On Sunday, December 5, 2021 9:35:15 PM EST John Levine wrote:
> It appears that Scott Kitterman <skl...@kitterman.com> said:
> >> For your #2 you seem to be saying that if I send no-reply transactional
> >> mail, my DNS would look like this:
> >>
> >> notify.bigcorp.com. IN MX 0 . /* we don't receive replies */
> >> IN A 0.0.0.0 /* make the domain exist */
> >> _dmarc.notify.bigcorp.com. IN TXT "v=DMARC1; p=reject; ..." /* it's all aligned */
> >> s._domainkey.notify.bigcorp.com. IN TXT "v=DKIM1; h=sha256; p=MIIBIjANB..." /* it's signed */
> >
> > In the current definition one of MX, A, or AAAA needs to return something
> > other than NODATA or NXDOMAIN. ...
> >
> > This is about if the sp= or np= policy should apply (if defined). I think
> > it's reasonable to apply np= if the only thing that makes the domain exist
> > in our terms is the null MX (#1). For #2, I think the sp= policy should
> > apply.
>
> The question appears to be whether we believe that null MX means that a
> domain never sends mail, as opposed to never receives mail. As we said in
> RFC 7505 sec 4.2, sending mail from a null MX domain is not a great idea,
> but it is a SHOULD NOT, not a MUST NOT. If you want to say you never send
> mail, that's SPF -all.
>
> I don't think this is the place to change the semantics.
I agree it's not the place to change the semantics, but I don't think we are.
The np/sp question is about domain existence, not whether it sends mail. Where
published so far, the np tags tend to be a stricter policy than the sp tags.
For example, the current record for .mil:

v=DMARC1; p=reject; sp=none; np=reject; rua=mailto:dmarc_repo...@mail.mil

The difference then would be that currently mail purportedly sent from
example.mil would use the reject policy from the np= tag vice the none from
sp=. If someone were to publish a null MX record for that domain, should that
change? I think not.

My simplistic view of SHOULD NOT is that anyone who does owns the results if
they do. In this case, if you really did send mail from example.mil with just
the null MX record, you SHOULD NOT have done that, and if that gets a message
rejected, well, you SHOULD NOT have done it that way and it's on you.

Scott K

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
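The following is an added example, not code from the thread or from any DMARC implementation. It applies the selection rule the thread is arguing about (np= for a nonexistent subdomain, sp= for an existing one, p= for the organizational domain or a subdomain with its own record, with the "exists" test being that MX, A or AAAA returns something other than NODATA/NXDOMAIN) to a constructed in-memory zone. The names under bigcorp.example, the addresses, the DMARC record contents and the `null_mx_alone_counts` switch are all assumptions made for the example; the switch exposes the two readings in the thread, the literal one (a null MX is MX data, so the name exists and sp= applies) and the one Scott argues for (a name whose only record is a null MX should still get np=). The organizational-domain step is simplified to "last two labels"; real code uses the Public Suffix List or the DMARCbis tree walk.

```python
"""DMARC policy selection: p= vs sp= vs np= (added example, not from the thread)."""

# Constructed zone data (not real DNS). Key is (owner name, RR type); a
# missing key stands in for NODATA/NXDOMAIN, which is all the rule needs.
ZONE = {
    ("bigcorp.example", "A"): ["192.0.2.10"],
    ("bigcorp.example", "MX"): ["10 mail.bigcorp.example."],
    # Same p/sp/np layout as the .mil record quoted above (rua omitted).
    ("_dmarc.bigcorp.example", "TXT"): ["v=DMARC1; p=reject; sp=none; np=reject"],
    # Thread's "#2": no-reply transactional subdomain with a null MX, an A
    # record so the name exists, and its own aligned DMARC record.
    ("notify.bigcorp.example", "MX"): ["0 ."],
    ("notify.bigcorp.example", "A"): ["192.0.2.11"],
    ("_dmarc.notify.bigcorp.example", "TXT"): ["v=DMARC1; p=reject"],
    # Ordinary existing subdomain with no DMARC record of its own.
    ("www.bigcorp.example", "A"): ["192.0.2.12"],
    # Thread's "#1": the only thing that makes this name exist is a null MX.
    ("nullmx.bigcorp.example", "MX"): ["0 ."],
    # ghost.bigcorp.example has no records at all: NXDOMAIN.
}

NULL_MX = "0 ."


def lookup(name, rrtype):
    """Return the RRset for (name, rrtype); [] means NODATA/NXDOMAIN."""
    return ZONE.get((name, rrtype), [])


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict (tags lowercased, values stripped)."""
    tags = {}
    for field in txt.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Assumption: organizational domain = last two labels. Real code uses
    the Public Suffix List or the DMARCbis tree walk."""
    return ".".join(domain.split(".")[-2:])


def domain_exists(domain, null_mx_alone_counts=True):
    """Existence test from the thread: one of MX, A or AAAA returns something
    other than NODATA/NXDOMAIN.  null_mx_alone_counts=True is the literal
    reading (a null MX is MX data, so the name exists); False treats a name
    whose only record is a null MX as nonexistent, so np= still applies."""
    if lookup(domain, "A") or lookup(domain, "AAAA"):
        return True
    mx = lookup(domain, "MX")
    if not mx:
        return False
    if mx == [NULL_MX]:
        return null_mx_alone_counts
    return True


def applicable_policy(from_domain, null_mx_alone_counts=True):
    """Return (policy, tag) for an RFC5322.From domain: tag is which of
    p/sp/np supplied the policy, or None when no record applies."""
    own = lookup("_dmarc." + from_domain, "TXT")
    if own:
        # Domain publishes its own record: its p= applies, sp/np do not.
        return (parse_dmarc(own[0]).get("p", "none"), "p")
    org = org_domain(from_domain)
    if org == from_domain:
        return ("none", None)   # organizational domain without a record
    org_txt = lookup("_dmarc." + org, "TXT")
    if not org_txt:
        return ("none", None)
    tags = parse_dmarc(org_txt[0])
    # np= covers nonexistent subdomains and defaults to sp=, which defaults to p=.
    exists = domain_exists(from_domain, null_mx_alone_counts)
    chain = ("sp", "p") if exists else ("np", "sp", "p")
    for tag in chain:
        if tag in tags:
            return (tags[tag], tag)
    return ("none", None)


if __name__ == "__main__":
    for name in ("bigcorp.example", "notify.bigcorp.example", "www.bigcorp.example",
                 "ghost.bigcorp.example", "nullmx.bigcorp.example"):
        literal = applicable_policy(name)
        strict = applicable_policy(name, null_mx_alone_counts=False)
        print(f"{name:26} literal={literal}  null-MX-only-is-nonexistent={strict}")
```

Run as a script it prints one line per constructed name; the only row that changes between the two readings is nullmx.bigcorp.example, which gets sp=none under the literal existence test and np=reject under the reading where a lone null MX does not make the domain exist. The notify.bigcorp.example row is the same either way because a subdomain with its own _dmarc record never reaches the sp/np logic at all.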