On 12/12/2016 18:54, Roland Turner via dmarc-discuss wrote:
>
> OK, but presumably the business process system isn't generating new
> subdomains on an hourly/daily basis (or indeed, ever). Assuming that simply
> fixing the BPS outbound email stream to have valid DKIM signatures is not an
> option (e.g. delivery via corporate gateway), then presumably this is better
> dealt with as:
>
> _dmarc.example.com TXT "p=reject"
> _dmarc.bps.example.com TXT "p=none"
>
> than with a blanket sp=none in the parent domain?

Some of your subdomains may send infrequently, and you may not know what all of them are until end of month/quarter. Depending on what's happening with the parent domain, this odd-looking policy might be your better option for the interim.

And second, sometimes you can only do what you can convince the customer to accept. I've had the "business decision maker" refuse to block ~1 million fraudulent messages per day because up to 500 legit messages (out of more than 50,000) per day would also be blocked due to forwarding. And that was their decision to make, since it was a business decision.

So I'm not saying it's a great choice, but in some cases it may be what gets you the next step forward.

--S.
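The two layouts compared in this thread, evaluated with the RFC 7489 policy discovery order, as an added example that is not part of the original messages. The zone contents are constructed, the function names are hypothetical, and the organizational domain is passed in rather than derived from the Public Suffix List.

```python
# Constructed zone data for the two layouts compared in the thread.
# "v=DMARC1" is added because a published record needs it.
ZONE_EXPLICIT = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.bps.example.com": "v=DMARC1; p=none",
}
ZONE_BLANKET = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none",
}


def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def lookup(name, zone):
    """Return parsed tags for a valid DMARC record at name, else None."""
    tags = parse_tags(zone.get(name, ""))
    if tags.get("v") == "DMARC1" and "p" in tags:
        return tags
    return None


def effective_policy(from_domain, org_domain, zone):
    """Policy a receiver applies to from_domain (RFC 7489 discovery order).

    org_domain is passed in (assumption); real receivers derive it
    from the Public Suffix List.
    """
    from_domain = from_domain.lower().rstrip(".")
    org_domain = org_domain.lower().rstrip(".")
    tags = lookup("_dmarc." + from_domain, zone)
    if tags:  # record at the exact From domain: its p= applies
        return tags["p"].lower()
    if from_domain != org_domain:
        tags = lookup("_dmarc." + org_domain, zone)
        if tags:  # inherited: sp= if present, otherwise p=
            return tags.get("sp", tags["p"]).lower()
    return None  # no DMARC policy published


if __name__ == "__main__":
    for label, zone in (("explicit", ZONE_EXPLICIT), ("blanket sp=none", ZONE_BLANKET)):
        for host in ("example.com", "bps.example.com", "unlisted.example.com"):
            print(label, host, effective_policy(host, "example.com", zone))
```

With the explicit layout only bps.example.com is evaluated at none; with the blanket sp=none every subdomain without its own record, including names never used for mail, is evaluated at none.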
