Ability to disable DMARC-enforcement on org-domain

[PHPGangsta]

Hi Marc,

I'm currently testing your authentication_milter which is using Mail::BIMI. But I see many BIMI implementations of newsletters which don't enforce DMARC on the org-domain. For example they have DMARC with p!=none on newsletter.domain.com, but they do have DMARC p=none on domain.com.

I talked to two guys from big newsletter sender companies (ESPs), and both told me that a lot of brands don't enforce DMARC on the brands org-domain because it is a lot of work to do that, and those brands are not able to do it. That's why lots of newsletters with BIMI only have DMARC on the subdomain (which was delegated to the ESP), but not the org-domain. Both told me that most of their customers (more than half, maybe 70%-90%) don't have DMARC enforced on their org-domain. They are asking them to do it, but there are plenty of reasons why they don't do it.

Both told me that Yahoo/AOL does not care about the org-domain, they only check DMARC on the subdomain. That's why Yahoo shows so many BIMI logos which fail the "DMARC enforcement on the org-domain" check.

I would also like to disable the DMARC enforcement check on the org-domain. As far as I can see this is not possible yet with Mail::BIMI, right? It would be nice to have an option for it.

There are many examples, here is one: service.rossmann.de

    bimi=skipped (DMARC Policy is not at enforcement);
    dkim=pass (2048-bit rsa key sha256) header.d=inxserver.com
      header.i=@inxserver.com header.b=o4W6L9zD header.a=rsa-sha256
      header.s=202007;
    dkim=pass (2048-bit rsa key sha256) header.d=service.rossmann.de
      header.i=@service.rossmann.de header.b=cfEIV2FY header.a=rsa-sha256
      header.s=inx20493434;
    dmarc=pass policy.published-domain-policy=reject
      policy.applied-disposition=none policy.evaluated-disposition=none
      (p=reject,has-list-id=yes,d=none,d.eval=none) policy.policy-from=p
      header.from=service.rossmann.de;

There is dmarc=pass, but bimi=skipped. And as far as I can see it's because of the p=none on the org-domain. https://bimigroup.org/bimi-generator/ shows this:

There are many more like this, for example:

urlaub.fti.de
mail.lidl.de
news.congstar.de
news.intersport.de
news.fc-koeln.de
news.gravis.de
news.mammut.com
newsletter.robinson.com
email.babymarkt.de
news.trigema.de
...

All of them have a missing DMARC record on the org-domain, or p=none on the org-domain. DMARC on the subdomains is enforced.

Thanks Michael

[marcbradshaw]

Such an option would go against the BIMI draft spec, specifically

  *  Fully implement the DMARC [RFC7489] mechanism, to include:

      -  Creating and publishing in DNS [RFC1035] a DMARC [RFC7489]
         policy record that meets the following criteria:

         o  The policy record MUST express either a Requested Mail
            Receiver policy of "quarantine" with an effective
            percentage of 100%, or a Requested Mail Receiver policy
            of "reject" (with any percentage value).

         o  If a subdomain policy is published it MUST NOT be "none"

         o  Be published for the Organizational Domain, and any
            subdomains thereof

Additionally, the goals of BIMI as stated in the draft are to drive adoption of Authentication BCP, especially DMARC, and removing the requirement for strong DMARC across the entire domain would subvert that intent.

BIMI is designed to be open and to work at Internet scale. BIMI is intended to drive adoption of email authentication best practices by leveraging existing DMARC [RFC7489] policies, the supporting authentication methods DKIM [RFC6376] and SPF [RFC7208], and other associated standards such as ARC [RFC8617].

I know Yahoo! isn't checking this at the moment, they currently have their own validation process outside of that recommended by the draft while implementation is ongoing. We are recommending to CAs that they check the domains DMARC policy in full before issuing VMCs for a domain. I've seen similar policy issues across many types of organisations, there are also banks and government agencies who have effective p=none at their organazational domain level.