On Monday, June 10, 2019 8:07:25 AM EDT Richard C wrote:

> Thanks for the question, Seth.
>
> What would be the best way to incorporate this requirement?
>
> The simplest possible way to address this use case is just to make sure those existing but currently non-compliant domains just have a bare p=none record. Then they'll never fall back to the gov.uk record. There's no risk to inadvertently breaking mail here.
>
> Is it remotely realistic for you to offer this guidance? If you're already saying that p=reject is required, how painful is it to advertise that any domain without a DMARC record will get p=reject by default unless it explicitly puts p=none in?
>
> I wish that publishing guidance resulted in swift adoption of it but unfortunately it’s not so simple. We already have guidance published requesting that organisations configure DMARC on their gov.uk domain (starting at ‘none’ and progressing to ‘reject’ as they gain confidence). The problem is we have ~3500 domains in use, many by smaller organisations with limited technical ability. Whilst we’ll continue to work towards helping them all deploy DMARC, realistically there will be a long tail to adoption, hence our interest in support for different policies for the existent and non-existent subdomains in DMARC PSD.
>
> Presumably other PSDs that aren’t brand new will have this problem too? I’m interested to hear whether we’re on our own or not.
As written, DMARC (RFC 7489) has the option to express different policy for subdomains (sp= tag). Perhaps we could address this case in PSD DMARC by leveraging that feature.

PSD DMARC is the first time there is any DMARC related explicit guidance on non-existent sub-domains. If we made it a rule that non-existent sub-domains use the domain level (p=) policy and existent sub-domains use the sub-domain policy (sp=) then I believe the effect you are after is achievable.

Assuming p=reject and sp=none at the PSD level, the result would be:

- existing org domain (or sub) with DMARC record = use org policy
- existing org domain (or sub) with no DMARC record = None policy
- Non-existing org domain (or sub) with DMARC record = Reject policy
- PSD domain = Reject policy

That would be a non-trivial increase in implementation complexity for receivers, so I think we need some discussion about if there is consensus to take this on.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
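The policy resolution rule sketched in the reply above (existent sub-domains inherit the PSD's sp=, non-existent ones inherit the PSD's p=), written out as a receiver-side lookup. This is an added illustration, not code from the thread or from any DMARC implementation. It assumes a constructed in-memory set of published records and a constructed list of which names exist in DNS (a real receiver would query `_dmarc.<domain>` TXT records and treat NXDOMAIN as non-existence), and it treats a non-existent domain as one with no record of its own, so the PSD's p= applies to it. Organisational-domain fallback (sp= if present, otherwise p=) follows RFC 7489 unchanged.

```python
"""Effective DMARC policy under the PSD rule proposed above.

Added example with constructed data; not the thread's or any library's code.
"""

# Constructed sample data. gov.uk is the PSD from the thread; the policy
# values follow the p=reject / sp=none assumption in the reply.
PSD = "gov.uk"

DMARC_RECORDS = {
    "gov.uk": "v=DMARC1; p=reject; sp=none",        # PSD record
    "compliant.gov.uk": "v=DMARC1; p=quarantine",   # org with its own record
    "partial.gov.uk": "v=DMARC1; p=none; sp=reject",  # org with explicit sp=
}

# Names that exist in DNS (constructed). Anything not listed is non-existent.
EXISTING_DOMAINS = {
    "gov.uk", "compliant.gov.uk", "mail.compliant.gov.uk",
    "legacy.gov.uk", "partial.gov.uk", "sub.partial.gov.uk",
}


def parse_dmarc(record):
    """Minimal 'tag=value; tag=value' parser; lower-cases tags and values."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def lookup_record(domain):
    """Stand-in for the _dmarc.<domain> TXT lookup (constructed data)."""
    record = DMARC_RECORDS.get(domain)
    return parse_dmarc(record) if record else None


def domain_exists(domain):
    """Stand-in for an NXDOMAIN check (constructed data)."""
    return domain in EXISTING_DOMAINS


def org_domain(domain):
    """Organisational domain = first label below the PSD.

    mail.compliant.gov.uk -> compliant.gov.uk; returns None for the PSD itself
    or for names outside it.
    """
    if domain == PSD or not domain.endswith("." + PSD):
        return None
    labels = domain[: -len(PSD) - 1].split(".")
    return labels[-1] + "." + PSD


def effective_policy(domain):
    """Return (policy, source) for `domain`.

    1. The domain's own record: use its p=.
    2. Otherwise the org domain's record: sp= if present, else p= (RFC 7489).
    3. Otherwise the PSD record: sp= if the domain exists, p= if it does not
       (the split proposed in the thread).
    """
    own = lookup_record(domain)
    if own:
        return own.get("p", "none"), domain

    org = org_domain(domain)
    if org and org != domain:
        org_rec = lookup_record(org)
        if org_rec:
            return org_rec.get("sp", org_rec.get("p", "none")), org

    psd_rec = lookup_record(PSD)
    if psd_rec is None:
        return "none", None
    if domain_exists(domain):
        return psd_rec.get("sp", psd_rec.get("p", "none")), PSD + " (sp)"
    return psd_rec.get("p", "none"), PSD + " (p)"


if __name__ == "__main__":
    for name in ("gov.uk", "compliant.gov.uk", "mail.compliant.gov.uk",
                 "sub.partial.gov.uk", "legacy.gov.uk",
                 "nonexistent.gov.uk", "x.legacy.gov.uk"):
        policy, source = effective_policy(name)
        print(f"{name:28} -> {policy:10} (from {source})")
```

The interesting rows are `legacy.gov.uk` (exists, no record of its own, so it lands on the PSD's sp=none and mail keeps flowing) and `nonexistent.gov.uk` (no such name, so it lands on the PSD's p=reject). The extra complexity the reply warns about is visible in step 3: the receiver now needs an existence check it did not need before.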
