I started from the assumption that we would want to generalize NP into
organizations.   But after spending a lot of time on the subject for the
last 15 months, I am convinced that it is not needed.

Assume that a university or other organization wishes to use a "none"
policy to permit mailing lists and other legitimate impersonators.   The
best practice for this situation is to use domain-specific DMARC policies,
with p=none, for each domain that is used in a From address.  Then use
sp=reject (or quarantine) on the organization record.   This protects the
organization much better than NP ever could, and it eliminates any
arguments over the definition of non-existent.

On the one hand, I am arguing that the test is a waste of effort for the
evaluator, as the likelihood of finding a true positive is low while the
likelihood of false positives is high.   On the other hand, I am asserting
that it is redundant and inferior for those organizations that do wish to
inhibit impersonation of non-mail and non-existent subdomains.

Doug

On Tue, Mar 15, 2022 at 8:10 AM Alessandro Vesely <ves...@tana.it> wrote:

> On Tue 15/Mar/2022 02:54:21 +0100 Douglas Foster wrote:
> >
> > For subdomains of registered organizations, SP=reject protects both existent
> > and non-existent domains.  This means that a NP policy would only be relevant
> > when sp=none and np=reject.
>
>
> While that's true, someone may want to set, for example, sp=quarantine;
> np=reject;
>
> While some organizations may use non-existing domains in From:, I wouldn't
> consider that to be a good practice.  Some other organizations may instead want
> to reject messages exhibiting a non-existent author domain, irrespective of
> authentication.  That was ADSP's nxdomain feature.
>
> DMARC only allows to force non-existent domains into a policy.  At a first
> look, it would seem that an organization which wants to disown messages with
> non-existent author domain should be able to do it.  Unless their SPF record is
> wrong or their DKIM keys are stolen, it is enough to avoid to send messages
> with such From: lines.
>
>
> > [...]
> >
> > At the same time, it is difficult to assume that any theoretical expectation
> > will remain valid across many spammers and billions of messages.   In my
> > limited study, I only see non-existent subdomains used for legitimate mail.
> >   Since no one has submitted evidence to the contrary, I feel emboldened that
> > my theory may indeed be correct.   If non-existent subdomains of legitimate
> > organizations are being impersonated on a scale worthy of checking every
> > message, I would expect that we could find evidence of it.
>
>
> What would be the advantage of impersonating a non-existent domain?
>
> Anyway, it should be clear to the readers of RFC 9091 that np=reject implies
> that mail from t4x.gov.example is going to be accepted if it passes SPF or
> DKIM.  Or is there room for misunderstanding?
>
>
> Best
> Ale
> --
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
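
The record layouts discussed in this thread, worked through as an added example (not part of the thread and not any participant's code): it selects the policy a receiver would take from p, sp or np for a given From: domain. The example.edu names, the p=none on the organization record, and modelling "existence" as a fixed set of names are assumptions made for illustration.

```python
def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; sp=reject' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    return tags


def effective_policy(from_domain, org_domain, records, existing):
    """Return (policy, source) for a From: domain.

    records:  {domain: TXT value published at _dmarc.<domain>}
    existing: names treated as existing in DNS (constructed stand-in for the
              A/AAAA/MX existence test of RFC 9091)
    """
    domain = from_domain.lower().rstrip(".")
    if domain in records:                       # domain-specific record wins
        return parse_dmarc(records[domain])["p"], f"p@{domain}"
    if org_domain not in records:
        return None, "no record"
    org = parse_dmarc(records[org_domain])      # fall back to the organization
    if domain not in existing and "np" in org:  # np: non-existent subdomains only
        return org["np"], f"np@{org_domain}"
    if "sp" in org:                             # sp: any subdomain without a record
        return org["sp"], f"sp@{org_domain}"
    return org["p"], f"p@{org_domain}"


# Constructed sample data; example.edu and its subdomains are hypothetical.
EXISTING = {"example.edu", "lists.example.edu", "www.example.edu"}
PER_DOMAIN = {  # p=none per mail domain, sp=reject on the organization record
    "example.edu": "v=DMARC1; p=none; sp=reject",
    "lists.example.edu": "v=DMARC1; p=none",
}
NP_ONLY = {"example.edu": "v=DMARC1; p=none; sp=none; np=reject"}
SP_AND_NP = {"example.edu": "v=DMARC1; p=none; sp=quarantine; np=reject"}

if __name__ == "__main__":
    for name, zone in [("per-domain + sp=reject", PER_DOMAIN),
                       ("sp=none; np=reject", NP_ONLY),
                       ("sp=quarantine; np=reject", SP_AND_NP)]:
        for d in ["lists.example.edu", "www.example.edu", "t4x.example.edu"]:
            print(f"{name:26} {d:20} {effective_policy(d, 'example.edu', zone, EXISTING)}")
```

The returned policy is what a receiver applies to a message that fails DMARC; a message that passes aligned SPF or DKIM is unaffected by it.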