DMARC and organizations

Comcast recently published a statement on DMARC over on their postmaster page. The short version is that Comcast is publishing a DMARC record, but has no current intentions to publish a p=reject policy for Comcast user email. Comcast will be publishing a p=reject for some of their domains that they use exclusively to communicate with customers, like billing notices and security notices.
Comcast does point out that Yahoo! and AOL’s usage of p=reject is “not common usage.”
This is something a lot of people have been arguing loudly about on various mail operations lists and network lists. DMARC is about organizational identity. In fact, I was contacted about my DMARC primer and told that I didn’t mention that it’s not about domains, it’s about organizations.
The way I read the DMARC spec, it is all about organizational identity. The underlying theme being that the domain name is linked to a particular organization and everyone using email at that domain has some official relationship with that organization. I’ve always read the spec mentally replacing organization with corporate brand. This was for brands and organizations that strictly control how their domains are used, who can use those domains and how the mail is sent with those domains.
I never expected any mailbox provider or commercial ISP to publish a p=reject message as it would just break way too much of the way customers use email. And it did break a lot of legitimate and end user uses of email. Many organizations have had to scramble to update mailing list software to avoid bouncing users off the lists. Some of these upgrades have broken mailbox filters, forcing end users to change how they manage their mailboxes.
Even organizations see challenges with a p=reject message and can have legitimate mail blocked. At M3AAWG 30 in San Francisco I was talking with some folks who have been actively deploying DMARC for organizations. From my point of view anyone who wants to publish a DMARC p=reject should spend at least 6 months monitoring DMARC failures to identify legitimate sources of email. The person I was talking to said he recommends a minimum of 12 months.
This is just an example of how difficult it is to capture all the legitimate sources of emails from a domain and effectively authenticate that mail. For a mailbox provider, I think it’s nearly impossible to capture all the legitimate uses of email and authenticate them.
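
The monitoring step described above is normally done by reading the DMARC aggregate (rua) reports that receivers send back while the domain is still at p=none. The following is an added example, not code from the original post: it lists the sources whose mail fails DMARC and would be refused under p=reject. The function name `failing_sources`, the helper `_rec` and the sample report are constructed for illustration, and the report is assumed to use the RFC 7489 element names without an XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf, dkim_dom, spf_dom):
    """Build one <record> of a constructed report (illustrative helper)."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><disposition>none</disposition>"
            f"<dkim>{dkim}</dkim><spf>{spf}</spf></policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers>"
            f"<auth_results><dkim><domain>{dkim_dom}</domain><result>pass</result></dkim>"
            f"<spf><domain>{spf_dom}</domain><result>pass</result></spf>"
            f"</auth_results></record>")

# Constructed sample data: documentation IPs and example domains only.
SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _rec("192.0.2.10", 950, "pass", "pass", "example.com", "example.com")
    + _rec("198.51.100.25", 120, "fail", "fail", "esp.example", "bounce.esp.example")
    + _rec("203.0.113.7", 14, "fail", "fail", "lists.example.org", "lists.example.org")
    + _rec("198.51.100.25", 30, "fail", "fail", "esp.example", "bounce.esp.example")
    + "</feedback>")

def failing_sources(report_xml):
    """Return {source_ip: {"count", "auth_domains"}} for mail failing DMARC.

    A message fails DMARC only when neither the aligned DKIM nor the aligned
    SPF result in <policy_evaluated> is "pass"; under p=reject that mail
    would be refused, so each source here needs a human decision.
    """
    root = ET.fromstring(report_xml)
    sources = defaultdict(lambda: {"count": 0, "auth_domains": set()})
    for record in root.iter("record"):
        evaluated = record.find("row/policy_evaluated")
        if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
            continue  # aligned by at least one mechanism: DMARC passes
        entry = sources[record.findtext("row/source_ip")]
        entry["count"] += int(record.findtext("row/count"))
        # Domains that did authenticate hint at who the sender is (ESP, list).
        for dom in record.iterfind("auth_results/*/domain"):
            entry["auth_domains"].add(dom.text)
    return dict(sources)

if __name__ == "__main__":
    report = failing_sources(SAMPLE_REPORT)
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} {info['count']:5} {sorted(info['auth_domains'])}")
```

Aggregate reports arrive from third parties, so a production pipeline should parse them with a hardened XML parser such as defusedxml and size limits on attachments.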
It remains to be seen if the other mailbox providers imitate Yahoo! and AOL or if they push back against the use of DMARC reject policies at mailbox providers. Whatever the outcome, this is a significant shift in how email is used. And we’re all going to have to deal with the fallout of that.

5 comments

  1. Huey says

    “From my point of view anyone who wants to publish a DMARC p=reject should spend at least 6 months monitoring DMARC failures to identify legitimate sources of email. The person I was talking to said he recommends a minimum of 12 months.”
    This is particularly insightful and worth further emphasis: before making a major infrastructure change, you should try to find out just what that change is going to break.

  2. Syed Alam says

    DMARC with a p=reject policy is kind of a hard decision but it will definitely improve the entire email ecosystem.

  3. DMARC and taking responsibility for sending group email - OnlineGroups.net blog says

    […] SPF on those domains. As Laura of Word to the Wise points out, DMARC is not really about domains, it is about organisations and their identity. And that is the raison d’être of OnlineGroups.net: to provide online groups for […]

  4. Anonymous Coward says

    Gotta commend Yahoo! and AOL for taking such an important and bold move against spam. They should take it to the next level and remove their A and MX records, just to be extra safe. *evil-grin*

  5. G B says

    I believe most organizations which send mass-mails from controlled domains should go for p=reject as soon as they can, as we are planning to.
    1. We have strict control as to who uses our domain (corporate, transactional, marketing and support). No one else is supposed to do it.
    2. DMARC makes your messages more credible to the big four. Even if the extent is not known, the loss is minimal or not there.
    3. It will prevent joe-jobs over your domain, even if someone uses it simply to spam randomly or whatever. There are still ISPs out there which will bulk your entire domain.
    4. DMARC gives you a somewhat centralized view of mail counts and senders across the myriad combinations of ESPs you may have.
    5. Mailing lists will adapt, sooner or later. I expect very little breakage with our transition.
    Yes, it did take a bit of effort to force all the providers into DMARC alignment. One of our ESPs didn’t have the required functionality (read: sign messages with our DKIM key or allow us to export theirs). A bit of yelling and they fixed it…
