On Wed, Dec 20, 2017 at 9:58 AM John R Levine <[email protected]> wrote:
> On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:
> >> I need to be able to emulate in some way the effect of SPF and DMARC
> >> records for non-existent first level subdomains under the PSL gov.uk - to
> >> stop spoof mail apparently coming from them being delivered.
> >
> > I'm quite sure that you will need to do this via synthetic records being
> > returned either by the gov.uk name servers or by having gov.uk refer to a
> > general "parked domain" name server (farm) for all of the non-existent
> > subdomains ...
>
> With your current DNS setup, you could add this, no new name servers
> needed:
>
> *.gov.uk. IN TXT "v=spf1 -all"
> *.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"
>
> This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and
> abc.def.gov.uk. It won't cover names under existing subdomains, e.g.
> abc.mod.gov.uk but it's better than nothing.
>
> Unless the people who host your DNS are willing to let you use customized
> stunt servers, which seems unlikely considering who they are, that's about
> the best you can do without getting the cooperation of your delegatees.

SPF doesn't have sub-domain level protection like DMARC does, would it be useful to look at adding it?

DMARC sub-domain level protection assumes that the owner domain isn't a TLD. Can we change that to add a lookup on the TLD? Given the small number of TLDs and that most will not support that, negative caching should mitigate most of the DNS lookups for that. My knowledge of DNS is limited whether that is technically feasible.

Also, curious issues if someone like .com decided to add such a record. Perhaps even more privacy issues with rua/ruf at a TLD level.

Is there any designation difference between something like .gov.uk and .co.uk? Am I going to have to read the entire archive of DBOUND?

Brandon
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
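The coverage described in the quoted reply (undelegated names are covered, names under a delegated subdomain are not) follows from DNS wildcard synthesis rules. The Python model below is an added example, not code from the thread; the zone contents, the `www.gov.uk` node and all function names are assumptions made for illustration.

```python
# Constructed model of the gov.uk zone, not real zone data.
ORIGIN = "gov.uk"
ZONE_TXT = {  # owner name -> TXT strings (the two wildcard records from the thread)
    "*.gov.uk": ["v=spf1 -all",
                 "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"],
}
DELEGATIONS = {"mod.gov.uk"}   # zone cut, as in the thread's abc.mod.gov.uk case
OTHER_NODES = {"www.gov.uk"}   # assumed: a name that exists in-zone with no TXT


def ancestors(name):
    """Yield name, then each parent, stopping at the zone origin."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        yield candidate
        if candidate == ORIGIN:
            return


def existing_nodes():
    """All owner names plus any empty non-terminals above them."""
    nodes = {ORIGIN}
    for owner in set(ZONE_TXT) | DELEGATIONS | OTHER_NODES:
        nodes.update(ancestors(owner))
    return nodes


def lookup_txt(qname):
    """Return (status, txt_records) for a TXT query answered from this zone."""
    qname = qname.lower().rstrip(".")
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        return ("REFUSED", [])
    # A zone cut wins: names at or below a delegation get a referral, no synthesis.
    if any(a in DELEGATIONS for a in ancestors(qname)):
        return ("REFERRAL", [])
    nodes = existing_nodes()
    if qname in nodes:
        return ("NOERROR", ZONE_TXT.get(qname, []))   # may be NODATA
    # Closest encloser = longest existing ancestor; only "*.<encloser>" synthesizes.
    encloser = next(a for a in ancestors(qname) if a in nodes)
    records = ZONE_TXT.get("*." + encloser)
    return ("NOERROR", records) if records else ("NXDOMAIN", [])


def policy(qname, tag):
    """Keep only records with the version tag, as an SPF or DMARC verifier does."""
    return [r for r in lookup_txt(qname)[1] if r.startswith(tag)]
```

In this model `_dmarc.abc.gov.uk` receives the synthesized DMARC record, while `_dmarc.www.gov.uk` returns NXDOMAIN because `www.gov.uk` exists and becomes the closest encloser, so the wildcard also leaves gaps beneath names that already exist in the zone.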
