On Sun 16/Jun/2024 16:38:48 +0200 Tobias Fiebig via mailop wrote:
>> You'd need several domains, all having a rua= pointing to you. I'd
>> donate a (sub) domain to that effort. I'm donating a couple of
>> domains to Project Honey Pot. Unlike that project, however, in this
>> case donated domains will have to actively send replies.
>
> Actually LUA records with powerdns should suffice; similar to what is
> already being done for the DNS tests:
>
> dig MX sometext.uniq.measurement.email-security-scans.org \
>   @dns.measurement.email-security-scans.org
>
> So, creating something like
> _dmarc.<uniqid>.dmarcfail.measurement.email-security-scans.org, and
> only sending the mails after at least N mails for the test have been
> successfully received.

In theory, that's correct. However, we'd need both domains matching the PSL as
well as domains matching tree walks. I'm not familiar with PowerDNS, but
clients will query their usual DNS servers and resolve. Setting up domains
correctly won't be easy.

_dmarc.sometext.uniq.measurement.email-security-scans.org -> v=spf1 mx ip4:195.191.197.88 ip6:2a06:d1c0:dead:3::88 -all
_dmarc.uniq.measurement.email-security-scans.org -> v=spf1 mx ip4:195.191.197.88 ip6:2a06:d1c0:dead:3::88 -all
_dmarc.measurement.email-security-scans.org -> v=spf1 mx ip4:195.191.197.88 ip6:2a06:d1c0:dead:3::88 -all
_dmarc.email-security-scans.org -> v=DMARC1; p=reject; rua=mailto:dm...@aperture-labs.org

There will also be confirmation RRs for rua= at external domains (some will
have to not be confirmed, to check for that check).
Some subdomains will have DMARC records, some not. Perhaps, some mails can be
sent from real IPs, if their owners are not afraid to be blacklisted.
I agree the same effect can be obtained by creating lots of subdomains, but
that won't work for filters still using the PSL.
In addition, having domain donors might boost cooperation.
Best
Ale
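
The difference between PSL-based and tree-walk policy discovery discussed in this message, as an added example that is not part of the original thread. The zone data is constructed: the mid-level DMARC record and the rua address are placeholders, and the tree walk is simplified (the draft's shortcut for names with many labels and the psd= tag handling are omitted).

```python
# Constructed TXT data modelled on the records quoted in the message.
ZONE = {
    "_dmarc.sometext.uniq.measurement.email-security-scans.org": ["v=spf1 mx -all"],
    "_dmarc.uniq.measurement.email-security-scans.org": ["v=spf1 mx -all"],
    # Hypothetical mid-level test record, not taken from the thread.
    "_dmarc.measurement.email-security-scans.org": ["v=DMARC1; p=none"],
    # Placeholder rua address; the real one is elided in the message.
    "_dmarc.email-security-scans.org":
        ["v=DMARC1; p=reject; rua=mailto:reports@example.invalid"],
}


def dmarc_records(name, zone=ZONE):
    """Return the TXT strings at `name` that are DMARC records.

    Anything whose first tag is not exactly v=DMARC1 (for instance an SPF
    string answered at a _dmarc name) is discarded by the verifier.
    """
    found = []
    for txt in zone.get(name, []):
        tag, _, value = txt.split(";", 1)[0].partition("=")
        if tag.strip() == "v" and value.strip() == "DMARC1":
            found.append(txt)
    return found


def psl_queries(author_domain, org_domain):
    """PSL-style discovery: the author domain, then its organizational domain."""
    names = ["_dmarc." + author_domain]
    if org_domain != author_domain:
        names.append("_dmarc." + org_domain)
    return names


def tree_walk_queries(author_domain):
    """Simplified tree walk: strip one left-most label per step, up to the TLD."""
    labels = author_domain.split(".")
    return ["_dmarc." + ".".join(labels[i:]) for i in range(len(labels))]


def discover(names, zone=ZONE):
    """Return (name, record) for every queried name holding a DMARC record."""
    return [(n, r) for n in names for r in dmarc_records(n, zone)]


if __name__ == "__main__":
    author = "sometext.uniq.measurement.email-security-scans.org"
    print("PSL :", discover(psl_queries(author, "email-security-scans.org")))
    print("walk:", discover(tree_walk_queries(author)))
```

A PSL-based verifier never asks for the record at measurement.email-security-scans.org, so a test that relies on mid-level records only exercises tree-walking verifiers.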