On 11/18/2021 1:44 PM, John Levine wrote:
> It appears that Todd Herr <todd.h...@valimail.com> said:
>> It seems to me that DMARC already provides the ability for
>> security.example.edu to ensure that no other part of example.edu can send
>> mail on their behalf. To accomplish this, security.example.edu can today:
>>
>> - Publish an SPF record listing only hosts under its direct control, a
>> record which ends with "-all"
>> - Ensure that only hosts under its control can DKIM sign messages using
>> "security.example.edu" as the signing domain, by making sure that its
>> private DKIM signing key is only deployed to hosts under its control
>> - Publish a DMARC policy record that includes the following three tags
>> and values:
>> - p=reject
>> - adkim=s
>> - aspf=s
>
> Agreed. That would work fine.
>
> An sp=reject in both security.example.edu and its org domain would also be a
> good idea.
(Sorry, AWOL due to new employment, only tertiarily involved in matters relevant to this discussion these days. Also haven't read this list for about a year.)

Here's my best recollection of the issue:

p=(quarantine|reject) isn't the real issue for example.edu; just tell departments to use their sub.example.edu domains (localized control/branding makes people happy, more or less.) [1]

p=(quarantine|reject) for sub.example.edu isn't really an issue either; just a microcosm.

The problem is when there are departments with lots of systems all sending from hostname.sub.example.edu. So, sub.example.edu needs time to reconcile (or doesn't care to), wants to publish sp=none for sub.example.edu; but can't because the org domain's sp policy is the only one that matters, since there is no tree walk from hostname.sub.example.edu to sub.example.edu. Meanwhile, example.edu can't move beyond sp=none.

Also, the lack of control down the tree means that example.edu would never be able to use aspf=r, which is restricting a useful feature from organizations that could probably benefit the most from the flexibility it provides. I don't think that inability to use adkim=r is as much of an issue since individual CNAME records are easy to create under example.edu. This is off topic in my mind, but it was mentioned above.

Jesse

[1] most complex institutions probably aren't so willing to hand out subdomains like candy

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
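The policy-discovery gap Jesse describes, as an added example that is not from the thread or from any DMARC implementation: a minimal Python model of RFC 7489 discovery (exact domain, then the organizational domain only) beside a label-by-label tree walk, run over a constructed zone in which example.edu publishes sp=reject while sub.example.edu publishes sp=none. The zone contents, and the assumption that "edu" is the public suffix, are constructed for the example.

```python
# Simplified model of DMARC policy discovery for a RFC5322.From domain.
# Added example (not from the thread); the zone below is constructed and
# "edu" is assumed to be the public suffix, so the organizational domain of
# anything under example.edu is example.edu itself.
from typing import Dict, Optional

# Constructed _dmarc TXT records, keyed by the domain they are published for.
ZONE: Dict[str, str] = {
    "example.edu":     "v=DMARC1; p=reject; sp=reject",  # org domain moved beyond sp=none
    "sub.example.edu": "v=DMARC1; p=reject; sp=none",    # department wants leniency below it
}

PUBLIC_SUFFIX_LABELS = 1  # assumption: "edu" is a one-label public suffix


def parse_record(txt: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; sp=none' into a tag->value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    labels = domain.split(".")
    return ".".join(labels[-(PUBLIC_SUFFIX_LABELS + 1):])


def rfc7489_policy(from_domain: str, zone: Dict[str, str] = ZONE) -> Optional[str]:
    """RFC 7489 discovery: exact domain, else the organizational domain only.
    For a subdomain the org domain's sp= applies (falling back to its p=);
    any record published at an intermediate label is never consulted."""
    if from_domain in zone:
        return parse_record(zone[from_domain])["p"]
    org = org_domain(from_domain)
    if org in zone:
        tags = parse_record(zone[org])
        return tags.get("sp", tags["p"])
    return None


def tree_walk_policy(from_domain: str, zone: Dict[str, str] = ZONE) -> Optional[str]:
    """Climb one label at a time and stop at the first record found, so the
    nearest ancestor's sp= governs the subdomain. Ends at the org domain."""
    labels = from_domain.split(".")
    stop = len(org_domain(from_domain).split("."))
    for i in range(len(labels) - stop + 1):
        cand = ".".join(labels[i:])
        if cand in zone:
            tags = parse_record(zone[cand])
            return tags["p"] if i == 0 else tags.get("sp", tags["p"])
    return None
```

Under the RFC 7489 lookup, mail from host.sub.example.edu is judged by example.edu's sp=reject and sub.example.edu's sp=none is silently ignored; the tree walk is what would let the department's record take effect.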