On 11/12/20 3:23 PM, John Levine wrote:
> You now can put a DMARC record on a name below the org domain to shadow a subtree, but I don't think that is a problem that needs to be solved.

I'm confused by this statement. Are you saying that you can "now" do subtree shadowing with sp? As in, the following language is being changed "now"?

"Note that "sp" will be ignored for DMARC records published on subdomains of Organizational Domains due to the effect of the DMARC policy discovery mechanism described in Section 6.6.3."

Or that you meant to say "not" instead of "now" - which is more accurate to the current state, I think.

I would assert that for "sp" to be realistically achievable (i.e. the policy coverage for the non-existent and long tail of domain/host names that *shouldn't* be sending unauthenticated email) for a complex organization, this is a problem that needs to be solved.

To further clarify the use case for walking the tree: it allows us to put sp=reject on the org domain (backstopping the problem) and contain legacy environments to solve through reconfiguration/attrition by setting sp=none on the applicable 3rd/4th-level domains.

Jesse

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
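The two discovery behaviours the thread contrasts, as an added example that is not part of the message: RFC 7489 section 6.6.3 discovery (exact name, then Organizational Domain, so an "sp" on a subdomain record never applies to names beneath it) versus a simplified parent-walking lookup that honours the nearest ancestor record. The `_dmarc` records, the `example.com` Organizational Domain and the sender names are constructed; the Public Suffix List lookup is replaced by a fixed assumption.

```python
# Added illustration (not from the thread). Constructed _dmarc TXT records,
# keyed by the name they are published at; the org domain backstops with
# sp=reject while a legacy subtree publishes sp=none, as the reply proposes.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "_dmarc.legacy.example.com": "v=DMARC1; p=none; sp=none",
}

ORG_DOMAIN = "example.com"  # assumed Organizational Domain (no PSL lookup here)


def parse_record(txt):
    """Parse 'tag=value; ...' into a dict (minimal: enough for p and sp)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(name):
    rec = DNS.get("_dmarc." + name)
    return parse_record(rec) if rec else None


def applicable_policy(record, sender, record_domain):
    """p governs the record's own name; sp (defaulting to p) governs names below it."""
    if sender == record_domain:
        return record["p"]
    return record.get("sp", record["p"])


def rfc7489_policy(sender):
    """Section 6.6.3 discovery: exact name, then Organizational Domain, nothing between."""
    for name in (sender, ORG_DOMAIN):
        rec = lookup(name)
        if rec:
            return applicable_policy(rec, sender, name), name
    return None, None


def tree_walk_policy(sender):
    """Simplified tree walk: strip one label at a time, stop at the org domain."""
    labels = sender.split(".")
    stop = len(ORG_DOMAIN.split("."))
    for i in range(len(labels) - stop + 1):
        name = ".".join(labels[i:])
        rec = lookup(name)
        if rec:
            return applicable_policy(rec, sender, name), name
    return None, None
```

For the unpublished 4th-level name `host42.legacy.example.com`, `rfc7489_policy` returns the org domain's `reject` and `tree_walk_policy` returns the legacy subtree's `none`, which is the difference the message is asking about.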