Dear All,

I completely support formulating a DMARC recommendation for “never sending” domains; however, at the same time I prefer that this recommendation stays neutral regarding the desirability of feedback URI specification.

The reason for this is that there are cases where the specification of reporting addresses will prove (a) CUMBERSOME or (b) even TECHNICALLY IMPOSSIBLE without relying on 3rd party services:

(a) Some persons who manage a large number of domains that never send e-mails might simply not wish to obtain information about (all the individual) failures, but at the same time highly value the straightforward possibility of protecting their managed domains with an empty “-all” SPF record along with a “v=DMARC1; p=reject;” requested DMARC policy.

(b) Owners of only a single domain that is not used to send e-mails will typically not be able to provide a reporting URI, as they cannot specify a “..._report._dmarc...” record in the DNS of their inbox providers, which would legitimate their (free) personal e-mail addresses as reporting URIs. The only alternative option for such domain owners would be to employ 3rd party DMARC report analysis services, which might however prove to be too configuration-intensive for a large number of technically less enthusiastic persons.

Just my two cents...

Best,
Ivan Gojmerac

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Matt Simerson
Sent: Tuesday, 10 December 2013 23:03
To: Franck Martin
Cc: <[email protected]>
Subject: Re: [dmarc-discuss] dmarc for "never sending" domains

On Dec 10, 2013, at 1:40 PM, Franck Martin <[email protected]> wrote:

> On Dec 10, 2013, at 11:39 AM, John Levine <[email protected]> wrote:
>
>>> Suggest following this thread from 2007.
>>> http://mipassoc.org/pipermail/ietf-dkim/2007q2/007663.html
>>
>> That's the null MX proposal. I resuscitated Mark Delany's draft in
>> July, and I suppose I might nudge Murray to see if appsawg would
>> accept it, but it's a separate issue.
>>
>> For DMARC, what advice can we offer beyond publishing SPF -all and
>> DKIM p=reject? (Normally I'm not a big fan of p=reject, but this is
>> a place where it's clearly appropriate.)
>>
>
> I propose to add something along these lines in the DMARC FAQ.

+1

Matt

> I have parked domains that do not send emails, how can I protect them?
>
> First create a DMARC record on your main domain (example.com) for all your
> parked domains:
> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected];"
>
> If example.net is a parked domain you can then protect it this way:
> _dmarc.example.net CNAME _dmarc.parked.example.com
> example.net TXT "v=spf1 -all"
> *.example.net TXT "v=spf1 -all"
>
> The CNAME allows you to control in one place all your parked domains. If you
> want, for instance, to start receiving failure reports for all your parked
> domains, you just need to update one DNS record. In the example above the
> record becomes:
> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];"
>
> This will update all the domains using this CNAME.
>
> The wildcard on the TXT record for SPF will protect any subdomain or host
> under this domain.
>
> To be able to receive reports for example.net at the mailboxes at
> example.com you must create a report record:
> example.net._report._dmarc.example.com TXT "v=DMARC1;"
>
> If you have many parked domains, you can use a wildcard, instead of creating
> a record for each domain you are protecting:
> *._report._dmarc.example.com TXT "v=DMARC1;"
>
> However, you can then receive reports for any domains, ensure you are
> protected against false reporting and the potential load on your
> infrastructure.
> _______________________________________________
> dmarc-discuss mailing list
> [email protected]
> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>
> NOTE: Participating in this list means you agree to the DMARC Note
> Well terms (http://www.dmarc.org/note_well.html)
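
The parked-domain setup from the FAQ text quoted in the thread, checked offline: this is an added example, not part of any participant's message. It audits a constructed zone for the "-all" SPF records, the DMARC CNAME with p=reject, and the _report._dmarc authorisation record. The zone dictionary, the rua mailbox (the page's addresses are redacted) and all function names are assumptions; wildcard matching is simplified and "same domain" is judged by suffix rather than by Organizational Domain.

```python
# Constructed zone modelled on the FAQ text quoted in the thread. The rua
# mailbox is a placeholder: the addresses on the page are redacted.
ZONE = {
    ("_dmarc.parked.example.com", "TXT"): "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com;",
    ("_dmarc.example.net", "CNAME"): "_dmarc.parked.example.com",
    ("example.net", "TXT"): "v=spf1 -all",
    ("*.example.net", "TXT"): "v=spf1 -all",
    ("example.net._report._dmarc.example.com", "TXT"): "v=DMARC1;",
}

def lookup_txt(zone, name, depth=0):
    """Exact TXT, else follow a CNAME, else the nearest wildcard (simplified DNS)."""
    if (name, "TXT") in zone:
        return zone[(name, "TXT")]
    if (name, "CNAME") in zone and depth < 5:
        return lookup_txt(zone, zone[(name, "CNAME")], depth + 1)
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if (wildcard, "TXT") in zone:
            return zone[(wildcard, "TXT")]
    return None

def tags(record):
    """Split 'k=v; k=v' into a dict, tolerating stray spaces around values."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip(): v.strip() for k, v in pairs}

def audit_parked(zone, domain):
    """Return a list of findings for one never-sending domain (empty = OK)."""
    findings = []
    for name in (domain, "probe." + domain):  # apex and an arbitrary host
        if lookup_txt(zone, name) != "v=spf1 -all":
            findings.append(f"{name}: SPF is not 'v=spf1 -all'")
    dmarc = tags(lookup_txt(zone, "_dmarc." + domain) or "")
    if dmarc.get("v") != "DMARC1" or dmarc.get("p") != "reject":
        findings.append(f"_dmarc.{domain}: no p=reject policy")
    uris = (dmarc.get("rua", "") + "," + dmarc.get("ruf", "")).split(",")
    for uri in filter(None, (u.strip() for u in uris)):
        dest = uri.split("!")[0].rsplit("@", 1)[-1].lower()
        if dest == domain or dest.endswith("." + domain):
            continue  # same domain: no authorisation record needed
        auth = lookup_txt(zone, f"{domain}._report._dmarc.{dest}")
        if not (auth or "").startswith("v=DMARC1"):
            findings.append(f"{dest} has not authorised reports for {domain}")
    return findings

if __name__ == "__main__":
    print(audit_parked(ZONE, "example.net") or "example.net: OK")
```

Against live DNS the same checks would be driven by real TXT and CNAME lookups instead of the dictionary.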
