This is fundamentally misrepresenting DMARC by making people believe that edge cases are generalities and making people believe that a convenience feature to bolster early adoption is a fundamental flaw. The data is against you, DMARC is working well to stop spoofing at the receiver who adopted it, and yes there is still work to do, but the fundamentals are there. DMARC, improved DKIM interactions between MTA, improved forwarding in several places. DMARC does not work out of the box, until you take control of your email streams, for some organization this is easy, for some others it requires a lot of work. It is all then a question of priority and risk assessment.

That's just a little bit hyperbolic. By extension, there's no such thing
as "-all" in SPF or "dkim=discardable" in ADSP.
There are several examples of senders that find the policy action useful
because some key receivers do act on it. The same goes at least for SPF or
any advanced use of DKIM.

Honoring a "p=reject" might require more than zero thought. Unfortunately,
that scares some people more than it probably should.

-MSK

Funny, the latter part of that statement is what I remember the large
receivers telling me ~10 years ago when I asked them to block messages
that failed SPF checks. The assertion being that they couldn't trust
that senders correctly understood or implemented SPF records and the
impact they would have. I view DMARC as the result of senders and
receivers working together to find a way to make that blocking possible
for many, but not all, cases.

DMARC can very effectively block abusive messages at scale. Where almost
all spurious messages were being allowed through for a particular domain
before publishing a "p=reject", less than 1% were being allowed through
after publishing that record. And yes, that's even with any "secret
sauce policies" or exceptions previously mentioned in this thread. We're
talking about millions of fraudulent messages being kept out of
mailboxes, and I'll take those actual results every time over any
quibbles about DMARC's design.

Thank goodness the receivers see the value in dedicating the manpower
and resources it takes to implement their side of it even if they "just
cannot trust it" - I'll continue to do so on the sender side where ever
I can.

--S.

As others have pointed out, this is simply false. I may have a policy
that you give all of your money to me simply for continuing to read this
message, that doesn't mean that you will do so. The fact that you don't
do so doesn't mean that the policy doesn't exist, simply that it's not
binding upon you.

DMARC policies are similarly non-binding upon receivers. A Domain Owner
can have a range of policies and options (p, sp, pct). No such policy is
ever binding upon a receiver because the latter owns (and indeed, pays

It’s kind of a domain reputation issue. That you’re using an @linkedin.com email address for 1:1 email to mailing lists shows that linkedin.com are not an appropriate domain to use DMARC as they don’t have full control over how their domain is used for email (and that in turn leads to more pressure to special case delivery and ignore DMARC unless you know something more about the mail and so on). That you’re doing this on mailing lists that have a high visibility to DMARC folks means that the impact of that is *way* disproportionally large. :)

If you were to use a different domain for your testing of mailing list behaviour with DMARC (e.g. franckmartin.com or an entirely DMARC testing dedicated one) then the implication would be quite different.

Cheers,
Steve

Surely I have, and you likely have too, dozens of times over months and months, using this cool new email technology called DMARC. ;-)

I may have done so again by pointing out the issue on this list. But no, I didn't ever raise the issue with Google because back when I first noticed it I still:

a) wanted to fully understand the consequences of posting to lists with p=reject
b) having recipients on this list that validate SPF differently provides useful information
c) I haven't done enough debugging to determine exactly why it fails
I, and others, have not gone that route and yet we too have survived. There are consequences to both approaches.

Matt

I plain reject on SPF -all, and my clients are fine with it, in several different installations. Exceptions are added to a whitelist on a case by case basis, and only if the sender is some automatic system whose administrator is not easily reachable. Otherwise, the sender is told they are spoofing the domain against the domain owner's policy, and the case is closed. It works, because it's the sender's fault, and because it is plain easy to see it and to check it, AND BECAUSE IT IS PLAIN EASY FOR THE SENDER TO FIX IT. So far, my clients are happy. I also reject on SPF softfail for some heavily spoofed domains -- and, again, so far my clients are happy with their spam free inboxes.

The case will not be so easy for DMARC's p=reject false positives. It is going to be hard for the sender to fix them, because they are going to keep publishing p=reject AND having users subscribing to mailing lists (so is human nature -- senders are not going to go through the all trouble of learning about DMARC, setting it up, just to end up not using p=reject to "protect" their "precious" email domain/brand). Yes, I know your answer: that the receiver has to build a custom, fine-tuned, on-going maintenance-heavy local-only system to deal with those DMARC failure cases, as the DMARC standard so aptly suggests. Therefore, the conclusion is clear: DMARC has NOT a workable policy of reject for receivers to implement.

But I guess if someone is hired full time to deal with the support tickets for DMARC failure cases, then his definition of "workable" would be different.
My stated prediction is exactly correct, at least in terms of the number of mailbox providers currently covered by DMARC.
I won't, as a receiver. I will, as a sender, with p=none and just to get feedback reports on my email streams.
That could work: a Spamhaus.org-like service for sharing known-good DMARC whitelisting of DMARC p=reject failure cases, based on the sending domain or, perhaps better, on known-good mailing-lists/forwarders.
I already did. It was summarily dismissed, though. So I tried, I did not just complained.

http://www.ietf.org/mail-archive/web/dmarc/current/msg00167.html
Sorry, but it IS reasonable to expect that someone who goes through the effort of using his resources and time to find out about your published policy, will then follow it -- specially when the onerous part is the first one, finding about the policy, and not the second one, following it (ie., just dumping failures on p=reject). If the receiver was not interested on the sender's policy, why did he bothered to check it at all? Was he bored? Was he just doing field research and collating statistics? What is going on here? --> What is going on here is the reality that DMARC's reject policy is UNRELIABLE, and therefore unworkable.(*)

(*) Unless, of course, the receiver wants to build a custom, fine-tuned, on-going maintenance-heavy local-only system to deal with DMARC failure cases.
OK then, policy is not policy. You are right.
I am sorry you do not like my feedback. It must is destructive.

Regards,

J.Gomez


PS: I would love it if your posts to the list would keep the proper quotation marks in their plain-text alternative version, so that quoting them would not longer be an exercise in acrobatics.