> On July 17, 2019 8:14:54 PM UTC, "Kurt Andersen (b)" <kb...@drkurt.com> wrote:
> >Firstly, I'm a little concerned with the sentence which says 'Note that
> >"np" will be ignored for DMARC records published on subdomains of
> >Organizational Domains and PSDs due to the effect of the DMARC policy
> >discovery mechanism described in DMARC [RFC7489] Section 6.6.3.' I don't
> >think that is an accurate portrayal. When DMARC evaluation libraries are
> >updated to do both PSD lookups and handle the np tag, I would expect the
> >presence of np tags below the PSD level would be processed exactly the way
> >that any other tag in a DMARC record is processed. np will only be ignored
> >(per the terms of the DMARC spec) when it is an "unrecognized" tag. I
> >realized that this text is sort of picked up from the current description
> >of "sp", but the inclusion of "and PSDs" makes it inaccurate. You can't
> >publish an np record on a non-existent Org domain or any subdomain
> >thereof

At first, I thought Kurt was right, but after further thought, I don't think so.

To review the 'sp' definition that I took this from:

Imagine sub.sub.example.com where example.com is the org domain. If sub.sub.example.com has no DMARC record, then the next lookup is for a DMARC record at the org domain (example.com). If sub.example.com has a DMARC record with an 'sp' tag, it's never retrieved.

The same thing would apply to 'np' when used in a non-PSD context. No different.

Keeping in mind that our definition of non-existent is a domain that has none of A, AAAA, or MX. It could have other types. It could also have subdomains called "_dmarc" that have TXT records. Non-existent domains (in our context) can have DMARC records, so I think the description is correct, but narrowly focused.

Modifying the example I used above slightly:

Imagine sub2.sub1.org.example where example has a PSD DMARC record with 'np', org.example has no DMARC record, sub1.org.example also has a DMARC record with 'np', and sub2.sub1.org.example has no DMARC record.

In this case, the policy lookup is for sub2.sub1.org.example (exact domain), org.example (org domain), and then example (PSD).

Just as with 'sp' and regular DMARC, 'np' (or 'sp') in non-org subdomains of PSDs don't get discovered.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
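
Added example, not part of the original message: a small simulation of the lookup order walked through in the second example above (exact domain, org domain, PSD), showing that the record at sub1.org.example is never queried. The record contents, the set of names with A/AAAA/MX, deriving the org domain as "PSD plus one label", and the np, then sp, then p fallback order are assumptions made for the illustration.

```python
# Constructed TXT records at _dmarc.<name>, following the second example above.
TXT = {
    "_dmarc.example": "v=DMARC1; p=none; np=reject",                   # PSD record
    "_dmarc.sub1.org.example": "v=DMARC1; p=none; np=quarantine",      # never reached
}
# Constructed: names that have A, AAAA or MX; all others are "non-existent".
HAS_ADDR_OR_MX = {"org.example", "sub1.org.example"}
PSD = "example"  # assumed to be known from a PSD registry

def parse_tags(record):
    """Split 'v=DMARC1; p=none; np=reject' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain, psd=PSD):
    """Assumption for this sketch: org domain is the PSD plus one more label."""
    keep = len(psd.split(".")) + 1
    return ".".join(domain.split(".")[-keep:])

def discover(domain, psd=PSD, txt=TXT):
    """Query exact domain, then org domain, then PSD; stop at the first record."""
    candidates = [domain]
    for name in (org_domain(domain, psd), psd):
        if name not in candidates:
            candidates.append(name)
    queried = []
    for name in candidates:
        queried.append(name)
        tags = parse_tags(txt.get("_dmarc." + name, ""))
        if tags.get("v") == "DMARC1":
            return queried, name, tags
    return queried, None, {}

def effective_policy(domain):
    """Return (names queried, name whose record applied, policy to apply)."""
    queried, source, tags = discover(domain)
    if source is None or source == domain:
        return queried, source, tags.get("p")
    # Record inherited from org domain or PSD: 'np' only matters for names
    # with no A/AAAA/MX; fallback order np -> sp -> p is assumed here.
    order = ("sp", "p") if domain in HAS_ADDR_OR_MX else ("np", "sp", "p")
    return queried, source, next((tags[t] for t in order if t in tags), None)

if __name__ == "__main__":
    print(effective_policy("sub2.sub1.org.example"))
```

The intermediate name sub1.org.example never appears in the queried list for sub2.sub1.org.example, so its 'np=quarantine' has no effect on that lookup; it is only used when sub1.org.example itself is the exact domain, where 'p' applies.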