+1

BTW, we'll be exhibiting at RSA in SF next time; this will be between 24-28 of February next year. Please stop by our booth and I hope we discuss DMARC more.

Best Regards,

Jonas Falck
CEO & Co-Founder
HALON SECURITY INC
100 Montgomery Street, Suite 1080
San Francisco, CA 94104, USA
Phone: +1.415.835.3030
Cell: +1.650.445.9076
[email protected]
www.halonsecurity.com

On 10 Dec 2013, at 22:15, Paul Midgen <[email protected]> wrote:

> I've been using CNAMEs this way commercially for about a year without issue
> across different dns providers, client/server combos, etc.
>
> I think you can proceed with confidence.
>
> sent from phone, pls frgv trs msgs nad typos.
>
>> On Dec 10, 2013, at 10:01 PM, Franck Martin <[email protected]> wrote:
>>
>>> On Dec 10, 2013, at 2:59 PM, Rolf E. Sonneveld
>>> <[email protected]> wrote:
>>>
>>> Hi, Franck,
>>>
>>>> On 12/10/2013 10:40 PM, Franck Martin wrote:
>>>> On Dec 10, 2013, at 11:39 AM, John Levine <[email protected]> wrote:
>>>>
>>>>>> Suggest following this thread from 2007.
>>>>>> http://mipassoc.org/pipermail/ietf-dkim/2007q2/007663.html
>>>>> That's the null MX proposal. I resuscitated Mark Delany's draft in
>>>>> July, and I suppose I might nudge Murray to see if appsawg would
>>>>> accept it, but it's a separate issue.
>>>>>
>>>>> For DMARC, what advice can we offer beyond publishing SPF -all and DKIM
>>>>> p=reject? (Normally I'm not a big fan of p=reject, but this is a
>>>>> place where it's clearly appropriate.)
>>>> I propose to add something along these lines in the DMARC FAQ.
>>>>
>>>> I have parked domains that do not send emails, how can I protect them?
>>>>
>>>> First create a DMARC record on your main domain (example.com) for all your
>>>> parked domains:
>>>> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected];"
>>>>
>>>> If example.net is a parked domain you can then protect it this way:
>>>> _dmarc.example.net CNAME _dmarc.parked.example.com
>>>> example.net TXT "v=spf1 -all"
>>>> *.example.net TXT "v=spf1 -all"
>>>>
>>>> The CNAME allows you to control in one place all your parked domains. If
>>>> you want, for instance, to start receiving failure reports for all your
>>>> parked domains, you just need to update one DNS record. In the example
>>>> above the record becomes:
>>>> _dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];"
>>>>
>>>> This will update all the domains using this CNAME.
>>>
>>> are you sure that all DNS implementations (both client and server) support
>>> this construct (client requests TXT record, server returns CNAME, client
>>> interprets CNAME, client requests TXT record for aliased domain)? AFAICS
>>> it's not violating any (DNS) standards...
>> If I recall, a few months ago, we tested this on the few DMARC
>> implementations we had on hand, and it worked as expected (or at least no
>> one complained yet). You may notice it is already the construct in another
>> FAQ entry.
>>
>> _______________________________________________
>> dmarc-discuss mailing list
>> [email protected]
>> http://www.dmarc.org/mailman/listinfo/dmarc-discuss
>>
>> NOTE: Participating in this list means you agree to the DMARC Note Well
>> terms (http://www.dmarc.org/note_well.html)
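
The lookup sequence questioned in the thread (TXT query, CNAME answer, TXT query at the alias) and the resulting parked-domain check, as an added example that is not part of the original messages. The `ZONE` dictionary is constructed data standing in for DNS, the report address and `example.org` are placeholders, and wildcard records are not modelled.

```python
# Constructed zone data mirroring the records proposed in the thread.
ZONE = {
    ("_dmarc.parked.example.com", "TXT"):
        ["v=DMARC1; p=reject; rua=mailto:reports@example.com;"],  # placeholder address
    ("_dmarc.example.net", "CNAME"): ["_dmarc.parked.example.com"],
    ("example.net", "TXT"): ["v=spf1 -all"],
    ("example.org", "TXT"): ["v=spf1 -all"],  # parked, but DMARC alias forgotten
}
MAX_CNAME_HOPS = 8

def resolve_txt(name, zone=ZONE):
    """Follow CNAMEs the way a resolver does; return (final owner, TXT strings)."""
    seen = set()
    name = name.rstrip(".").lower()
    for _ in range(MAX_CNAME_HOPS + 1):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        alias = zone.get((name, "CNAME"))
        if not alias:
            return name, zone.get((name, "TXT"), [])
        name = alias[0].rstrip(".").lower()
    raise ValueError("CNAME chain too long")

def parse_tags(record):
    """Split 'k=v; k=v;' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_parked(domain, zone=ZONE):
    """Return findings; an empty list means DMARC p=reject and SPF -all are both in place."""
    findings = []
    _, txts = resolve_txt("_dmarc." + domain, zone)
    dmarc = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("no single DMARC record (found %d)" % len(dmarc))
    elif parse_tags(dmarc[0]).get("p", "").lower() != "reject":
        findings.append("DMARC policy is not p=reject")
    _, spf = resolve_txt(domain, zone)
    if not any(t.lower().split() == ["v=spf1", "-all"] for t in spf):
        findings.append("SPF is not exactly 'v=spf1 -all'")
    return findings
```
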
