problems.  But several mailing list adopted expedients in 
order to overcome those problems.  Furthermore, there are experimental 
protocols that address the issue maintaining the end-to-end nature of existing 
identifier fields, and more are going to come.  It is possible that a future 
ecosystem will support strict DMARC policies for everyone.  Thus it is a "MUST 
until" rather than unless.  Is that compliant with RFC 2119?


Best
Ale
--