On June 28, 2022 4:33:15 PM UTC, Alessandro Vesely <ves...@tana.it> wrote:
>On Mon 27/Jun/2022 15:54:51 +0200 John R Levine wrote:
>>> Please recall what you said in April:
>>>
>>> How about if we say that if the initial domain has psd=y, that's the org
>>> domain and you don't look anywhere else. That is easy to explain and I
>>> don't think we are likely to find anything that better matches the
>>> expectations of people who send mail from PSDs.
>>> https://mailarchive.ietf.org/arch/msg/dmarc/UEwREV5oDD0BoyNpaUB9GN6ixtI
>>
>> I thought about it some more and changed my mind. That occasionally happens.
>
>
>Right, but how about discussing the merit of it?
>
>What can one find continuing the walk after psd=y?
>
>For example, let's consider an imaginary bank, com.bank, say. They use that
>domain as corporate domain, and have a DMARC record. They also delegate zones
>to local subsidiaries. One of them, uk.com.bank in turn delegates to other
>banks in the UK and sends mail like uk.com. So you may end up having a DMARC
>record at each level:
>
>bank -> psd=y,
>com.bank -> psd=n or psd=u (for private use),
>uk.com.bank -> psd=y.
>
>Does our model support that? How else should they set their records up?

I think that's sufficiently obscure that I doubt we care, but I think it is supported just fine. The only nuance is that in this scenario, mail that is 5322.from uk.com.bank would have to use 5321.mailfrom and DKIM d= uk.com.bank. Subdomains wouldn't align, which I think is fine.

The operational distinction between a PSD and a non-PSD is that subdomains of a PSD are different organizations and subdomains of non-PSDs are part of the same organization. I believe that's the correct distinction.

Scott K