On Mon, Dec 18, 2017 at 2:46 PM, Ian Levy <[email protected]> wrote:
> . . .As part of the UK Government’s Active Cyber Defence programme, we’re
> trying to get DMARC across all public facing brands in the UK, starting
> with all public sector domains. We’ve found a couple of interesting things
> while trying to implement DMARC at scale.
>
> 1. <elided>
>
> 1. As we’ve started to make criminals’ lives harder in abusing
> Government brands, they’re moving to deceptive domains (relatively easy to
> manage) and non-existent subdomains of gov.uk. We’ve got over 5000
> valid subdomains of gov.uk and not all of them are compliant with our
> policies yet, so we can’t just set an sp=reject policy (and it’s not clear
> it works in all circumstances anyway).

Even if you listed an "sp=reject" policy, it would only be seen for mail that purported to come from gov.uk itself (so not helpful). As a public-level suffix, gov.uk's DMARC record should never be seen for any subdomains thereof (the algorithm checks an exact match domain and then falls back to an org-level domain which would already be the non-existent x.gov.uk, not gov.uk itself).

--Kurt
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
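The lookup order described in the reply above (exact-match domain, then organizational domain), as an added example that is not part of the original thread. `PUBLIC_SUFFIXES` and `DNS_TXT` are constructed stand-ins for the Public Suffix List and for DNS, and the records in them are invented sample data.

```python
# Added illustration of RFC 7489 policy discovery; not code from the thread.
# PUBLIC_SUFFIXES and DNS_TXT are constructed sample data, not live lookups.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "com"}           # tiny stand-in for the PSL
DNS_TXT = {                                          # constructed TXT records
    "_dmarc.gov.uk": "v=DMARC1; p=reject; sp=reject",
    "_dmarc.example.gov.uk": "v=DMARC1; p=quarantine; sp=reject",
}


def organizational_domain(domain):
    """Longest matching public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # labels[i:] is the longest listed suffix; keep one more label.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])    # unlisted TLD: PSL default rule "*"


def parse_tags(record):
    """Split 'k=v; k=v' into a dict of DMARC tags."""
    parts = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}


def discover_policy(from_domain):
    """Return (names queried, record name used, policy) for a From: domain."""
    domain = from_domain.lower().rstrip(".")
    org = organizational_domain(domain)
    queried = []
    # Exact match first, then the org domain; never anything above the org domain.
    for candidate in dict.fromkeys([domain, org]):
        name = "_dmarc." + candidate
        queried.append(name)
        record = DNS_TXT.get(name)
        if record:
            tags = parse_tags(record)
            # sp= is honoured only when the record came from the fallback.
            is_fallback = candidate != domain
            policy = tags.get("sp", tags["p"]) if is_fallback else tags["p"]
            return queried, name, policy
    return queried, None, None      # no record: no DMARC policy applies
```

For a made-up name such as `nonexistent.gov.uk`, the organizational domain is the name itself, so `_dmarc.gov.uk` never appears in the list of names queried.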
