Given that the PSL is subject to errors, it is reasonable to warn senders that "Because of the risk of PSL errors, some evaluators MAY NOT accept some or all forms of relaxed alignment as acceptable authentication." Technically, this is just stating the obvious, since evaluators MAY do whatever they want.

Then the inference from that warning is: "Senders SHOULD avoid configurations that depend on the PSL for authentication. This is accomplished by publishing a DMARC policy on both the organizational domain and any mail-sending subdomains, and by using strict alignment on those policies."

But strict alignment will be burdensome for some configurations, so an intermediate solution would be:

- Define an optional "organizational domain" token for DMARC policies. If present, it must be equal to or a parent of the current domain.
- If the token is provided AND matches the PSL, then the organizational domain is considered safe for relaxed alignment. If the token is provided but does not match the PSL, then the longer of the two domain names will be used for relaxed alignment.

By using same-domain DMARC policy, senders permit improved efficiency for evaluators while protecting both senders and evaluators from PSL errors.

Doug Foster
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
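To make the proposal in the message above concrete, here is an added worked example in Python; it is illustrative code written for this page, not code from the poster or from any DMARC implementation. It assumes a miniature, constructed public suffix list (not the real PSL, and without wildcard or exception rules), a hypothetical policy token named `od`, and one reading of "the longer of the two domain names will be used for relaxed alignment": the authenticated identifier must equal that domain or be a subdomain of it. The PSL-error scenario uses constructed names under `hosting.net`, where the mini PSL is missing an entry that a real hosting provider would want.

```python
"""Relaxed alignment with an optional organizational-domain token (illustration)."""

# Constructed miniature public suffix list for this example only. A real PSL
# also carries wildcard (*.example) and exception (!example) rules, omitted here.
MINI_PSL = {"com", "org", "net", "uk", "co.uk"}


def org_domain_from_psl(domain: str, psl=MINI_PSL) -> str:
    """Organizational domain as RFC 7489 section 3.2 derives it:
    longest matching public suffix, plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in psl:
            if i == 0:
                return suffix            # the name itself is a public suffix
            return ".".join(labels[i - 1 :])
    return ".".join(labels)              # no match: whole name is the org domain


def is_same_or_parent(candidate: str, domain: str) -> bool:
    """True if candidate equals domain or is an ancestor of it."""
    return candidate == domain or domain.endswith("." + candidate)


def od_token_is_valid(policy_domain: str, od_token: str) -> bool:
    """Proposal rule: the token must equal or be a parent of the policy domain."""
    return is_same_or_parent(od_token.lower().rstrip("."),
                             policy_domain.lower().rstrip("."))


def alignment_domain(policy_domain: str, od_token=None, psl=MINI_PSL) -> str:
    """Domain the evaluator uses as the relaxed-alignment anchor.

    - no token           -> PSL-derived organizational domain (today's behaviour)
    - token == PSL value -> that domain, now confirmed by both sources
    - token != PSL value -> the longer (more specific) of the two names
    """
    policy_domain = policy_domain.lower().rstrip(".")
    psl_org = org_domain_from_psl(policy_domain, psl)
    if od_token is None:
        return psl_org
    if not od_token_is_valid(policy_domain, od_token):
        raise ValueError("od token must equal or be a parent of the policy domain")
    od = od_token.lower().rstrip(".")
    if od == psl_org:
        return od
    # Both names are suffixes of policy_domain, so the longer one is the more
    # specific; it wins so that a PSL omission cannot widen alignment.
    return max(od, psl_org, key=len)


def relaxed_aligned(auth_domain: str, policy_domain: str,
                    od_token=None, psl=MINI_PSL) -> bool:
    """Assumed reading of the proposal: the authenticated identifier (SPF or
    DKIM d=) must equal the alignment domain or sit underneath it."""
    target = alignment_domain(policy_domain, od_token, psl)
    return is_same_or_parent(target, auth_domain.lower().rstrip("."))


def strict_aligned(auth_domain: str, policy_domain: str) -> bool:
    """Strict alignment: exact match only, no PSL involved at all."""
    return auth_domain.lower().rstrip(".") == policy_domain.lower().rstrip(".")


if __name__ == "__main__":
    # Constructed scenario: the mini PSL lacks "hosting.net", so two unrelated
    # customers of that provider look like one organization to the PSL.
    print(relaxed_aligned("other-customer.hosting.net", "victim.hosting.net"))
    # With the customer publishing od=victim.hosting.net the evaluator narrows
    # the anchor, and the cross-customer identifier no longer aligns.
    print(relaxed_aligned("other-customer.hosting.net", "victim.hosting.net",
                          od_token="victim.hosting.net"))
```

The point of the token is visible in the last two calls: without it, an evaluator trusting an incomplete PSL accepts any sibling under the provider's name; with it, the longer name is used and only the domain owner's own subdomains align, while an ordinary `example.com` sender loses nothing because its token and the PSL agree.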