Hello

At the National Cyber Security Centre in the UK we're supportive of the PSD 
DMARC initiative. However, we currently have one problem that would hamper its 
applicability to our use case: We essentially have the need to express 
different subdomain policies to existing and non-existing domains. In our case 
for the gov.uk PSD we'd like to be able to set a 'reject' policy for 
non-existent subdomains to prevent delivery of email from them whilst not 
interfering with authentication of email for the legitimate subdomains.

Why? Well, whilst we have a programme of work to get domain owners under gov.uk 
to implement DMARC and other standards, it will take some of them time, and we 
don't want to inadvertently break mail delivery for the organisations that have 
e.g. implemented SPF but not DMARC. But on the flipside, we also know that 
non-existent domains under gov.uk are being spoofed for phishing, so we want to 
publish a policy of 'reject' on those and receive reporting about them.

What would be the best way to incorporate this requirement?

Thanks in advance


Richard Crowther, NCSC

This information is exempt under the Freedom of Information Act 2000 (FOIA) and 
may be exempt under other UK information legislation. Refer any FOIA queries to 
[email protected]
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
