On Tuesday, January 15, 2019 07:49:17 PM John Levine wrote:
> In article <5126347.eOcQ2jtf8Q@kitterma-e6430> you write:
> >This update removes the IANA registry (which is what I think I was supposed
> >to do based on the feedback to date). I also bulked up the
> >Privacy/Security considerations descriptions since they are no longer
> >mitigated.
> >
> >I'd like feedback on the best path forward. Essentially this draft
> >replaces the IANA registry with an undefined way to know where PSD DMARC
> >is appropriate. I think we need something better than that, but I didn't
> >know what.
>
> The more I look at this, the less I understand what problem it solves.
> If you manage a zone that can publish a PSD policy, you have some kind
> of relationship with the zone members so you should be auditing their
> policies anyway.
>
> To take a non-random example, I looked at the 2700 names in .BANK.
> There are 122 with no DMARC at all, which PSD might help, but there
> are also 164 with p=none, 29 with p=quarantine, 7 with pct=N where N
> is not 100, 4 with multiple policies, and about 30 where the DMARC
> record is invalid. Assuming your goal is to get everyone to p=none,
> PSD doesn't impress me as offering significant help.

My understanding is that, since, as you say, PSOs (like .bank) have a
pre-existing relationship with their registrants, they don't need PSD DMARC
to audit their registrants' policies. For an entity like that, it offers the
chance to get feedback on other, presumably non-existent, domains so as to
better understand abuse patterns within the PSD they manage. It also gives
them a mechanism to express a reject policy for those domains, which does
not currently exist. This may help improve rejection of cousin domains by
receivers.

For single entity PSDs, like for a very large Internet company that is,
conveniently, not named after a large South American rain forest (so they
can get it registered), it offers other advantages. In cases like this, the
PSD operates like an organizational domain except for the fact that in the
current DMARC instantiation, their record won't work for subdomains. PSD
DMARC would enable '.example' to publish a single record for all lower level
entries in the zone.

Scott K
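
The kind of per-zone audit described in the quoted text (sorting names by the state of their DMARC record) can be sketched as follows. This is an added example, not part of the original messages; the function names are hypothetical, the validity checks are a simplified assumption rather than the full RFC 7489 rules, the buckets are made mutually exclusive, and the sample TXT answers are constructed.

```python
from collections import Counter

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; return None on a malformed tag."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            return None
        tags[key.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Classify the TXT answers at _dmarc.<domain> into one audit bucket."""
    # Only strings whose first tag is the version tag count as DMARC records.
    dmarc = [r for r in txt_records
             if r.split(";")[0].replace(" ", "") == "v=DMARC1"]
    if not dmarc:
        return "no DMARC"
    if len(dmarc) > 1:
        return "multiple policies"
    tags = parse_tags(dmarc[0])
    if tags is None or tags.get("p", "").lower() not in VALID_POLICIES:
        return "invalid"
    pct = tags.get("pct", "100")
    if not pct.isdecimal() or int(pct) > 100:
        return "invalid"
    bucket = "p=" + tags["p"].lower()
    return bucket if int(pct) == 100 else bucket + " (pct<100)"

def audit(zone):
    """Tally buckets over a mapping of {domain: [TXT strings]}."""
    return Counter(classify(records) for records in zone.values())

# Constructed sample answers, not real .BANK data.
SAMPLE = {
    "a.example": [],
    "b.example": ["v=DMARC1; p=none; rua=mailto:r@b.example"],
    "c.example": ["v=DMARC1; p=quarantine; pct=50"],
    "d.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "e.example": ["v=DMARC1; p=rejct"],
    "f.example": ["google-site-verification=abc", "v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for bucket, count in sorted(audit(SAMPLE).items()):
        print(f"{count:3d}  {bucket}")
```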
