Re: [dmarc-ietf] Ticket #39 - remove p=quarantine

Дилян Палаузов <> Thu, 03 December 2020 19:11 UTC

To: Dave Crocker <>, John R Levine <>,
Date: Thu, 03 Dec 2020 21:10:51 +0200

Post Scriptum: DMARC can say one of two things:
-- all mails for a domain are DKIM-signed and aligned, according to the
domain owner
-- not all mails for a domain are DKIM-signed and aligned (e.g. when
the DMARC policy is absent, or p=none) according to the domain owner

Does the DMARC specification need to propose what to do with emails in
the first case above, when the DKIM-signature is not-valid/aligned? 
Some people will say yes.  I say no: there is no need to give one of
two possible advices on this (and there is no means to enforce the

Anyway, as I said I do not expect any consensus on this.

Please consider including in the DMARC specification a discussion on
what is reasonable, e.g. as outlined in the email below, and elaborate
pros and cons on r=reject and r=quarantine.

As the topic is controversial, it shall be presented as controversial in
the specification.

I do not follow the discussions here, I suppose that by now it is
addressed, that „p=quarantine;pct=0“ should be interpreted as „do
MLM-munging”, and p=none to mean „no MLM munging”.

From: Vladimir Dubrovin <>
To: Dotzero <>, Vladimir Dubrovin
CC: IETF DMARC WG <>, Дилян Палаузов
Subject: Re: [dmarc-ietf] Abolishing DMARC policy quarantine
Date: Fri, 14 Jun 2019 19:25:02 +0300

Nope, I mean 2 different things. 

1. Why quarantine is useful (with pct=0).  

For example this mailing list ( performs From rewrite
(aka From munging), e.g. is replaced with It's because has a
strict DMARC policy (reject). is not overwritten,
because has p=none and only overwrites From only for
domains with "quarantine" and "reject" policies. It's quite common

If you are implementing DMARC for a new domain (let's say,
you usually start with "p=none". With p=none you receive reports for
failed DMARC for different lists, like Before switching to
stronger policy (p=reject), you may want to know which mailing list
will still fail DMARC, and which lists perform From munging and, as a
result, do not fail DMARC. For this purpose, before switching to
"p=reject" it's useful to switch to "p=quarantine;pct=0". After this,
you will only see mailing lists without From munging in DMARC reports.

2. Why quarantine should not be used with pct different from 0

If you start enforcing strong DMARC policy with "p=reject" and you have
some previously uncaught misconfiguration (e.g. wrong envelope-from
address in some once-in-the-month mailing), you see DMARC failures in
your logs and you can react to these failures and even re-send the
messages affected.
If you start with "p=quarantine" you have no feedback except reports,
and reports are received with a huge lag (up to 2 days) and do not
provide sufficient information to catch the exact problem and you
cannot re-send the quarantined messages.


On Wed, 2020-12-02 at 13:15 +0200, Дилян Палаузов wrote:
> Hello,
> On Tue, 2020-12-01 at 15:55 -0800, Dave Crocker wrote:
> > On 12/1/2020 3:17 PM, John R Levine wrote:
> > > #39 proposes that we remove p=quarantine.  I propose we leave it
> > > in, even if it is not very useful, because trying to remove it
> > > would be too confusing.
> >
> > process, I suggest this issue gets some meaningful discussion.  My
> > email archive indicates it hasn't gotten any discussion at all.
> This was discussed under the subject “Abolishing DMARC policy
> quarantine” in June 2019.  There was no consensus.  SMTP offers this
> distinction and this is mirrored in DMARC.  In particular, senders are
> free to publish p=quarantine and recipients are free to interpret it
> as p=reject.  Senders can publish p=reject and receivers are free to
> interpret it as p=quarantine.
> Moreover, some destination addresses do not have the concept of a
> quarantine.  E.g. an address that accepts commands for mailing list
> management.  Such addresses can either accept or reject the message -
> there is no quarantine, so interpreting published p=quarantine as
> p=reject is feasible.
> Recalling the discussion from June 2019 I do not count on any different
> consensus, if the discussion happens here again now.
> Greetings
>   Дилян
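
The rollout step described in the forwarded message (p=none, then p=quarantine;pct=0, then p=reject), as an added example that is not part of the thread: it parses a DMARC record and reports both whether a list that munges From only for quarantine/reject domains would rewrite it, and what percentage of failing mail receivers are asked to act on. Function names and sample records are constructed, and an invalid `p` tag is simply rejected rather than handled with the RFC 7489 fallback.

```python
# Added illustration, not code from the thread. Function names and the
# sample records are constructed for this example.

def parse_dmarc(txt):
    """Return {'p': policy, 'pct': int} or None if the record is unusable."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None                      # v=DMARC1 must be the first tag
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if not sep:
            return None                  # tag without a value
        tags[name.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return None                      # simplification: no fallback to p=none
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100
    except ValueError:
        return None
    if not 0 <= pct <= 100:
        return None
    return {"p": policy, "pct": pct}


def mlm_rewrites_from(txt):
    """List behaviour from the thread: munge From for quarantine/reject, ignoring pct."""
    rec = parse_dmarc(txt)
    return rec is not None and rec["p"] in ("quarantine", "reject")


def receiver_enforced_pct(txt):
    """Percentage of failing mail a receiver is asked to quarantine or reject."""
    rec = parse_dmarc(txt)
    if rec is None or rec["p"] == "none":
        return 0
    return rec["pct"]


def rollout_table(records):
    """Map each record to (list rewrites From?, enforced percentage)."""
    return {r: (mlm_rewrites_from(r), receiver_enforced_pct(r)) for r in records}


SAMPLE_RECORDS = [                       # constructed rollout stages
    "v=DMARC1; p=none",
    "v=DMARC1; p=quarantine; pct=0",
    "v=DMARC1; p=reject",
]

if __name__ == "__main__":
    for record, result in rollout_table(SAMPLE_RECORDS).items():
        print(record, "->", result)
```

The middle stage is the only one where the list rewrites From while receivers enforce nothing, which is why failure reports at that stage point only at lists that do not munge.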