On Mon 29/Aug/2022 17:27:07 +0200 Scott Kitterman wrote:
On Monday, August 29, 2022 7:50:18 AM EDT Douglas Foster wrote:

Some organizations have subtrees within their DNS structure that represent client sub-organizations, which are unaffiliated for purposes of relaxed authentication. [...]

The only reason to use psd=n is if the entity above yours in the DNS tree has a DMARC record without psd=y and is an actual PSD.

It can also be a branch claiming independence. I agree this is quite unlikely, as orgs tend to manage the DNS separately from email, but could happen.


When we discussed this before, we concluded that while the current protocol definition does technically support embedded PSDs lower in the tree below DMARC organization domains, it's not something that actually happens.


"The future has a way of arriving unannounced." —George Will


[...]

It doesn't matter if a PSD (with psd=y) that sends mail specifies adkim/aspf=s. Given the current design, an exact match is all that will ever align. While I agree actually putting adkim/aspf=s in a PSD's DMARC record would be clearer for human interpretation, for the machines they don't matter. I don't believe there's any benefit to specifying them.


Is it so? My understanding is that psd=y is ignored when it is the first step in a tree walk. That way you can have From: u...@psd.example.com authenticated by d=example.com, or helo=mailout.example.com on a bounce.

A couple of convoluted examples like that wouldn't hurt. They won't confuse people since everybody will skip them. Yet, in case discussions like this arise in the future, pointing to an example can solve them.


Best
Ale
--







_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
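
The two readings of psd=y debated in this thread, shown side by side as an added example that is not part of any poster's message or of the DMARC draft. It is a simplified organizational-domain selection over constructed records; the `skip_psd_at_start` flag, the function names and the zone data are assumptions, and DNS lookups and the tree walk's label-count shortcut are omitted.

```python
# Constructed zone data (not real DNS): name -> psd tag of its DMARC record.
RECORDS = {
    "psd.example.com": "y",  # branch that declares itself a PSD
    "example.com": "u",      # ordinary record with no psd tag
}

def tree_walk(domain, records):
    """DMARC records found from `domain` up to the TLD, longest name first."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]
    return [(n, records[n]) for n in names if n in records]

def org_domain(domain, records, skip_psd_at_start=True):
    """Select the organizational domain for `domain`.

    skip_psd_at_start=True: psd=y on the starting name is ignored.
    skip_psd_at_start=False: psd=y on the starting name ends the walk, so
    the name is its own organizational domain (assumed reading).
    """
    start = domain.lower().rstrip(".")
    labels = start.split(".")
    found = tree_walk(start, records)
    for name, psd in found:
        if psd == "n":
            return name
        if psd == "y":
            if name == start:
                if skip_psd_at_start:
                    continue
                return start
            # Organizational domain is one label below the PSD.
            depth = name.count(".") + 1
            return ".".join(labels[-(depth + 1):])
    # No psd=n / psd=y decided it: take the shortest name with a record.
    return found[-1][0] if found else None

def relaxed_aligned(from_domain, auth_domain, records, **kw):
    """Relaxed alignment: both names share one organizational domain."""
    a = org_domain(from_domain, records, **kw)
    b = org_domain(auth_domain, records, **kw)
    return a is not None and a == b

if __name__ == "__main__":
    for skip in (True, False):
        ok = relaxed_aligned("psd.example.com", "example.com", RECORDS,
                             skip_psd_at_start=skip)
        print(f"skip_psd_at_start={skip}: aligned={ok}")
```

Names below the PSD, such as `a.psd.example.com`, resolve to themselves under either reading, so they align neither with each other nor with `example.com`.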
