On Wed 16/Mar/2022 03:10:03 +0100 Douglas Foster wrote:
> I started from the assumption that we would want to generalize NP into organizations. But after spending a lot of time on the subject for the last 15 months, I am convinced that it is not needed.
>
> Assume that a university or other organization wishes to use a "none" policy to permit mailing lists and other legitimate impersonators. The best practice for this situation is to use domain-specific DMARC policies, with p=none, for each domain that is used in a From address. Then use sp=reject (or quarantine) on the organization record. This protects the organization much better than NP ever could, and it eliminates any arguments over the definition of non-existent.


I agree that setting np= makes much more of a difference at a PSD than at regular organizations. Still, a uniform specification of what filters have to do when they find that tag is simpler than otherwise.


> On the one hand, I am arguing that the test is a waste of effort for the evaluator, as the likelihood of finding a true positive is low while the likelihood of false positives is high. On the other hand, I am asserting that it is redundant and inferior for those organizations that do wish to inhibit impersonation of non-mail and non-existent subdomains.


Checking domain existence is useful anyway. In my implementation it is part of the lookup call itself: if _dmarc.example.com exists, use the record; otherwise check if example.com exists at all. Options to reject nxdomain are quite popular. According to DMARC, one must still check that no aligned authentications hold, but the intended meaning is loud and clear.


Best
Ale
--
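The two layouts discussed in this exchange (per-domain p=none plus sp=reject on the organizational record, versus relying on np= for non-existent subdomains) can be compared with a small policy-selection routine. This is an added example, not code from the thread or from Ale's implementation; DNS is replaced by a constructed in-memory table, and the organizational-domain step is simplified to the last two labels (a real evaluator consults the Public Suffix List).

```python
# Added example (not from the thread or any project): how a receiver picks the
# DMARC policy for a From domain using p=, sp= and np=, with the non-existence
# check folded into the lookup. DNS is replaced by constructed dicts (ZONE_*);
# a name absent from the dict is treated as NXDOMAIN. org_domain() is a
# two-label simplification (assumption; real code uses the Public Suffix List).

def parse_tags(record):
    """Split 'v=DMARC1; p=none; sp=reject' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(name):
    return ".".join(name.split(".")[-2:])

def policy_for(from_domain, zone):
    """Return (policy, source-tag) for the RFC5322.From domain."""
    own = zone.get("_dmarc." + from_domain)
    if own:                                   # domain-specific record wins
        return parse_tags(own).get("p", "none"), "p"
    org = org_domain(from_domain)
    org_rec = zone.get("_dmarc." + org)
    if org == from_domain or not org_rec:
        return "none", "no record"
    tags = parse_tags(org_rec)
    sp = tags.get("sp", tags.get("p", "none"))  # sp= defaults to p=
    if from_domain in zone:                   # subdomain exists: sp= applies
        return sp, "sp"
    return tags.get("np", sp), "np"           # non-existent: np=, default sp=

# Layout recommended in the quoted message: p=none only on domains that
# really appear in From, sp=reject on the organizational record.
ZONE_SP = {
    "example.edu": "A 192.0.2.1",
    "_dmarc.example.edu": "v=DMARC1; p=reject; sp=reject",
    "lists.example.edu": "A 192.0.2.2",
    "_dmarc.lists.example.edu": "v=DMARC1; p=none",
    "www.example.edu": "A 192.0.2.3",         # exists, no record of its own
}
# Same organization relying on np= alone: existing subdomains fall to p=none.
ZONE_NP = {**ZONE_SP, "_dmarc.example.edu": "v=DMARC1; p=none; np=reject"}

if __name__ == "__main__":
    for zone in (ZONE_SP, ZONE_NP):
        for d in ("lists.example.edu", "www.example.edu", "nosuch.example.edu"):
            print(d, policy_for(d, zone))
```

With ZONE_SP the unlisted-but-existing www.example.edu is rejected via sp=, whereas with ZONE_NP only the non-existent name is caught, which is the gap the quoted message points at.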
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc