On Dec 10, 2013, at 2:59 PM, Rolf E. Sonneveld <[email protected]> wrote:
> Hi, Franck,
>
> On 12/10/2013 10:40 PM, Franck Martin wrote:
>> On Dec 10, 2013, at 11:39 AM, John Levine <[email protected]> wrote:
>>
>>>> Suggest following this thread from 2007.
>>>> http://mipassoc.org/pipermail/ietf-dkim/2007q2/007663.html
>>> That's the null MX proposal. I resuscitated Mark Delany's draft in
>>> July, and I suppose I might nudge Murray to see if appsawg would
>>> accept it, but it's a separate issue.
>>>
>>> For DMARC, what advice can we offer beyond publishing SPF -all and DKIM
>>> p=reject? (Normally I'm not a big fan of p=reject, but this is a
>>> place where it's clearly appropriate.)
>>>
>> I propose to add something along these lines in the DMARC FAQ.
>>
>> I have parked domains that do not send emails, how can I protect them?
>>
>> First create a DMARC record on your main domain (example.com) for all your
>> parked domains:
>> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected];"
>>
>> If example.net is a parked domain you can then protect it this way:
>> _dmarc.example.net CNAME _dmarc.parked.example.com
>> example.net TXT "v=spf1 -all"
>> *.example.net TXT "v=spf1 -all"
>>
>> The CNAME allows you to control in one place all your parked domains. If you
>> want, for instance, to start receiving failure reports for all your parked
>> domains, you just need to update one DNS record. In the example above the
>> record becomes:
>> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];"
>>
>> This will update all the domains using this CNAME.
>
> are you sure that all DNS implementations (both client and server) support
> this construct (client requests TXT record, server returns CNAME, client
> interprets CNAME, client requests TXT record for aliased domain)? AFAICS it's
> not violating any (DNS) standards...
>

If I recall, a few months ago, we tested this on the few DMARC implementations we had on hand, and it worked as expected (or at least no one has complained yet). You may notice it is already the construct in another FAQ entry.
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms (http://www.dmarc.org/note_well.html)
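An added example, not part of the original thread: a small offline audit of the parked-domain layout proposed above, showing the TXT-via-CNAME lookup Rolf asks about and the failure cases a domain owner would want flagged. The zone data, the `reports@example.com` address, the `example.org` entries, and the function names are all constructed for illustration; wildcard matching is simplified to the immediate parent.

```python
# Constructed zone data mirroring the records in the thread (not live DNS).
# reports@example.com is a placeholder reporting address.
ZONE = {
    ("_dmarc.parked.example.com", "TXT"): ["v=DMARC1; p=reject; rua=mailto:reports@example.com;"],
    ("_dmarc.example.net", "CNAME"): ["_dmarc.parked.example.com"],
    ("example.net", "TXT"): ["v=spf1 -all"],
    ("*.example.net", "TXT"): ["v=spf1 -all"],
    # Constructed misconfigured parked domain: dangling alias, soft-fail SPF.
    ("_dmarc.example.org", "CNAME"): ["_dmarc.missing.example.com"],
    ("example.org", "TXT"): ["v=spf1 ~all"],
}

def lookup(name, rtype, zone):
    """Return (records, alias_chain), chasing CNAMEs as a resolver does."""
    chain = [name]
    for _ in range(8):  # bound the chase so an alias loop cannot hang us
        if (name, rtype) in zone:
            return zone[(name, rtype)], chain
        if (name, "CNAME") in zone:
            name = zone[(name, "CNAME")][0]
            chain.append(name)
            continue
        # Wildcards only synthesize answers for names that do not exist.
        # Simplification: only the immediate parent's wildcard is tried.
        exists = any(owner == name for owner, _ in zone)
        parent = name.partition(".")[2]
        if not exists and ("*." + parent, rtype) in zone:
            return zone[("*." + parent, rtype)], chain
        break
    return [], chain

def dmarc_tags(txt):
    """Split 'k=v; k=v;' into a dict."""
    return dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)

def audit_parked(domain, zone):
    """List findings for a domain that should never send mail."""
    findings = []
    txts, chain = lookup("_dmarc." + domain, "TXT", zone)
    dmarc = [t for t in txts if t.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append("no single DMARC record via " + " -> ".join(chain))
    elif dmarc_tags(dmarc[0]).get("p") != "reject":
        findings.append("DMARC policy is not p=reject")
    # "probe-label" is an arbitrary subdomain used to exercise the wildcard.
    for host in (domain, "probe-label." + domain):
        spf = [t for t in lookup(host, "TXT", zone)[0] if t.startswith("v=spf1")]
        if spf != ["v=spf1 -all"]:
            findings.append(host + ": SPF is not exactly 'v=spf1 -all'")
    return findings
```

Because every parked domain aliases to one shared record, a dangling or mistyped CNAME target silently leaves that domain with no DMARC policy at all, which is why the audit reports the alias chain it followed.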
