No Murray, I was speaking to the PSD document.

PSD's entire purpose is to detect abuse of non-existent organizational
domains, so the definition of non-existent is crucial to its success.    I
believe the current language will produce false positives, albeit probably
a small number.    The current language is also more resource-intensive
than mine, although that is not my concern.

I believe this is also a general problem that full DMARC should address.
 If a domain exists but does not have a policy, we interpret this to mean
that the domain owner has not chosen to publish a policy, which is his
right.    If a domain does not exist, then there is no domain owner to
publish a policy and no reason to believe that the use of the domain is
legitimate.   In fact, use of an unregistered domain is a violation of IETF
policy and the entire name registration infrastructure.    Consequently, I
believe that SPF and DMARC SHOULD differentiate between "policy not
specified" and NXDOMAIN.   But to put this topic into play for DMARC, I
need to create a ticket, right?

I also want PSD to use a correct definition of non-existent because it will
establish a precedent for any generalization done as part of the full DMARC
effort.

Doug Foster

On Tue, Jan 19, 2021 at 9:23 AM Murray S. Kucherawy <superu...@gmail.com>
wrote:

> On Tue, Jan 19, 2021 at 4:34 AM Douglas Foster <
> dougfoster.emailstanda...@gmail.com> wrote:
>
>> I raised objections to the definition of "non-existent", which never
>> received an adequate response before the discussion went silent.
>>
>> DMARC checks the From  header address, which may exist only as an
>> identifier used for mass mailings.   These mailings are often sent by an
>> ESP using an unrelated SMTP address.    As such, the From address need not
>> be associated with any A, AAAA, or MX record.    I assert that the only
>> viable definition of non-existent is "not registered", as evidenced by
>> absence of an NS record.
>>
>
> This is a discussion of DMARC, not of PSD, right?  DMARC defines this test
> in an Appendix, and then makes it non-mandatory.  PSD says to apply that
> test for domains that request it.
>
> Hooking this test up to registration requires introducing RDAP or
> something similar.  Is that what we're talking about here?
>
>> I don't believe the proposed definition of "non-existent" is reliably true
>> even in the special case of interest for this document, impersonation fraud
>> occurring at the top of an organizational structure.  Example.PSD may
>> legitimately use mail.Example.PSD for email and www.example.psd for web.
>>  If the proposed condition MUST always be true, I have not seen that fact
>> demonstrated.   Since the document raises a general concern about
>> fraudulent use of non-existent domains, the definition used should be one
>> that can be generalized.
>>
>
> This sounds like something that should be solved in DMARC, not PSD, but
> naturally consensus wins here, so have at it.
>
> -MSK
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
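
Added example, not part of the thread or of any draft text: a small offline model of the two "non-existent" tests being debated (no A, AAAA or MX answer versus no NS record) and of the "policy not specified" versus NXDOMAIN distinction. The zone data, the name unregistered.psd and all function names are constructed for illustration; the NS test assumes the caller already knows the organizational domain.

```python
# Constructed zone data (not real DNS): name -> {rrtype: [rdata]}.
ZONE = {
    "example.psd": {"NS": ["ns1.example.psd."]},  # registered, used only in From
    "mail.example.psd": {"MX": ["10 mx.example.psd."]},
    "www.example.psd": {"A": ["192.0.2.10"]},
    "_dmarc.mail.example.psd": {"TXT": ["v=DMARC1; p=reject"]},
}

def query(name, rrtype):
    """Return (rcode, answers) the way a resolver would report them."""
    name = name.lower().rstrip(".")
    if name not in ZONE:
        # A name with descendants is an empty non-terminal: NODATA, not NXDOMAIN.
        if any(n.endswith("." + name) for n in ZONE):
            return "NODATA", []
        return "NXDOMAIN", []
    answers = ZONE[name].get(rrtype, [])
    return ("NOERROR", answers) if answers else ("NODATA", [])

def nonexistent_by_address_records(name):
    """Test discussed in the thread: no A, AAAA or MX answer for the name."""
    return all(not query(name, t)[1] for t in ("A", "AAAA", "MX"))

def nonexistent_by_ns(org_domain):
    """Alternative proposed in the thread: the domain has no NS record."""
    return not query(org_domain, "NS")[1]

def dmarc_state(name):
    """Separate 'policy not specified' from a name that does not exist."""
    _, answers = query("_dmarc." + name, "TXT")
    if any(a.startswith("v=DMARC1") for a in answers):
        return "policy published"
    # NXDOMAIN for _dmarc.<name> alone proves nothing; ask about the name itself.
    return "nxdomain" if query(name, "A")[0] == "NXDOMAIN" else "policy not specified"

if __name__ == "__main__":
    for d in ("example.psd", "mail.example.psd", "unregistered.psd"):
        print(d, nonexistent_by_address_records(d), nonexistent_by_ns(d), dmarc_state(d))
```

Here example.psd is flagged by the address-record test but not by the NS test, while unregistered.psd is flagged by both.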
