Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

[Scott Kitterman <sklist@kitterman.com>]

On Sunday, April 9, 2023 9:55:29 AM EDT John Levine wrote:
> It appears that Matthäus Wander <mail@wander.science> said:
> >Earlier in the discussion, the term high-value domain has been used
> >(along with transactional email domain) in opposition to domain for
> >general-purpose email. ...
> 
> "High value" isn't a useful metric here. yahoo.com is a very valuable
> domain, but they still shouldn't be using a reject policy. The useful
> distinction is mail from people rather than mail from machines,
> whether the latter is transactions or bulk.
> 
> Keep in mind that DMARC policies cause damage to transactional mail,
> too. If a sender only validates with SPF (still common because it's
> cheap) and a recipient uses a forwarding address, transactional mail
> will get lost. A while back I talked to some people who worked at
> Paypal who told me of course they were aware of that, but for their
> purposes and given what a phish target they are, they felt the
> benefits were worth it.
> 
> When someone sets a DMARC policy for mail from people, it's hard to
> think of a time when they asked at wll whether that was what the
> people wanted. Or if they did, they asked something like "do you want
> your mail to be more secure?" which misses the point.
> 
> R's,
> John
> 
> PS: I can make anyone's mail 100% secure by unplugging your mail
> server but I'm pretty sure that's not what you want.

It gets even more complicated to describe.

I am aware of companies that have policies that prohibit use of company 
assigned email addresses in mailing lists and other known rough spots for 
DMARC and published DMARC p=reject with the understanding that there is mail 
that won't get delivered as a result.

They've evaluated the trade-offs and put policies in place with the 
understanding of the implications of them.  They can do that.

It's not even as simple as transactional/real users.

Scott K