It appears that Todd Herr <todd.h...@valimail.com> said:
>It seems to me that DMARC already provides the ability for
>security.example.edu to ensure that no other part of example.edu can send
>mail on their behalf. To accomplish this, security.example.edu can today:
>
> - Publish an SPF record listing only hosts under its direct control, a
>   record which ends with "-all"
> - Ensure that only hosts under its control can DKIM sign messages using
>   "security.example.edu" as the signing domain, by making sure that its
>   private DKIM signing key is only deployed to hosts under its control
> - Publish a DMARC policy record that includes the following three tags
>   and values:
>     - p=reject
>     - adkim=s
>     - aspf=s
Agreed. That would work fine. An sp=reject in both security.example.edu
and its org domain would also be a good idea.

R's,
John

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
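The following is an added example written for this page; it is not code from either post in the thread nor from any DMARC implementation. It parses DMARC TXT records, checks a domain against the configuration Todd and John describe (p=reject, adkim=s, aspf=s, SPF ending in "-all", plus sp=reject), and evaluates a few constructed messages to show what strict alignment and sp actually enforce. Everything is assumed or constructed: the DNS data is inline (no lookups), `org_domain()` is a hypothetical stand-in for a Public Suffix List lookup, and `lookup_policy()` walks up the name tree one label at a time, which is a simplification rather than the exact RFC 7489 or DMARCbis discovery rule.

```python
"""Added example (not from the thread): DMARC record parser, configuration
check and policy evaluator for the setup discussed above.

Assumptions: DNS data is constructed inline; org_domain() stands in for a
Public Suffix List lookup; lookup_policy() uses a simplified tree walk.
"""
from typing import Dict, List, Optional, Tuple

# Constructed records: _dmarc.<domain> TXT and <domain> SPF TXT (not real DNS).
DMARC_RECORDS: Dict[str, str] = {
    "security.example.edu": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "example.edu": "v=DMARC1; p=none; sp=reject; adkim=r; aspf=r",
}
SPF_RECORDS: Dict[str, str] = {
    "security.example.edu": "v=spf1 ip4:192.0.2.10 -all",  # 192.0.2.0/24: documentation space
}

# The tags and values the thread recommends for security.example.edu.
RECOMMENDED = (("p", "reject"), ("sp", "reject"), ("adkim", "s"), ("aspf", "s"))


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Hypothetical PSL stand-in: treat the last two labels as the org domain."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment ('s') needs an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain.lower()) == org_domain(auth_domain.lower())


def lookup_policy(from_domain: str) -> Tuple[Optional[Dict[str, str]], bool]:
    """Return (tags, found_on_a_parent). Simplified tree walk (assumption):
    try the From domain, then each parent, stopping at the first record."""
    labels = from_domain.lower().split(".")
    for i in range(len(labels) - 1):  # never consult the bare TLD
        record = DMARC_RECORDS.get(".".join(labels[i:]))
        if record is not None:
            return parse_dmarc(record), i > 0
    return None, False


def evaluate(from_domain: str, spf_domain: Optional[str], dkim_d: Optional[str]) -> str:
    """DMARC disposition for one message. spf_domain is the domain that passed
    SPF (None if none did); dkim_d is the d= of a verified DKIM signature
    (None if none). Returns 'pass' or the applicable policy value."""
    tags, on_parent = lookup_policy(from_domain)
    if tags is None:
        return "none"  # no DMARC policy published: nothing to enforce
    spf_ok = spf_domain is not None and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_d is not None and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # A record found on a parent applies its subdomain policy (sp), falling
    # back to p when sp is absent.
    if on_parent:
        return tags.get("sp", tags.get("p", "none"))
    return tags.get("p", "none")


def check_recommended(domain: str) -> List[str]:
    """List deviations from the configuration recommended in the thread."""
    problems: List[str] = []
    tags = parse_dmarc(DMARC_RECORDS.get(domain, ""))
    for tag, want in RECOMMENDED:
        if tags.get(tag) != want:
            problems.append(f"{tag}={tags.get(tag, '<missing>')} (want {want})")
    spf = SPF_RECORDS.get(domain)
    if spf is None:
        problems.append("no SPF record")
    elif spf.split()[-1] != "-all":
        problems.append("SPF does not end with -all")
    return problems


if __name__ == "__main__":
    print(check_recommended("security.example.edu"))  # []
    print(check_recommended("example.edu"))            # p, adkim, aspf and SPF deviate
    # Another part of example.edu authenticating for security.example.edu fails strict alignment.
    print(evaluate("security.example.edu", "mail.example.edu", "example.edu"))  # reject
    print(evaluate("security.example.edu", None, "security.example.edu"))       # pass
    print(evaluate("foo.security.example.edu", None, None))                     # reject (sp)
    print(evaluate("other.example.edu", None, None))                            # reject (sp)
    print(evaluate("example.edu", None, "mail.example.edu"))                    # pass (relaxed)
```

The second `evaluate` call is the case Todd's configuration is meant to close: a message with From: security.example.edu that passes SPF for mail.example.edu and carries a DKIM signature with d=example.edu is rejected, because strict alignment requires the exact domain. The two unauthenticated subdomain cases show why John adds sp=reject on both records: with the relaxed defaults and no sp, a nonexistent subdomain would inherit the org domain's p=none.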