* Maybe no one would be willing to go with np=reject without being able to confirm there's no good mail doing that.

Exactly this. As we've pushed DMARC across gov.uk we've found all sorts of interesting things in the reporting we get.

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre
[email protected]
Staff Officer: Kate Atkins, [email protected]
Pronouns: he/him

(I work stupid hours and weird times – that doesn't mean you have to. If this arrives outside your normal working hours, don't feel compelled to respond immediately!)

From: dmarc <[email protected]> On Behalf Of Brandon Long
Sent: 12 December 2019 23:38
To: Kurt Andersen (b) <[email protected]>
Cc: IETF DMARC WG <[email protected]>; Scott Kitterman <[email protected]>
Subject: Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

On Wed, Dec 11, 2019 at 7:45 AM Kurt Andersen (b) <[email protected]> wrote:

> On Tue, Dec 10, 2019 at 2:13 PM Brandon Long <[email protected]> wrote:
>
>> On Mon, Dec 9, 2019 at 6:27 PM Kurt Andersen (b) <[email protected]> wrote:
>>
>>> On Mon, Dec 9, 2019 at 4:54 PM Scott Kitterman <[email protected]> wrote:
>>>
>>>> On Monday, December 9, 2019 7:41:27 PM EST Brandon Long wrote:
>>>>
>>>>> I'm sure I probably missed this, but couldn't we avoid this question by just
>>>>> mandating no reporting for non-existing organizational domains? Is that a
>>>>> non-starter?
>>>>
>>>> It's one of the use cases we are trying to cover. I don't know if that makes it a non-starter.
>>>
>>> Unless I'm misunderstanding Brandon's suggestion, it seems like you (Brandon) are asking if doing no reporting on missing org domains solves the scalability problem. *Getting* reports for missing org domains is the main purpose of the PSD proposal so it would render the purpose moot.
>>
>> Hmm, I guess I don't see it that way.
>>
>> Preventing phishing attacks from nonexistent.gov.uk, insomuch as DMARC can be used for such, seems way more important than the reporting. Obviously, getting to p=reject without reporting is more challenging. You can certainly have policy without reporting.
>
> While it is very true that receivers may implement validation and possibly enforcement without reporting, we could solve the use case of phishing from missing org-level domains by the same approach that we can solve it from any missing domain - just don't accept mail from such bogus sources. That does not help the overseers of a domain realm (org-1, aka LPSD) to tackle takedowns or public awareness campaigns against such abuse though.

I mean, that was also true for all DMARC, the point was the owner was asking everyone to do that. If you're saying we should have a different system for trying to get everyone to not accept messages from non-existent domains... ok, but I'm not sure where that would come from.

Maybe no one would be willing to go with np=reject without being able to confirm there's no good mail doing that. That seems more likely to be true for existing large scale branded domains (which I guess gov.uk falls into), whereas setting that policy for the newer branded domains (.google) and multi-organizational (.bank) seems fine without reporting.

Brandon

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to [email protected]. All material is UK Crown Copyright ©
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
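The thread turns on what np=reject at a PSD record does and does not touch. As an added illustration (not code from the thread or from any DMARC implementation), the following receiver-side resolver applies the draft-ietf-dmarc-psd tag precedence (np for non-existent subdomains, else sp, else p) over a constructed in-memory DNS table; all names, records and the PSD registry entry are invented.

```python
# Added example, not part of the thread: how a receiver resolves the effective
# DMARC policy for a From: domain under a PSD record that sets np=reject, using
# the tag precedence from draft-ietf-dmarc-psd (np for non-existent subdomains,
# else sp, else p). DNS is a constructed in-memory table; names are invented.

CONSTRUCTED_DNS = {
    "_dmarc.gov.uk": "v=DMARC1; p=none; sp=none; np=reject",  # no rua=: policy without reporting
    "gov.uk": {"A"},
    "real.gov.uk": {"MX"},
    "_dmarc.real.gov.uk": "v=DMARC1; p=quarantine",
    "unrecorded.gov.uk": {"MX"},           # exists, but publishes no DMARC record
}
PSDS = {"gov.uk"}                          # constructed PSD registry entry

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def domain_exists(name):
    """A name is 'non-existent' for DMARC purposes if it has no A, AAAA or MX."""
    return bool(CONSTRUCTED_DNS.get(name, set()) & {"A", "AAAA", "MX"})

def lookup_chain(from_domain):
    """Names whose _dmarc record is consulted: From: domain, org domain, then PSD."""
    labels = from_domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSDS:
            chain = [".".join(labels[j:]) for j in (0, max(i - 1, 0), i)]
            return list(dict.fromkeys(chain))   # drop duplicates, keep order
    return [from_domain]

def effective_policy(from_domain):
    """Return (record_domain, policy, tag_used) or None when no record applies."""
    for candidate in lookup_chain(from_domain):
        rec = CONSTRUCTED_DNS.get("_dmarc." + candidate)
        if not rec:
            continue
        tags = parse_dmarc(rec)
        if candidate == from_domain:
            return candidate, tags.get("p", "none"), "p"
        if not domain_exists(from_domain) and "np" in tags:
            return candidate, tags["np"], "np"
        if "sp" in tags:
            return candidate, tags["sp"], "sp"
        return candidate, tags.get("p", "none"), "p"
    return None
```

With this table, mail from nonexistent.gov.uk resolves to reject via np, while an existing but unrecorded.gov.uk still falls to sp=none, which is the separation the thread's np=reject question relies on.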
