I think we would like to have the whole DMARC feature disabled by default for now. That matches the ‘disabled by default’ behaviour of the old spam detection site setting. The only DMARC failures we’ve had hitting our meta inbox are ‘real’ customers with misconfigured email servers, so this is just causing confusion on our end.
Fair enough, I’ll change the behaviour when email_in_authserv_id is blank from “if there’s a failing header, observe it” to “just do nothing”. I made that decision from a naïve security perspective (where everyone has their email servers set up correctly!)
Aside: how do the ‘well known values’ in the meta post get used? As far as I can tell, when email_in_authserv_id is blank, we read all Authentication-Results headers and take the worst one. I can’t see any specific checks for amazon/google.
Those ‘well known values’ are for users to paste into the email_in_authserv_id setting if they know they’re using amazon/google, so they don’t have to grep through their received emails. We can’t hard code them in, since if, say, a user’s using amazon as their email receiver, an attacker could then include an Authentication-Results: mx.google.com; header in their email, and amazon wouldn’t strip it out (because it’s not