Re: [dmarc-ietf] Rethinking DMARC for PSDs

[Ken O'Driscoll <ken@wemonitoremail.com>]

On Mon, 2019-04-08 at 09:50 -0400, Douglas E. Foster wrote:
[...snip...]
> My focus is on defining a framework for discussing product capabilities,
> while leaving room for vendors to add value above the minimum
> configuration.

That sounds more like what organisations such as Gartner are there for as
opposed to the IEFT. And they do a fairly good job in framing vendor
selection processes.

> Demonstrating email legitimacy is essentially a protocol between sender
> and receiver.   IETF has only defined one half of the protocol, so why
> should we be surprised that the conversation is broken.   Expertise can
> be assembled; the task is desperately needed.

That's not exactly true. The protocols do explain how a receiver should
implement them from a technical perspective. That ensures that there is no
divergence between how say a SPF record is interpreted on a product by
product basis. What they don't do, and what you appear to be alluding to,
is proscribe how receivers should filter spam, and more specifically forged
sender addresses from non-existent domains.

The IETF don't make such proscriptions because a) it's off-mission and b)
there is no one size fits all spam filter configuration.

What works for a small office would be unsuitable for a large corporation,
what works for a large corporation would be unsuitable for a hospital with
a similar number of users and in turn, dealing with millions of users
requires a completely different approach all together.

> In the interim, I am open to recommendations for good spam filters.   I
> have been trying to avoid disparaging the bad ones by name in a public
> forum.

This list isn't the appropriate place for that discussion as it does not
pertain to DMARC, despite the fact DMARC might be baked into some spam
filtering solutions.

Your starting point should be proper functional requirements specific to
your organisation.

Ken.