On Wed 01/Mar/2023 16:28:49 +0100 Scott Kitterman wrote:
On March 1, 2023 3:08:16 PM UTC, Jesse Thompson <z...@fastmail.com> wrote:
On 3/1/2023 6:12 AM, Douglas Foster wrote:

A sub-issue to consider:   Should we do a Tree Walk on the authenticating 
domain?
For example, assume that "virgina.gov" and "dmas.virginia.gov" 
both have DMARC policies with relaxed alignment.   Should "dmas.virginia.gov" be prohibited from 
authenticating "virginia.gov"?
My gut says yes, but it adds some overhead to enforce that rule.

My gut says that might break ESPs who are using subdomains for SPF relaxed 
alignment. Unless you are saying that it's safe for treewalk changes to break 
MAILFROM=bounces.dmas.virginia.gov rfc5322.From=virginia.gov, then maybe there 
is some data to suggest that it is rare.


That's a curious example, as both virginia.gov and dmas.virginia.gov have DMARC records defined without the _dmarc prefix.

I'd have exemplified a service which provides signing to the whole organization. Their own department can be ready for strict policies, so they may want to publish p=reject, while the whole organization sticks to a more conservative policy. Adding rua= addresses is another reason to publish a separate record.


If an org domain doesn't want to have subdomains used then they need to use 
strict alignment.  There's no need to turn relaxed alignment into some sort of 
almost strict, but more complicated.  We've gotten this far without redesigning 
alignment, let's not start now.  As far as I remember, it's still the same as 
RFC 7489 and that's a good thing.


Somewhat similar to defining strict alignment, the org domain can avail of the new possibility to define psd=y. Even if they are not open to public registrations, they may want to enforce a clear-cut subdivision.


Best
Ale
--






_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
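
The alignment cases discussed in this thread, as an added example that is not part of the original messages: it compares relaxed alignment, strict alignment, and a psd=y record on the parent for MAILFROM=bounces.dmas.virginia.gov with rfc5322.From=virginia.gov. The records are constructed, the function names are hypothetical, and the Organizational Domain rules (psd=n, then psd=y, then fewest labels) are a simplified reading of the tree walk in the DMARCbis draft.

```python
# Constructed DMARC records for illustration; not real DNS data.
RECORDS = {
    "virginia.gov": "v=DMARC1; p=none",
    "dmas.virginia.gov": "v=DMARC1; p=reject",
}

def tags(record):
    """Parse 'v=DMARC1; p=none; psd=y' into a dict of tag -> value."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def org_domain(domain, records):
    """Organizational Domain via a simplified tree walk (assumed rules)."""
    labels = domain.lower().rstrip(".").split(".")
    # Candidate names from the full domain up to the top-level label.
    names = [".".join(labels[i:]) for i in range(len(labels))]
    found = [(n, tags(records[n])) for n in names if n in records]
    for name, t in found:
        if t.get("psd") == "n":          # explicit "this is the org domain"
            return name
    for name, t in found:
        if t.get("psd") == "y" and name != names[0]:
            # The org domain is one label below the psd=y record.
            return names[names.index(name) - 1]
    # Otherwise the record with the fewest labels; no record: the domain itself.
    return found[-1][0] if found else names[0]

def aligned(from_domain, auth_domain, records, strict=False):
    """Identifier alignment between RFC5322.From and an authenticated domain."""
    a = from_domain.lower().rstrip(".")
    b = auth_domain.lower().rstrip(".")
    if strict:
        return a == b
    return org_domain(a, records) == org_domain(b, records)

if __name__ == "__main__":
    # Same records, but the parent now publishes psd=y (constructed).
    split = dict(RECORDS, **{"virginia.gov": "v=DMARC1; p=none; psd=y"})
    pair = ("virginia.gov", "bounces.dmas.virginia.gov")
    print("relaxed:", aligned(*pair, RECORDS))
    print("strict: ", aligned(*pair, RECORDS, strict=True))
    print("psd=y:  ", aligned(*pair, split))
```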
