While it's important for the specification to retain the flexibility to do what you're describing, I'd suggest that this case (thwarting spoofing of a domain held by an organisation that doesn't run a mail-server but also isn't willing to use a third party service) is not currently within the scope of an FAQ or BCP.

- Roland



On 12/11/2013 07:12 AM, Ivan Gojmerac wrote:
Dear All,

I completely support formulating a DMARC recommendation for “never sending” 
domains, however, at the same time I prefer that this recommendation stays 
neutral regarding the desirability of feedback URI specification.

The reason for this is that there are cases where the specification of 
reporting addresses will prove (a) CUMBERSOME or (b) even TECHNICALLY 
IMPOSSIBLE without relying on 3rd party services:

(a) Some persons who manage a large number of domains that never send e-mails 
might simply not wish to obtain information about (all the individual) 
failures, but at the same time highly value the straightforward possibility of 
protecting their managed domains with an empty “-all” SPF record along with a 
“v=DMARC1; p=reject;” requested DMARC policy.

(b) Owners of only a single domain that is not used to send e-mails will 
typically not be able to provide a reporting URI, as they cannot specify a 
“..._report._dmarc...” record in the DNS of their inbox providers, which would 
legitimate their (free) personal e-mail addresses as reporting URIs. The only 
alternative option for such domain owners would be to employ 3rd party DMARC 
report analysis services, which might however prove to be too 
configuration-intensive for a large number of technically less enthusiastic 
persons.

Just my two cents...

Best,
Ivan Gojmerac


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Matt Simerson
Sent: Tuesday, 10 December 2013 23:03
To: Franck Martin
Cc: <[email protected]>
Subject: Re: [dmarc-discuss] dmarc for "never sending" domains


On Dec 10, 2013, at 1:40 PM, Franck Martin <[email protected]> wrote:

On Dec 10, 2013, at 11:39 AM, John Levine <[email protected]> wrote:

Suggest following this thread from 2007.
http://mipassoc.org/pipermail/ietf-dkim/2007q2/007663.html
That's the null MX proposal.  I resuscitated Mark Delany's draft in
July, and I suppose I might nudge Murray to see if appsawg would
accept it, but it's a separate issue.

For DMARC, what advice can we offer beyond publishing SPF -all and
DKIM p=reject?  (Normally I'm not a big fan of p=reject, but this is
a place where it's clearly appropriate.)

I propose to add something along these lines in the DMARC FAQ.
+1

Matt

I have parked domains that do not send emails, how can I protect them?

First create a DMARC record on your main domain (example.com) for all your 
parked domains:
_dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected];";

If example.net is a parked domain you can then protect it this way:
_dmarc.example.net CNAME _dmarc.parked.example.com
example.net TXT "v=spf1 -all"
*.example.net TXT "v=spf1 -all"

The CNAME allows you to control in one place all your parked domains. If you 
want, for instance, to start receiving failure reports for all your parked 
domains, you just need to update one DNS record. In the example above the 
record becomes:
_dmarc.parked.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];";

This will update all the domains using this CNAME.

The wildcard on the TXT record for SPF will protect any subdomain or host under 
this domain.

To be able to receive reports for example.net at the mailboxes at example.com 
you must create a report record:
example.net._report._dmarc.example.com TXT "v=DMARC1;"

If you have many parked domains, you can use a wildcard, instead of creating a 
record for each domain you are protecting:
*._report._dmarc.example.com TXT "v=DMARC1;"

However, you can then receive reports for any domain; ensure you are protected 
against false reporting and the potential load on your infrastructure.
_______________________________________________
dmarc-discuss mailing list
[email protected]
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note
Well terms (http://www.dmarc.org/note_well.html)

--
  Roland Turner | Director, Labs
  TrustSphere Pte Ltd | 3 Phillip Street #13-03, Singapore 048693
  Mobile: +65 96700022 | Skype: roland.turner
  [email protected] | http://www.trustsphere.com/
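
Added example, not part of the original thread: a small Python audit of the parked-domain setup proposed in the FAQ text above (SPF "-all", DMARC p=reject reached through a CNAME, and the "_report._dmarc" authorization record for an external report mailbox). The zone contents, the reports@example.com address and the function names are constructed for illustration; wildcard matching and the external-destination comparison are simplified (no closest-encloser rule, exact domain comparison instead of organizational domain).

```python
# Constructed zone data standing in for DNS answers: name -> (type, value).
ZONE = {
    "_dmarc.parked.example.com": ("TXT", "v=DMARC1; p=reject; rua=mailto:reports@example.com;"),
    "_dmarc.example.net": ("CNAME", "_dmarc.parked.example.com"),
    "example.net": ("TXT", "v=spf1 -all"),
    "*.example.net": ("TXT", "v=spf1 -all"),
    "*._report._dmarc.example.com": ("TXT", "v=DMARC1;"),
    "_dmarc.example.org": ("TXT", "v=DMARC1; p=none;"),  # weak policy on purpose
    "example.org": ("TXT", "v=spf1 -all"),
}

def lookup_txt(name, zone, depth=0):
    """Return the TXT value for name, following CNAMEs and wildcard records."""
    labels = name.split(".")
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    rec = next((zone[c] for c in candidates if c in zone), None)
    if rec is None or depth > 8:  # depth guard against CNAME loops
        return None
    rtype, value = rec
    return lookup_txt(value, zone, depth + 1) if rtype == "CNAME" else value

def parse_tags(txt):
    """Split a DMARC record into a {tag: value} dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_parked(domain, zone):
    """Return a list of findings for a domain that should never send mail."""
    findings = []
    spf = lookup_txt(domain, zone) or ""
    if spf.split() != ["v=spf1", "-all"]:
        findings.append("SPF is not 'v=spf1 -all'")
    tags = parse_tags(lookup_txt("_dmarc." + domain, zone) or "")
    if tags.get("v") != "DMARC1" or tags.get("p") != "reject":
        findings.append("DMARC policy is not p=reject")
    for key in ("rua", "ruf"):
        for uri in filter(None, tags.get(key, "").split(",")):
            dest = uri.strip().rsplit("@", 1)[-1].split("!")[0].lower()
            if dest == domain:
                continue  # reports stay inside the same domain
            auth = lookup_txt(f"{domain}._report._dmarc.{dest}", zone) or ""
            if not auth.startswith("v=DMARC1"):
                findings.append(f"{key} destination {dest} has not authorized reports for {domain}")
    return findings

if __name__ == "__main__":
    for d in ("example.net", "example.org"):
        print(d, audit_parked(d, ZONE) or "OK")
```

Without the "_report._dmarc" record at the destination, receivers that verify external destinations will not send reports there, which is the situation described in point (b) of Ivan's message.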
