
Reference? I googled but couldn't find any data, other than a very old report claiming 47% usage. (Not the same as "properly" but who knows what you really mean by that.)

Also, I wouldn't be surprised if less than two percent of all domains are non-junk domains anyway.



> Reference? I googled but couldn't find any data, other than a very old report claiming 47% usage. (Not the same as "properly" but who knows what you really mean by that.)

https://www.bimiradar.com/glob

Properly, aka working SPF/DKIM and DMARC set to reject/quarantine, called "BIMI Ready" there.

> Also, I wouldn't be surprised if less than two percent of all domains are non-junk domains anyway.

Possibly, which highlights the issue with SPF and DMARC being default-open.


Ah. Thanks.

I very much dispute reject/quarantine being the "proper" configuration. Yes, it is the strongest configuration. I had to back down from quarantine in the past due to the way some customers wanted to forward our mail (breaking SPF of course but also breaking DKIM, thus not forwardable with DMARC p=q). Even without p=q there is still a signal, and the MUA (or with server assistance) can flag the mail as suss, so p=none is not "wrong" or even "inadequate". It's just ... less than perfect. I'm also not so clear on how this is much of a spam signal. The attackers get https certs, and the spammers pass DMARC. So BIMI is more about brand protection than spam resistance.

As well, there are 630MM domains registered and BIMI Radar only tracks 71MM. It only tracks 92 "large public companies", not even, say, the F500. So I don't even have any confidence in what they are reporting, even within the scope of what they are claiming.


> I had to back down from quarantine in the past due to the way some customers wanted to forward our mail (breaking SPF of course but also breaking DKIM, thus not forwardable with DMARC p=q).

They should implement ARC instead.

> Even without p=q there is still a signal and MUA (or with server assistance) can flag the mail as suss, so p=none is not "wrong" or even "inadequate".

I strongly disagree. It's an absolute menace when trying to protect against forgeries. Worse than no DMARC at all (green light is worse than no light etc.)

> As well, there are 630MM domains registered and bimi radar only tracks 71MM. It only tracks 92 "large public companies", not even say, the F500. So I don't even have any confidence in what they are reporting, even within the scope of what they are claiming.

You don't have to take all the domains to have sufficiently accurate general statistics.


Thanks again. I wasn't even aware of ARC. I'll start recommending that. However, there's a big gap between what customers "should" do and what they are willing or even capable of doing. I'm sure most people and most companies have no idea how email even works these days. E.g., I'm the only one on my team of 10 infra folks that has any clue at all.

We are just going to have to agree to disagree on p=none. Regardless of the policy, the receiving MTA and MUA have all the signal they need. p=none is very far from being a green light.

> You don't have to take all the domains to have sufficiently accurate general statistics.

I'm not a statistician, but I would think that without random sampling, you do? There's no description of how they selected which domains to track.
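An added example, not from any commenter in this thread, that plays out the forwarding case argued above in a small DMARC evaluator (RFC 7489 semantics): the same forwarded message is scored under p=none, p=quarantine and p=reject, and it also shows strict versus relaxed alignment. It assumes the SPF and DKIM results have already been computed by the receiver, uses a crude last-two-labels organizational domain instead of the Public Suffix List, and ignores the pct, sp and reporting tags.

```python
# Added example (not from any commenter): a simplified DMARC evaluator following
# RFC 7489 semantics, to show (a) why a forwarded message fails DMARC and (b) that
# p=none still produces a "fail" result, only without a quarantine/reject disposition.
# Records and message data below are constructed samples.

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag->value dict, applying RFC defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless overridden
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Crude organizational-domain guess: last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(identifier, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)

def evaluate(record, from_domain, spf, spf_domain, dkim, dkim_domain):
    """Return (dmarc_result, disposition).

    from_domain: RFC5322.From domain; spf/spf_domain: SPF result and the
    RFC5321.MailFrom domain it was checked on; dkim/dkim_domain: DKIM result and d= tag.
    """
    tags = parse_dmarc(record)
    spf_ok = spf == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]  # policy is applied only when DMARC fails

def forwarding_scenarios():
    """Same forwarded message (SPF fails at the forwarder's IP, DKIM broken by an
    appended footer) evaluated under each policy; the result is 'fail' in all cases."""
    return {
        p: evaluate(f"v=DMARC1; p={p}", "example.com", "fail", "example.com", "fail", "example.com")
        for p in ("none", "quarantine", "reject")
    }

if __name__ == "__main__":
    print(forwarding_scenarios())
```

The "fail" result is what a receiver can feed into Authentication-Results and scoring regardless of policy; only the disposition changes with p=, which is the point both sides of the thread are arguing about.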





