In article <CAL0qLwZwz+R52ydEgn7Qpu8t4=5wsh0xluijs48fwb00vbq...@mail.gmail.com> you write:
>> Consider: From f...@bogus.bogus.bogus.bogus.bogus...bogus.bogus.example.com
>>
>Yeah, I'm familiar with the nature of the attack. But based on what
>amounts to the hallway track, it feels like the perspective of the DNS
>community these days is that the currently deployed DNS infrastructure
>could easily deal with such an attack, ...

The DNS crowd is finally admitting to themselves that Sturgeon's Law
applies to the DNS, too, and a little more crud will be lost in the
large amount of noise. I gather that people are implementing RFC 8020
which makes this attack less effective.

>The issue PSD is attempting to address is mail sent as a nonexistent
>subdomain. For example, irs.gov doesn't have a subdomain called
>auditors.irs.gov, so irrespective of any irs.gov DMARC policy, I could send
>email as m...@auditors.irs.gov without limitation. ...

I have less sympathy for that argument. I do a hard reject of any
mail with a nonexistent bounce address which I don't think is unusual.

PSD as I understand it is to address the same issue the organizational
domain does, but a level up, in a group of organizations that have
some administrative connection.

The issue is people who publish A and MX records without covering
DMARC records. They're not supposed to do that but they do, and PSD is
one way of figuring out who needs to fix what.

R's,
John

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
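The audit the message describes (finding names that publish A or MX records without a covering DMARC record) can be sketched as follows. This is an added example, not part of the message or of any DMARC implementation: the zone data, the suffix list and all function names are constructed, and the lookup order (exact name, organizational domain, then the public suffix a level up) is a simplified model.

```python
# Constructed sample data: a toy DNS view, name -> {rrtype: [values]}.
# All names sit under the reserved "example" TLD; none come from the thread.
ZONE = {
    "agency.gov.example":        {"A": ["192.0.2.10"], "MX": ["10 mx.agency.gov.example"]},
    "_dmarc.agency.gov.example": {"TXT": ["v=DMARC1; p=reject"]},
    "mx.agency.gov.example":     {"A": ["192.0.2.11"]},
    "town.gov.example":          {"A": ["192.0.2.20"], "MX": ["10 town.gov.example"]},
    "_dmarc.gov.example":        {"TXT": ["v=DMARC1; p=quarantine"]},
    "shop.com.example":          {"A": ["192.0.2.30"], "MX": ["10 shop.com.example"]},
}
PUBLIC_SUFFIXES = {"example", "gov.example", "com.example"}  # assumed suffix list

def exists(name):
    """True if the name or anything beneath it has data. A name that fails
    this is NXDOMAIN, and per RFC 8020 so is every name below it."""
    return any(n == name or n.endswith("." + name) for n in ZONE)

def org_and_psd(domain):
    """Return (organizational domain, public suffix one level above it)."""
    labels = domain.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:  # longest matching suffix is found first
            if i == 0:
                return None, suffix    # the domain is itself a public suffix
            return ".".join(labels[i - 1:]), suffix
    return domain, None

def dmarc_txt(domain):
    """Return the DMARC TXT record published at _dmarc.<domain>, if any."""
    for txt in ZONE.get("_dmarc." + domain, {}).get("TXT", []):
        if txt.startswith("v=DMARC1"):
            return txt
    return None

def covering_policy(domain):
    """Exact name, then organizational domain, then the PSD a level up."""
    org, psd = org_and_psd(domain)
    for level, name in (("exact", domain), ("org", org), ("psd", psd)):
        if name and dmarc_txt(name):
            return level, name, dmarc_txt(name)
    return None

def audit():
    """Names publishing A or MX with no DMARC record at any level."""
    return sorted(n for n, rr in ZONE.items()
                  if not n.startswith("_dmarc.") and ("A" in rr or "MX" in rr)
                  and covering_policy(n) is None)
```

Here `audit()` reports only `shop.com.example`, because `town.gov.example` is caught by the record at the `gov.example` suffix, while `exists()` is the check a receiver would use to refuse a bounce address at a name that does not exist.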