On March 1, 2023 3:08:16 PM UTC, Jesse Thompson <z...@fastmail.com> wrote:
>On 3/1/2023 6:12 AM, Douglas Foster wrote:
>
>> A sub-issue to consider:   Should we do a Tree Walk on the authenticating 
>> domain?
>> For example, assume that "virginia.gov" and "dmas.virginia.gov" both have 
>> DMARC policies with relaxed alignment.   Should "dmas.virginia.gov" be 
>> prohibited from authenticating "virginia.gov"?
>> My gut says yes, but it adds some overhead to enforce that rule.
>
>My gut says that might break ESPs who are using subdomains for SPF relaxed 
>alignment. Unless you are saying that it's safe for treewalk changes to break 
>MAILFROM=bounces.dmas.virginia.gov rfc5322.From=virginia.gov, then maybe there 
>is some data to suggest that it is rare.
>
>Dare I suggest that virginia.gov be able to define the subdomains to which SPF 
>relaxed alignment should apply? As a domain owner, I might be inclined to 
>reserve something like bounces.virginia.gov for all MAIL FROM sub-sub-domains 
>that are used for delegating ESP traffic and manage it similar to DKIM 
>selectors. aspf=s for any subdomains that aren't otherwise defined.
>
>In my experience talking to state governments (as well as reflecting back on 
>my own time in state government), domain owners are seeing a lot of ESP usage 
>sprawl among their sub-domains/agencies/departments and they are frustrated 
>that they can't manage or govern it effectively. In this late stage of the 
>game, they won't be able to publish aspf=s to keep agencies from delegating 
>ESP usage of virginia.gov when the domain owner would otherwise not want them 
>to.
>

If an org domain doesn't want to have subdomains used, then they need to use 
strict alignment.  There's no need to turn relaxed alignment into some sort of 
almost strict, but more complicated.  We've gotten this far without redesigning 
alignment, let's not start now.  As far as I remember, it's still the same as 
RFC 7489 and that's a good thing.

Scott K
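The alignment rules the thread is arguing about, worked through on its own example domains. This is an added illustration, not code from the thread or from any DMARC implementation. It assumes a constructed three-entry stand-in for the Public Suffix List (PUBLIC_SUFFIXES) and constructed DMARC records for virginia.gov and dmas.virginia.gov; the function names are mine.

```python
# Added worked example: RFC 7489 identifier alignment on the thread's domains.
# Illustration code, not from the thread or any DMARC implementation.

# Constructed stand-in for the Public Suffix List (PSL). A real RFC 7489
# verifier loads the full list; DMARCbis replaces the PSL lookup with a DNS
# tree walk, but the alignment comparison below is the same either way.
PUBLIC_SUFFIXES = {"gov", "com", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Organizational Domain per RFC 7489 section 3.2: the longest matching
    public suffix plus the one label immediately to its left."""
    labels = domain.lower().rstrip(".").split(".")
    # i == 0 tests the longest candidate suffix first.
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1).

    authenticated_domain is the RFC5321.MailFrom domain (for SPF) or the
    DKIM d= domain; from_domain is the RFC5322.From domain; mode is the
    policy's aspf/adkim tag value: 'r' (relaxed) or 's' (strict).
    """
    a = authenticated_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    if mode == "r":
        return organizational_domain(a) == organizational_domain(f)
    raise ValueError(f"unknown alignment mode {mode!r}")


# Constructed DMARC records for the thread's example domains (not real DNS).
DMARC_RECORDS = {
    "virginia.gov": {"v": "DMARC1", "p": "reject", "aspf": "r"},
    "dmas.virginia.gov": {"v": "DMARC1", "p": "reject", "aspf": "r"},
}


def policy_for(from_domain: str, records: dict) -> dict:
    """RFC 7489 section 6.6.3: look up _dmarc.<From domain>; if there is no
    record there, fall back to _dmarc.<Organizational Domain>. Only the
    RFC5322.From domain's policy matters; the MAIL FROM domain's own
    record (dmas.virginia.gov here) is never consulted for alignment."""
    return records.get(from_domain) or records.get(organizational_domain(from_domain), {})


def spf_aligned(mail_from_domain: str, from_domain: str,
                records: dict = DMARC_RECORDS) -> bool:
    # aspf defaults to relaxed when the tag is absent.
    mode = policy_for(from_domain, records).get("aspf", "r")
    return aligned(mail_from_domain, from_domain, mode)


if __name__ == "__main__":
    # Jesse's ESP case: bounce domain several labels below the From domain.
    print(spf_aligned("bounces.dmas.virginia.gov", "virginia.gov"))  # True under aspf=r
    # Douglas's case: the subdomain has its own DMARC record, but under
    # RFC 7489 that record does not change how it aligns with virginia.gov.
    print(spf_aligned("dmas.virginia.gov", "virginia.gov"))  # True under aspf=r
    # Scott's point: the domain owner's existing lever is aspf=s.
    strict = {"virginia.gov": {"v": "DMARC1", "p": "reject", "aspf": "s"}}
    print(spf_aligned("bounces.dmas.virginia.gov", "virginia.gov", strict))  # False
    # Strict still lets the exact domain authenticate itself.
    print(spf_aligned("virginia.gov", "virginia.gov", strict))  # True
```

Note that adding or deleting the dmas.virginia.gov record changes nothing in the relaxed case: RFC 7489 takes aspf from the From domain's policy (or its Organizational Domain's), so the only published setting that stops bounces.dmas.virginia.gov from aligning with virginia.gov is aspf=s on virginia.gov. Whether a DMARCbis tree walk over the authenticating domain should change that is exactly the question left open above.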

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc