I don't think that's the question we want to try and answer in this working 
group.  That's roughly the question dbound tried and failed to answer.

If I could reframe the question, I would make it "Is it feasible that DNS flags 
could provide a less-bad replacement for the PSL for DMARC".  We have already 
attempted to solve the larger question and failed. Let's not repeat the 
experience.

Fundamentally, I think the questions you are asking are outside the IETF's 
remit.  They aren't technical questions that we are equipped to address.

It won't surprise you to hear that my answer to the question as I've modified 
it is yes.  I think if we clearly and concisely describe the risks with certain 
aspects of DMARC record publication by PSDs it will mostly work out through 
either contractual requirements outside the IETF's scope or market forces.

I'll offer that in the early days of SPF there were several DNS providers that 
decided to 'help' their customers by automatically publishing an SPF record for 
them that said their customers only sent mail through their infrastructure.  As 
far as I'm aware, that practice eventually died out because it raised support 
costs and had negative reputational effects on the providers.

I think that it'll be similar for PSDs and DMARC.  Where there aren't 
contractual limits in place, some entities will publish problematic records, 
but market forces will fix it as needed.

Let's not try to boil the ocean.  Let's focus on what's in our scope.

Scott K

On November 6, 2021 1:08:41 PM UTC, Douglas Foster 
<dougfoster.emailstanda...@gmail.com> wrote:
>Back to Scott's original comment and Ale's skepticism:
>
>Is it feasible that DNS flags could provide a less-bad replacement for the
>PSL, or will it be just a different and maybe even less-reliable mess?
>If most are not under contract, how can we hope to get cooperation?
>Does the leadership or designated members of this group have a way to
>evaluate that question?
>
>
>On Fri, Nov 5, 2021 at 2:23 PM John Levine <jo...@taugh.com> wrote:
>
>> It appears that Tobias Herkula  <tobias.herk...@1und1.de> said:
>> >I'm aware of that, to be more explicit about my meaning. At least I
>> >currently believe (I don't know) that there is a difference in buying
>> >the domain "mydomain.example" under the assumption that .example is a
>> >gTLD, sTLD or ccTLD in comparison of buying a domain from ME, like
>> >"harharhar.mydomain.example".
>>
>> If you buy mydomain.broker.aero or mydomain.castle.museum or
>> mydomain.smith.name or mydomain.cpa.pro, you are buying it directly
>> from the ICANN contracted registry via a registrar so you are in the
>> same position as if you buy mydomain.org.  If you buy mydomain.us.com
>> you are buying it from an ICANN contracted registry, but they don't
>> happen to have a contract about that 2LD.
>>
>> The public part of the PSL also has thousands of 2nd and 3rd level ccTLD
>> entries where you get whatever you get from the ccTLD, none of which have
>> meaningful ICANN contracts.  And as I said, the PSL is missing
>> a lot of 2LDs sold direct by the TLD registries.  It is a mess and
>> it does not claim to be authoritative.
>>
>> R's,
>> John
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
