On Tue, Dec 10, 2019 at 2:13 PM Brandon Long <[email protected]> wrote:
> On Mon, Dec 9, 2019 at 6:27 PM Kurt Andersen (b) <[email protected]> wrote:
>
>> On Mon, Dec 9, 2019 at 4:54 PM Scott Kitterman <[email protected]> wrote:
>>
>>> On Monday, December 9, 2019 7:41:27 PM EST Brandon Long wrote:
>>>
>>>> I'm sure I probably missed this, but couldn't we avoid this question
>>>> by just mandating no reporting for non-existing organizational domains? Is
>>>> that a non-starter?
>>>
>>> It's one of the use cases we are trying to cover. I don't know if that
>>> makes it a non-starter.
>>>
>>
>> Unless I'm misunderstanding Brandon's suggestion, it seems like you
>> (Brandon) are asking if doing no reporting on missing org domains solves
>> the scalability problem. *Getting* reports for missing org domains is the
>> main purpose of the PSD proposal so it would render the purpose moot.
>>
>
> Hmm, I guess I don't see it that way.
>
> Preventing phishing attacks from nonexistent.gov.uk, insomuch as DMARC
> can be used for such, seems way more important than the reporting.
> Obviously, getting to p=reject without reporting is more challenging. You
> can certainly have policy without reporting.
>

While it is very true that receivers may implement validation and possibly
enforcement without reporting, we could solve the use case of phishing from
missing org-level domains by the same approach that we can solve it from any
missing domain - just don't accept mail from such bogus sources. That does
not help the overseers of a domain realm (org-1, aka LPSD) to tackle
takedowns or public awareness campaigns against such abuse though.

--Kurt
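Added example, not part of the thread and not code from any DMARC implementation: a Python model of the two receiver behaviours being compared above. It runs the DMARC policy lookup chain (From domain, then organizational domain, then the public suffix domain when that PSD has opted in, with the PSD-DMARC "np" tag for non-existent subdomains) and, beside it, Kurt's simpler rule of rejecting mail from a From domain that does not exist at all. The public-suffix table, the PSD participant list, the DNS records and all domain names are constructed for the example; "gov.example" stands in for a realm like gov.uk, and nothing is resolved against live DNS or the real Public Suffix List.

```python
"""Model of DMARC policy discovery with a PSD fallback (constructed example).

Lookup order modelled here (the PSD DMARC approach the thread refers to):
  1. _dmarc.<From domain>
  2. _dmarc.<organizational domain>
  3. _dmarc.<public suffix domain>, only if that PSD participates in PSD DMARC
A domain with no A, AAAA or MX records is treated as non-existent, and a
policy's "np" tag (if present) applies to such subdomains; otherwise "sp"
applies to subdomains and "p" to the domain itself.
"""
from typing import Optional, Tuple

# Constructed stand-ins for the Public Suffix List and the PSD registry.
PUBLIC_SUFFIXES = {"example", "gov.example", "co.example"}
PSD_PARTICIPANTS = {"gov.example"}

# Constructed DNS data: DMARC TXT records, and which names carry A/AAAA/MX.
TXT_RECORDS = {
    "_dmarc.gov.example": "v=DMARC1; p=reject; np=reject; rua=mailto:dmarc@reports.example",
    "_dmarc.example.gov.example": "v=DMARC1; p=quarantine; sp=none",
    "_dmarc.example.co.example": "v=DMARC1; p=none",
}
ADDRESS_RECORDS = {
    "example.gov.example": {"MX"},
    "mail.example.gov.example": {"A"},
    "example.co.example": {"A", "MX"},
}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict; None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def organizational_domain(domain: str) -> str:
    """Longest matching public suffix plus one label (the domain itself if
    no suffix matches or the domain is itself a public suffix)."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def domain_exists(name: str) -> bool:
    """Constructed existence test: any A, AAAA or MX record at the name."""
    return bool(ADDRESS_RECORDS.get(name.lower(), set()) & {"A", "AAAA", "MX"})


def discover_policy(from_domain: str) -> Optional[Tuple[str, dict]]:
    """Return (name the policy was found at, parsed tags), or None."""
    from_domain = from_domain.lower()
    org = organizational_domain(from_domain)
    candidates = [from_domain] + ([org] if org != from_domain else [])
    psd = org.split(".", 1)[1] if "." in org else None
    if psd in PSD_PARTICIPANTS:
        candidates.append(psd)
    for name in candidates:
        record = TXT_RECORDS.get("_dmarc." + name)
        tags = parse_dmarc(record) if record else None
        if tags:
            return name, tags
    return None


def disposition(from_domain: str) -> Optional[Tuple[str, str]]:
    """Policy source and requested action (p / sp / np) for a From domain."""
    found = discover_policy(from_domain)
    if found is None:
        return None
    source, tags = found
    if source == from_domain.lower():
        return source, tags["p"]
    if not domain_exists(from_domain) and "np" in tags:
        return source, tags["np"]
    return source, tags.get("sp", tags["p"])


def receiver_verdict(from_domain: str, reject_nonexistent: bool = False) -> Optional[Tuple[str, str]]:
    """Kurt's alternative: refuse mail from a From domain that does not exist
    at all, before any DMARC lookup; otherwise fall back to DMARC policy."""
    if reject_nonexistent and not domain_exists(from_domain):
        return "nxdomain", "reject"
    return disposition(from_domain)


if __name__ == "__main__":
    for d in ("nonexistent.gov.example", "mail.example.gov.example",
              "bogus.example.gov.example", "nonexistent.co.example"):
        print(f"{d:28} dmarc={disposition(d)}  "
              f"reject-nonexistent={receiver_verdict(d, reject_nonexistent=True)}")
```

The two last rows of the printed table make the trade-off in the thread concrete: nonexistent.co.example is caught by the existence check alone, but no PSD policy is found for it, so nobody at the co.example level learns it was abused; nonexistent.gov.example is caught either way, and the PSD lookup is what tells the gov.example overseer where to send the report.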
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
