On Thu, Nov 18, 2021 at 8:11 AM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:

> Do we want to provide a sub-tree alignment option?
>
> Suppose that “security.example.edu” does not want any other part of
> “example.edu” to be sending emails on their behalf, so they want to limit
> alignment to their sub-tree only. This approach becomes feasible if (a)
> we use tree walk and (b) we implement a clause which indicates “top of tree
> for alignment purposes”. I suspect that this would have some appeal to
> parts of some universities and other complex organizations, but again we
> would need those organizations to affirm that it would be useful.

It seems to me that DMARC already provides the ability for security.example.edu to ensure that no other part of example.edu can send mail on their behalf. To accomplish this, security.example.edu can today:

- Publish an SPF record listing only hosts under its direct control, a record which ends with "-all"
- Ensure that only hosts under its control can DKIM sign messages using "security.example.edu" as the signing domain, by making sure that its private DKIM signing key is only deployed to hosts under its control
- Publish a DMARC policy record that includes the following three tags and values:
  - p=reject
  - adkim=s
  - aspf=s

--
*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* todd.h...@valimail.com
*m:* 703.220.4153

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc