On Tue, Dec 10, 2019 at 2:13 PM Brandon Long <bl...@google.com> wrote:
>
> On Mon, Dec 9, 2019 at 6:27 PM Kurt Andersen (b) <kb...@drkurt.com> wrote:
>
>> On Mon, Dec 9, 2019 at 4:54 PM Scott Kitterman <skl...@kitterman.com> wrote:
>>
>>> On Monday, December 9, 2019 7:41:27 PM EST Brandon Long wrote:
>>>
>>> > I'm sure I probably missed this, but couldn't we avoid this question by just mandating no reporting for non-existing organizational domains? Is that a non-starter?
>>>
>>> It's one of the use cases we are trying to cover. I don't know if that makes it a non-starter.
>>>
>>
>> Unless I'm misunderstanding Brandon's suggestion, it seems like you (Brandon) are asking if doing no reporting on missing org domains solves the scalability problem. *Getting* reports for missing org domains is the main purpose of the PSD proposal so it would render the purpose moot.
>>
>
> Hmm, I guess I don't see it that way.
>
> Preventing phishing attacks from nonexistent.gov.uk, insomuch as DMARC can be used for such, seems way more important than the reporting. Obviously, getting to p=reject without reporting is more challenging. You can certainly have policy without reporting.
>

While it is very true that receivers may implement validation and possibly enforcement without reporting, we could solve the use case of phishing from missing org-level domains by the same approach that we can solve it from any missing domain - just don't accept mail from such bogus sources. That does not help the overseers of a domain realm (org-1, aka LPSD) to tackle takedowns or public awareness campaigns against such abuse though.

--Kurt
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc