Re: [dmarc-ietf] draft-crocker-dmarc-author-00 ?
On 14 Aug 2020, at 12:47, Neil Anuskiewicz wrote:

Under 50% of companies have any DMARC record. Of those who deploy DMARC, about ~2% have p=quarantine and ~5% p=reject, though some industries such as finance it looks like it's closer to 15% p=reject. I'm sure these numbers aren't perfect but what you have likely isn't radically different.

My numbers are inverted regarding quarantine vs reject, as I posted on this list:

On 30 Jul 2020, at 18:01, Luis E. Muñoz wrote:

I am currently observing ~215.5 million domain names. Out of those, ~64 million have a seemingly _valid_ SPF record and ~113 million with at least one MX record.

This is a current breakdown of the (valid) DMARC records I am observing over the general domain population above. This amounts to an adoption rate of ~1.7%.

| p | count |
| :- | --: |
| none | 2715614 |
| quarantine | 238584 |
| reject | 726045 |

Numbers have moved a bit since then, but not much. I'm seeing 3:1 reject to quarantine ratio across the board.

Why is adoption low? Is that a big problem? Why so few aggressive policies? Is that a big problem?

DMARC can be quite useful even with p=none. This use case provides insight on what's going on and sometimes, that's all that is wanted. Moving to more aggressive policies requires a degree of control on the mail flows that not all organizations are prepared to exercise, IMO.

Best regards

-lem

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] non-mailing list use case for differing header domains
On 30 Jul 2020, at 15:52, Jim Fenton wrote:

There's an underlying assumption here that I don't agree with: that DMARC adoption equates to the publication of a p=reject DMARC policy, and that everyone (or at least all Fortune 500 companies) should be doing that. p=reject should only be used when the usage patterns of the domain support that policy. I'm more inclined to say that 85% of Fortune 500 companies are savvy enough not to publish a policy that doesn't fit their usage patterns.

I am currently observing ~215.5 million domain names. Out of those, ~64 million have a seemingly _valid_ SPF record and ~113 million with at least one MX record.

This is a current breakdown of the (valid) DMARC records I am observing over the general domain population above. This amounts to an adoption rate of ~1.7%.

| p | count |
| :- | --: |
| none | 2715614 |
| quarantine | 238584 |
| reject | 726045 |

It is interesting that roughly half of those are not taking advantage of the reporting. Here are the counts for those with neither `rua=` nor `ruf=` in the DMARC records:

| p | count |
| :- | --: |
| none | 1092990 |
| quarantine | 107767 |
| reject | 307614 |

I do not have a definitive list of Fortune 500 domain names, but I compile a rolling list of domain names with most traffic using multiple sources, which currently holds ~1.8 million unique domain names. The breakdown of DMARC records from that high-traffic population is shown below, and it amounts to about 6.3%.

| p | count |
| :- | --: |
| none | 79367 |
| quarantine | 18094 |
| reject | 15875 |

For completeness, here is the same report, counting only those that have neither `rua=` nor `ruf=` in the DMARC record. The ratio of _silent_ `p=quarantine` and `p=reject` seems around half as in the case of the general population.

| p | count |
| :- | --: |
| none | 32561 |
| quarantine | 4534 |
| reject | 2760 |

It would seem that those high-traffic domains are ~5x more likely to adopt DMARC.

To me, these numbers speak of thoughtful and deliberate deployment that outpaces the general domain name registrations. That said, I cannot claim whether the list of high-traffic domains is actually a good proxy for the domain portfolio of the Fortune 500 companies.

Best regards

-lem

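The breakdown in the message above (valid DMARC records per `p=` value, and the subset with neither `rua=` nor `ruf=`) can be reproduced over any set of `_dmarc` TXT strings. This is an added example, not code from the thread: the validity rule (first tag `v=DMARC1`, `p=` one of the three policies) is an assumption based on RFC 7489, since the post does not define "valid", and the sample records are constructed.

```python
from collections import Counter

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not valid."""
    tags = []
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue                      # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            return None                   # not a tag=value pair
        tags.append((name.strip().lower(), value.strip()))
    # Assumed validity rule: v=DMARC1 (case-sensitive) must be the first tag
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    record = dict(tags)
    policy = record.get("p", "").lower()
    if policy not in POLICIES:
        return None                       # missing or unknown p= value
    record["p"] = policy
    return record

def tally(records):
    """Count valid records per policy, and those with neither rua= nor ruf=."""
    by_policy, silent = Counter(), Counter()
    for txt in records.values():
        rec = parse_dmarc(txt)
        if rec is None:
            continue
        by_policy[rec["p"]] += 1
        if not rec.get("rua") and not rec.get("ruf"):
            silent[rec["p"]] += 1         # publishes a policy, receives no reports
    return by_policy, silent

# Constructed sample data (example names, not taken from the survey in the thread)
SAMPLE = {
    "a.example": "v=DMARC1; p=none; rua=mailto:dmarc@a.example",
    "b.example": "v=DMARC1; p=reject",
    "c.example": "v=DMARC1; p=quarantine; ruf=mailto:f@c.example; pct=50",
    "d.example": "p=reject; v=DMARC1",    # invalid: v= is not the first tag
    "e.example": "v=DMARC1; p=none;",
    "f.example": "v=spf1 -all",           # SPF, not a DMARC record
    "g.example": "v=DMARC1; p=REJECT; rua=mailto:r@g.example",
}

if __name__ == "__main__":
    print(tally(SAMPLE))
```
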
Re: [dmarc-ietf] inheritance and public suffix list
On 5 Apr 2018, at 13:58, Kurt Andersen (b) wrote:

That seems like a regrettable limitation. Would we need further definition around the "well known" aspect from IETF to fix this or would it require ICANN-level changes to contractual terms?

Contractual changes. This is the relevant text from https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved-31jul17-en.html

1.1. For the “Internet” (IN) Class:
  1.1.1. Apex SOA record
  1.1.2. Apex NS records and in-bailiwick glue for the TLD’s DNS servers
  1.1.3. NS records and in-bailiwick glue for DNS servers of registered names in the TLD
  1.1.4. DS records for registered names in the TLD
  1.1.5. Records associated with signing the TLD zone (e.g., RRSIG, DNSKEY, NSEC, NSEC3PARAM and NSEC3)
  1.1.6. Apex TXT record for zone versioning purposes
  1.1.7. Apex TYPE65534 record for automatic dnssec signing signaling
1.2. For the “Chaos” (CH) Class:
  1.2.1. TXT records for server version/identification (e.g., TXT records for “version.bind.”, “id.server.”, “authors.bind” and/or “hostname.bind.”)

Luis Muñoz
Director, Registry Operations
http://www.uniregistry.link/
2161 San Joaquin Hills Road
Newport Beach, CA 92660
Office +1 949 706 2300 x 4242
l...@uniregistry.link

Re: [dmarc-ietf] inheritance and public suffix list
On 5 Apr 2018, at 13:04, MH Michael Hammer (5304) wrote:

I think _dmarc as a TXT record is fairly well known. Is there anything that would specifically prohibit this?

gTLDs are not permitted to place TXT records in their zones.

Luis Muñoz
Director, Registry Operations
http://www.uniregistry.link/
2161 San Joaquin Hills Road
Newport Beach, CA 92660
Office +1 949 706 2300 x 4242
l...@uniregistry.link

Re: [dmarc-ietf] inheritance and public suffix list
On 4 Apr 2018, at 11:19, Peter M. Goldstein wrote:

3. *New gTLDs* - With the recent expansion of the list of TLDs, many of the new TLDs are controlled by a single organization. It may make sense to allow those gTLDs to define a DMARC record on the TLD itself or on some 'default' domain - both for administrative simplification and to ensure against abuse. It may be possible to handle this case outside of a lookup change with wildcarded DNS records, but I know it's something that's come up in discussions with some of those TLD owners.

Keep in mind that gTLD operators are restricted in the records they can include in their respective DNS zones. This would require the use of a well known name specifically for this purpose.

Best regards

Luis Muñoz
Director, Registry Operations
http://www.uniregistry.link/
2161 San Joaquin Hills Road
Newport Beach, CA 92660
l...@uniregistry.link