This question is about this paragraph:

5.7.2.1. DMARC Policy Discovery
If the set produced by the DNS Tree Walk contains no DMARC policy record
(i.e., any indication that there is no such record as opposed to a
transient DNS error), Mail Receivers SHOULD NOT apply the DMARC mechanism
to the message.


Whether a DMARC policy is missing or NONE, the test can be performed
successfully, using default alignment of relaxed.  Both PASS and FAIL
results can be useful to the evaluator, and a savvy evaluator will choose
to do so.

If a particular author's messages are trusted to be safe and wanted, the
sender may be configured to bypass content filtering.  This disposition is
only free of impersonation risk when the sender identity has been
validated.   A result of DMARC PASS provides this assurance.

If a test produces DMARC FAIL, this does not demonstrate that the message
is malicious or unwanted, but it may be a reason to prioritize the message
for review, so that local policies can be updated to ensure that the
authorship of future messages can be assessed unambiguously.

I suggest the language should be more like this:

If the set produced by the DNS Tree Walk contains no DMARC policy record
(i.e., any indication that there is no such record as opposed to a
transient DNS error), Mail Receivers MAY choose to proceed with the DMARC
mechanism using a default alignment of "relaxed" and a default policy
recommendation of "NONE".


If PSDs embrace the PSD flag, a missing DMARC flag should become a rare
event.   This may indicate a fraudulent TLD, so I think we also need to
document that possibility.   The right way to test for a fraudulent TLD
depends on my earlier question of whether all TLDs have implemented
DNSSEC.  If so, non-existent TLDs will return NXDOMAIN in response to a query
on the TLD name, while valid TLDs will return NOERROR or DATA.

Doug Foster
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
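
The difference between the quoted draft text and the wording suggested in the message above, as an added example (not part of the original post and not taken from any DMARC implementation). It covers only the branch where the DNS Tree Walk returns no policy record or a transient error. The function and field names are hypothetical, and it assumes that with an empty walk the From domain itself stands in as the Organizational Domain for relaxed alignment.

```python
from dataclasses import dataclass

@dataclass
class Auth:
    """One SPF or DKIM result for the message (constructed model)."""
    mechanism: str   # "spf" or "dkim"
    domain: str      # domain that SPF or DKIM authenticated
    passed: bool

def relaxed_aligned(auth_domain: str, from_domain: str) -> bool:
    # Assumption: the walk found no record, so no Organizational Domain was
    # discovered; the From domain is used in its place.
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f)

def evaluate_without_record(walk_status: str, from_domain: str,
                            results: list, apply_defaults: bool) -> dict:
    """walk_status is 'temperror' or 'no_record' (hypothetical labels)."""
    if walk_status == "temperror":
        # A transient DNS error is not evidence that no record exists.
        return {"dmarc": "temperror", "policy": None, "review": False}
    if walk_status != "no_record":
        raise ValueError("only the missing-record branch is modelled here")
    if not apply_defaults:
        # Draft wording: SHOULD NOT apply the DMARC mechanism.
        return {"dmarc": "none", "policy": None, "review": False}
    # Suggested wording: proceed with relaxed alignment and policy "none".
    ok = any(r.passed and relaxed_aligned(r.domain, from_domain)
             for r in results)
    # FAIL changes no disposition under policy "none"; it only flags the
    # message so local policy for this author can be reviewed.
    return {"dmarc": "pass" if ok else "fail", "policy": "none",
            "review": not ok}

if __name__ == "__main__":
    # Constructed sample: DKIM passes for a subdomain of the From domain.
    sample = [Auth("spf", "bounce.esp.example.net", True),
              Auth("dkim", "mail.example.org", True)]
    print(evaluate_without_record("no_record", "example.org", sample, False))
    print(evaluate_without_record("no_record", "example.org", sample, True))
```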
