On 3/1/2023 6:12 AM, Douglas Foster wrote:

> A sub-issue to consider: Should we do a Tree Walk on the authenticating 
> domain?
> For example, assume that "virginia.gov" and "dmas.virginia.gov" both have 
> DMARC policies with relaxed alignment. Should "dmas.virginia.gov" be 
> prohibited from authenticating "virginia.gov"?
> My gut says yes, but it adds some overhead to enforce that rule.

My gut says that might break ESPs who are using subdomains for SPF relaxed 
alignment. Unless you are saying that it's safe for treewalk changes to break 
MAILFROM=bounces.dmas.virginia.gov rfc5322.From=virginia.gov, then maybe there 
is some data to suggest that it is rare.

Dare I suggest that virginia.gov be able to define the subdomains to which SPF 
relaxed alignment should apply? As a domain owner, I might be inclined to 
reserve something like bounces.virginia.gov for all MAIL FROM sub-sub-domains 
that are used for delegating ESP traffic and manage it similar to DKIM 
selectors. aspf=s for any subdomains that aren't otherwise defined.

In my experience talking to state governments (as well as reflecting back on my 
own time in state government), domain owners are seeing a lot of ESP usage 
sprawl among their sub-domains/agencies/departments and they are frustrated 
that they can't manage or govern it effectively. In this late stage of the 
game, they won't be able to publish aspf=s to keep agencies from delegating ESP 
usage of virginia.gov when the domain owner would otherwise not want them to.

Jesse
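The alignment cases argued over in this thread, as an added worked example that is not part of the list discussion or of any DMARC implementation. It evaluates SPF identifier alignment in strict and relaxed mode, locates the organizational domain with a simplified tree walk over a constructed set of DMARC records (the records, the tiny public-suffix stand-in, the `nearest` switch used to model the "tree walk on the authenticating domain" sub-issue, and the `aligned_with_relaxed_scope` policy modelling the proposal to reserve a MAIL FROM parent for ESP traffic are all assumptions of this example, not DMARC or DMARCbis semantics).

```python
"""Added example: DMARC SPF identifier alignment (RFC 7489 style strict/relaxed)
with a simplified tree walk for the organizational domain.  Everything here is
constructed for illustration; the DNS table is an in-memory dict."""

# Constructed DMARC records keyed by domain (assumption: both publish aspf=r).
DMARC_RECORDS = {
    "virginia.gov": "v=DMARC1; p=reject; aspf=r",
    "dmas.virginia.gov": "v=DMARC1; p=quarantine; aspf=r",
}

# Tiny stand-in for the public suffix list (assumption, not the real PSL).
PUBLIC_SUFFIXES = {"gov", "com"}


def labels(domain):
    return domain.lower().rstrip(".").split(".")


def ancestors(domain):
    """Yield the domain, then each parent, stopping before the public suffix."""
    parts = labels(domain)
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in PUBLIC_SUFFIXES:
            return
        yield candidate


def org_domain(domain, nearest=False):
    """Simplified tree walk (assumption): by default the organizational domain is
    the DMARC-publishing ancestor closest to the public suffix.  nearest=True
    instead takes the first publishing domain met while walking up, which models
    the sub-issue of letting dmas.virginia.gov's own record capture its children."""
    publishers = [d for d in ancestors(domain) if d in DMARC_RECORDS]
    if not publishers:
        # No record anywhere: fall back to "one label below the suffix".
        return ".".join(labels(domain)[-2:])
    return publishers[0] if nearest else publishers[-1]


def aspf_mode(from_domain):
    """Read the aspf tag from the RFC5322.From domain's record; default is relaxed."""
    record = DMARC_RECORDS.get(from_domain.lower().rstrip("."), "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("aspf", "r").strip()


def aligned(from_domain, spf_domain, mode="r", nearest=False):
    """Strict: exact match of the two identifiers.  Relaxed: same organizational
    domain.  `nearest` is applied to both identifiers so the check stays symmetric."""
    f = from_domain.lower().rstrip(".")
    s = spf_domain.lower().rstrip(".")
    if mode == "s":
        return f == s
    return org_domain(f, nearest) == org_domain(s, nearest)


def aligned_with_relaxed_scope(from_domain, spf_domain, relaxed_parents):
    """Hypothetical policy (not a DMARC tag): the domain owner lists the MAIL FROM
    parents under which relaxed alignment is honoured; any other MAIL FROM domain
    is evaluated as if aspf=s."""
    s = spf_domain.lower().rstrip(".")
    if any(s == p or s.endswith("." + p) for p in relaxed_parents):
        return aligned(from_domain, s, "r")
    return aligned(from_domain, s, "s")


if __name__ == "__main__":
    hdr_from, mail_from = "virginia.gov", "bounces.dmas.virginia.gov"
    mode = aspf_mode(hdr_from)
    print(f"aspf={mode}: {mail_from} vs {hdr_from} ->",
          aligned(hdr_from, mail_from, mode))                    # True
    print("same, tree walk captured by dmas.virginia.gov ->",
          aligned(hdr_from, mail_from, mode, nearest=True))      # False
    print("strict ->", aligned(hdr_from, mail_from, "s"))        # False
    scope = ["bounces.virginia.gov"]
    print("reserved parent, esp1.bounces.virginia.gov ->",
          aligned_with_relaxed_scope(hdr_from, "esp1.bounces.virginia.gov", scope))  # True
    print("reserved parent, bounces.dmas.virginia.gov ->",
          aligned_with_relaxed_scope(hdr_from, mail_from, scope))                    # False
```

Running it shows the trade-off in the thread directly: the ESP pattern MAIL FROM bounces.dmas.virginia.gov / From virginia.gov passes today's relaxed check, fails once the authenticating domain's own DMARC record becomes its organizational domain, and under the reserved-parent policy passes only when the ESP is placed under the parent the domain owner chose.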
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
