This is about Ale's question about handling the situation where the tree walk starts on a PSD=y entry:
When the tree walk starts at a PSD=Y record, the appropriate response is to treat it as a self-contained organization (PSD=N) and force alignment to STRICT for both SPF and DKIM. This rule applies naturally to PSDs, and to the private registries which are implemented as a single label.

The question becomes: Are there private registry organizations which:
- have a multi-label structure so that relaxed alignment is feasible, and
- have a need to send email from a leaf domain name with PSD=Y, and
- have a need to authenticate those messages using a different domain and relaxed alignment?

This combination is certainly possible, but I suspect it is rare. More importantly, I think it is necessary to inconvenience private registries which have that special case, simply for the technical convenience of using a single token and the security benefit of knowing that other PSD=Y entries are handled safely.

Does this work for everyone? I actually thought that some version of this had been agreed previously.

Doug

On Sat, Jul 16, 2022 at 7:16 AM Alessandro Vesely <ves...@tana.it> wrote:

> On Fri 15/Jul/2022 18:03:36 +0200 John Levine wrote:
> > On Fri, 15 Jul 2022, Alessandro Vesely wrote:
> >> Organizational Domains are defined as PSD+1, and can have DMARC records
> >
> > I think this would be a good time to review the way relaxed alignment
> > works in sections 4.5 through 4.8 of the draft.
>
> I think this statement in 4.8 is inexact:
>
> OLD:
>     If this process does not determine the Organizational Domain, then
>     the initial target domain is the Organizational Domain.
>
> NEW:
>     If this process does not determine the Organizational Domain, then
>     the initial target domain is the Organizational Domain, unless it
>     is a PSD.
>
> Indeed, since we said an org domain is PSD+1, a PSD cannot be an org
> domain. OTOH, you can happen to start the process with a PSD.
>
> Perhaps we should take a position of treating a domain as if it were
> an org domain albeit it isn't, for uk.com and similar?
>
> > Perhaps 0.01% of the time, a tree walk will find a record with a psd
> > tag. The other 99.99% of the time it's the shortest name with a DMARC
> > record, and PSDs are completely irrelevant.
>
> Yes, you seem to be repeating this argument and I'm unable to grasp
> its implication. The Internet itself wouldn't exist if there were no
> PSDs, however rare. Programmers have to know what to do when they
> find one.
>
> Best
> Ale
> --
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
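The rule proposed in the message above, sketched as an added example that is not code from the thread or from the draft. The `RECORDS` table, the function names, the simplified walk (no DNS, no label limit) and the choice to force strict alignment when either domain's walk starts on psd=y are assumptions made for illustration.

```python
# Constructed sample data: domain -> psd tag of its DMARC record
# ("u" = tag absent). Stands in for DNS lookups of _dmarc.<domain>.
RECORDS = {
    "uk.com": "y",          # private registry publishing psd=y
    "example.uk.com": "u",
    "corp.example": "n",
}


def org_domain(start, records=RECORDS):
    """Return (organizational_domain, force_strict) for `start`."""
    labels = start.lower().rstrip(".").split(".")
    # Names visited by the walk, from the starting domain upward.
    names = [".".join(labels[i:]) for i in range(len(labels))]
    found = [(n, records[n]) for n in names if n in records]

    # Rule from the message: a walk that starts on psd=y treats that
    # domain as its own organization and forces strict alignment.
    if found and found[0] == (names[0], "y"):
        return names[0], True

    for name, psd in found:
        if psd == "n":
            return name, False
        if psd == "y":
            # PSD found above the start: org domain is one label below it.
            return names[names.index(name) - 1], False
    # No psd=y/n seen: record with the fewest labels, else the start itself.
    return (found[-1][0] if found else names[0]), False


def aligned(author, auth, records=RECORDS):
    """Alignment of one SPF or DKIM domain, assuming relaxed mode was requested."""
    a_org, a_strict = org_domain(author, records)
    b_org, b_strict = org_domain(auth, records)
    if a_strict or b_strict:
        return author.lower() == auth.lower()   # strict: exact match only
    return a_org == b_org                        # relaxed: same org domain
```

With this table, mail sent as `uk.com` aligns only with `uk.com` itself, while names under `example.uk.com` keep relaxed alignment with each other.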