I’d say it’s best practice to have separate subdomain policies. We should encourage it.
foo.example.com is spoofed by one vendor most likely, so switching vendors isn’t too big a task. No need to roll example.com back to none. Just roll foo back. It’s clearly a better way to go.
Set things up so when you make changes, you open up a tiny security hole for as short a time as possible. So if dmarcbis encourages subdomain DMARC policies then let’s encourage that with clear words and clear policies.

On Oct 7, 2023, at 11:44 AM, Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:
No, this is not a false positive. The PSL put all of the identifiers in a 2LD organization, which I reviewed and judged to be correct.
The problem happens when Mail From u...@bounce.example.com authenticates u...@example.com and both domains have DMARC policies. Removing the lower policy is the only remedy. For SPF, this pattern of child-authenticates-parent is quite common. Having multiple DMARC policies is less common.
Again, what previous data was presented to justify the consensus that we would see no problems?
Doug
In message <CAH48Zfyowa3nnXf2bn59R01LqXq-=kMFNPS6=46Py2c-hgv...@mail.gmail.com>, Douglas Foster <dougfoster.emailstandards@gmail.com> writes
> So initially, I am asking for a comparison between my results and
> the data used to justify the asserted consensus.
if you published the data (just the right hand side of relevant
addresses is needed) we could check your working ...
> Was 2% previously observed and judged acceptable? Were the
> previous error rates judged acceptable because they were computed
> using a different denominator definition?
clearly if you get 10 messages from odd-domain and 10 messages from
Google then you will see a different percentage than someone who gets 3
(or some days 0) messages from odd-domain and 1000000 from Google ...
but provided odd-domain isn't just sending to you then any large mailbox
provider should have seen enough mail to provide a sensible measure of
the impact by counting domains not %age of overall mail.
> With our present design, the necessary response to these errors is
> for the domain owner to remove intermediate DMARC policies.
that's strange ... isn't the intent of the new scheme to encourage
subdomain owners to add them !
I do wonder if this is the PSL raising its ugly head again. A remarkable
number of the people who have added entries have not understood how they
now need to publish rather more DNS records than previously ...
--
Richard Clayton
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc