Re: [dmarc-ietf] Tree walk in -06
On March 24, 2022 12:01:39 PM UTC, Alessandro Vesely wrote:
>On Wed 23/Mar/2022 12:08:16 +0100 Douglas Foster wrote:
>> But we do have a difference between PSOs, which never send mail, and private
>> registrars, which may or may not send mail from the domain or subdomain used as
>> a private registration point. It seems desirable to resolve this ambiguity so
>> that we can reliably know that a true PSO cannot be impersonated, while
>> allowing private registrars to document their configuration.
>>
>> A "sendsmail=(y,n)" indicator would accomplish this purpose.
>
>For documentation purposes, although I'd have preferred meaningful, explicit
>tokens, if people much more experienced than me insist that obscurity is
>advisable in this case, I don't agree but I accept it.
>
>For security, a private registrar should set psd=y. If it sets psd=n, it
>forces all registrants below that point to do the same. If the From: domain
>has psd=y, you know that they send mail because you received it. In that case,
>it can only authenticate by strict alignment.
>
>Perhaps, we could advise private registrars that they had better use an
>intermediate label with psd=y as a registration point if they want more DMARC
>flexibility at their base domain.

Based on the current draft, this is not correct. An exact match is the org domain, even if PSD=y, so even if the policy uses the relaxed alignment approach, it will still be aligned.

Scott K

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Tree walk in -06
On March 24, 2022 6:53:13 PM UTC, John Levine wrote:
>It appears that Murray S. Kucherawy said:
>>On Tue, Mar 22, 2022 at 10:35 AM Ken O'Driscoll
>40wemonitoremail@dmarc.ietf.org> wrote:
>>
>>> Having different behaviour for the absence of the tag and the default
>>> value will be unnecessarily confusing and not intuitive.
>>
>>I'm confused. In the absence of the tag, don't you apply the default?
>>That is, aren't these necessarily the same thing?
>
>Currently, no. psd=n means one thing, psd=y means another thing, and no psd
>at all means a third.
>
>My suggestion is to allow explicit or default psd=u for the third thing.

I've revised my opinion based on the discussion. I agree this is the way to go. I'll put together some words in the next day or three.

Scott K
Re: [dmarc-ietf] Exception management
It appears that Murray S. Kucherawy said:
>Were I implementing such a thing, I'd probably have a list of overrides
>that map names to DMARC records. For every name in the tree walk I'm going
>to try, I'd check that list first for an override, and use that if one is
>found.

As we all know, some organizations have an unfortunate habit of publishing DMARC policies that don't match their sending policies because "it's more secure."

If you have a set of override DMARC records, you can use them to fix broken policies with p= and broken authority boundaries with psd=, using one simple hack.

R's,
John
Re: [dmarc-ietf] Exception management
On Fri, Mar 25, 2022 at 3:51 AM Douglas Foster < dougfoster.emailstanda...@gmail.com> wrote:
> Exception management is straightforward when using the PSL. The system
> administrator simply maintains an errata file that is used to add entries
> to, or remove entries from the downloaded PSL file. If the PSL does not
> list "onmicrosoft.com", but I want it treated as a registrar, I simply
> insert that name into the local data structure which represents my copy of
> the PSL.
>
> But how does the system administrator apply corrections to the Tree Walk?
> I am having trouble envisioning any suitable solution. The partial ideas
> in my head seem unsustainably complex to develop, administer, and query.
>

Were I implementing such a thing, I'd probably have a list of overrides that map names to DMARC records. For every name in the tree walk I'm going to try, I'd check that list first for an override, and use that if one is found.

Such a list would not be likely to change often, if I even need it, so I would not need to load it from disk very often, and could just keep it cached.

-MSK
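
[Added example, not part of any message in this thread and not code from the draft or its authors.] A sketch of the override-first lookup described above, with a simplified organizational-domain choice based on the psd values the thread discusses. The names `registrar.example`, `FAKE_DNS`, `OVERRIDES` and all function names are assumptions made for illustration, and the boundary rule is a reduced form, not the draft's full algorithm.

```python
# Constructed stand-in for TXT lookups at _dmarc.<name>; no real DNS is queried.
FAKE_DNS = {"registrar.example": "v=DMARC1; p=reject"}
# Hypothetical local override list: name -> record; None ignores the published record.
OVERRIDES = {"registrar.example": "v=DMARC1; p=reject; psd=y"}

def parse_tags(record):
    """Split 'v=DMARC1; p=none; psd=y' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def lookup(name, overrides, resolver):
    """Check the override list before DNS; return (record, source)."""
    if name in overrides:
        return overrides[name], "override"
    return resolver(name), "dns"

def tree_walk(domain, overrides, resolver):
    """Collect (name, tags, source) from the starting domain up to the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        record, source = lookup(name, overrides, resolver)
        tags = parse_tags(record) if record else {}
        if tags.get("v") == "dmarc1":
            found.append((name, tags, source))
    return found

def org_domain(domain, overrides, resolver):
    """Simplified boundary choice: psd=n or an exact match ends the walk;
    psd=y higher up puts the boundary one label below that name."""
    domain = domain.lower().rstrip(".")
    found = tree_walk(domain, overrides, resolver)
    for name, tags, _ in found:
        psd = tags.get("psd", "u")   # absent tag treated as psd=u, per the thread
        if psd == "n" or (psd == "y" and name == domain):
            return name
        if psd == "y":
            depth = len(name.split(".")) + 1
            return ".".join(domain.split(".")[-depth:])
    return found[-1][0] if found else domain
```

With the override in place, mail from `mail.tenant.registrar.example` resolves to `tenant.registrar.example` rather than to the registrar's own name, and every record returned by `tree_walk` carries its source so that locally overridden decisions can be logged and audited.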
[dmarc-ietf] Exception management
Exception management is straightforward when using the PSL. The system administrator simply maintains an errata file that is used to add entries to, or remove entries from the downloaded PSL file. If the PSL does not list "onmicrosoft.com", but I want it treated as a registrar, I simply insert that name into the local data structure which represents my copy of the PSL.

But how does the system administrator apply corrections to the Tree Walk? I am having trouble envisioning any suitable solution. The partial ideas in my head seem unsustainably complex to develop, administer, and query.

Doug Foster