On Fri, Oct 20, 2023 at 12:05 AM OLIVIER HUREAU <
olivier.hur...@univ-grenoble-alpes.fr> wrote:

> I don't understand the choice made when writing the point 6. of the policy
> discovery mechanism (Dmarcbis :
> https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-28.html#section-4.7
> )
>
> ```
> If a retrieved policy record does not contain a valid "p" tag, or
> contains an "sp" or "np" tag that is not valid, then:
>
> *  If a "rua" tag is present and contains at least one syntactically
>   valid reporting URI, the Mail Receiver MUST act as if a record
>   containing "p=none" was retrieved and continue processing;
>
> *  Otherwise, the Mail Receiver applies no DMARC processing to this
>   message.
> ```
>
> According to this text, the record :
> 'v=DMARC1; p=reject; sp=quarantin;'  (an 'e' is missing at 'quarantine')
> MUST be interpreted as 'v=DMARC1; p=none;' because the "sp" tag is not
> valid.
>
> It implies that domain name owners who had made a spelling mistake on the
> sp tag see their 'p' tag downgraded to 'none'.
> Even though the domain owner will receive the aggregate report containing
> the 'p' DispositionType, I am not sure he/she will catch the issue.
>
> I would then propose to set the invalid tag to none instead of the 'p' tag
> such as :
>
> [Old Version]
> *  If a "rua" tag is present and contains at least one syntactically
>   valid reporting URI, the Mail Receiver MUST act as if a record
>   containing "p=none" was retrieved and continue processing;
> [/Old Version]
>
> [Proposition]
> *  If a "rua" tag is present and contains at least one syntactically
>   valid reporting URI, the Mail Receiver MUST act as if the invalid tag
> was set to none and continue processing;
> [/Proposition]
>
> The situation for RFC 7489 is slightly the same, with the keyword SHOULD
> instead of MUST:
> https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.3
>

A couple of things here:

(1) As written, the text says (to me) that the handling of a message might
change depending on this mapping of a broken value to "none", but only if
"rua" is present; absent "rua", the record is treated as junk and DMARC
doesn't apply.  That seems a peculiar decision tree to me.  We might want
to tease these apart: Does the policy handling change in the presence of a
typo, or does the reporting logic change, or both?  And don't gate it on
the "rua" tag.  (And if "quarantine" is misspelled, how do we know "rua"
isn't?)

(2) Mapping a misspelled "reject" or "quarantine" to "none" even only in
the report will be confusing; the domain owner will be told there's a
"none" out there when there isn't.  A non-thorough domain owner might
conclude that the receiver is broken and not debug their problem.  The
guidance here ought to result in the report indicating somehow that the
receiver assumed "none" because what it extracted from the DNS appeared to
be junk.  Should the report include a mechanism making this explicit?

-MSK, participating
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
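The two readings debated in this thread, the draft's section 4.7 text and the alternative from the original post, can be made concrete with a small record handler. The code below is an added example and is not code from the dmarcbis draft, RFC 7489, or either participant. It assumes a simplified "syntactically valid reporting URI" test (a mailto: URI containing "@"), takes the tag defaults from the draft (sp defaults to p, np defaults to sp), and invents the `assumed_none` and `note` fields to carry the information a receiver could surface in its aggregate report, which the draft does not define. The rua address in the sample records is constructed.

```python
"""DMARC policy-record handling for malformed "p"/"sp"/"np" tags.

Added example; not code from the dmarcbis draft, RFC 7489 or anyone in this
thread.  Assumptions made here:
  * the "syntactically valid reporting URI" test is simplified to "a mailto:
    URI containing '@'";
  * tag defaults follow the draft: sp defaults to p, np defaults to sp;
  * 'assumed_none' and 'note' are fields this example invents to carry what a
    receiver could expose in its aggregate report; the draft defines no such
    field.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict.  Parts without '=' are
    skipped; a duplicated tag keeps its first value."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags.setdefault(name.strip().lower(), value.strip())
    return tags


def has_valid_rua(tags: Dict[str, str]) -> bool:
    """Simplified URI check (assumption): at least one comma-separated
    mailto: URI with an '@' in it."""
    uris = [u.strip() for u in tags.get("rua", "").split(",")]
    return any(u.lower().startswith("mailto:") and "@" in u for u in uris if u)


@dataclass
class PolicyResult:
    apply_dmarc: bool                  # False: receiver applies no DMARC processing
    p: Optional[str] = None            # effective policy for the domain itself
    sp: Optional[str] = None           # effective policy for existing subdomains
    np: Optional[str] = None           # effective policy for non-existent subdomains
    invalid_tags: List[str] = field(default_factory=list)
    assumed_none: bool = False         # a bad tag was read as "none" (invented field)
    note: str = ""                     # explanation a report could carry (invented)


def effective_policy(txt: str, reading: str = "dmarcbis") -> PolicyResult:
    """reading="dmarcbis": the draft's section 4.7 text (whole record becomes
    p=none).  reading="proposal": the alternative from the original post
    (only the invalid tag becomes none)."""
    tags = parse_dmarc_record(txt)
    if tags.get("v") != "DMARC1":
        return PolicyResult(False, note="missing or wrong v= tag")

    # "p" must be present and valid; "sp"/"np" only matter when present.
    bad = [t for t in ("p", "sp", "np")
           if (t == "p" or t in tags) and tags.get(t) not in VALID_POLICIES]
    if not bad:
        p = tags["p"]
        sp = tags.get("sp", p)
        return PolicyResult(True, p, sp, tags.get("np", sp))

    if not has_valid_rua(tags):
        # Draft text, second bullet: no usable rua, so no DMARC processing.
        return PolicyResult(False, invalid_tags=bad,
                            note="invalid %s and no usable rua; record ignored"
                            % ",".join(bad))

    if reading == "dmarcbis":
        # Draft text, first bullet: act as if "p=none" had been retrieved.
        return PolicyResult(True, "none", "none", "none", invalid_tags=bad,
                            assumed_none=True,
                            note="invalid %s; whole record treated as p=none"
                            % ",".join(bad))

    # Proposal: only the invalid tag is read as "none"; defaults still cascade.
    p = "none" if "p" in bad else tags["p"]
    sp = "none" if "sp" in bad else tags.get("sp", p)
    np = "none" if "np" in bad else tags.get("np", sp)
    return PolicyResult(True, p, sp, np, invalid_tags=bad, assumed_none=True,
                        note="invalid %s read as none" % ",".join(bad))


if __name__ == "__main__":
    # Constructed records: the one from the original post, without and with
    # a (constructed) rua address.
    typo_no_rua = "v=DMARC1; p=reject; sp=quarantin;"
    typo_with_rua = "v=DMARC1; p=reject; sp=quarantin; rua=mailto:dmarc@example.com"
    for rec in (typo_no_rua, typo_with_rua):
        for reading in ("dmarcbis", "proposal"):
            print(reading, "|", rec, "->", effective_policy(rec, reading))
```

Running it shows the point raised in the reply: the record from the original post, as written without a "rua" tag, is not downgraded to p=none under the draft text but is ignored entirely; only once a usable "rua" is present does the typo turn p=reject into p=none (draft reading) or leave p=reject and set just sp to none (proposal reading). The `assumed_none` flag and `note` are one way a receiver could make that substitution explicit to the domain owner rather than reporting a bare "none".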