On Tue, Dec 1, 2020 at 5:44 PM Joseph Brennan <[email protected]> wrote:
> I want to ask again why DMARC should consider any domain other than > the one in the Header From. The purpose of DMARC should be stated > right at the top of the proposed standard. It is intended to control > use of a domain in the Header From. If the Header From has > [email protected], the DMARC record for _dmarc.example.com should > apply. > > It does not make sense to me to say that if the Header From is > [email protected], and there is no _dmarc.alpha.example.com > record, then recipient systems should continue to look for > _dmarc.example.com and apply the dmarc rule there. I know of no other > standard that requires this type of relationship. This is something > new. It will require administrators to continually check what their > sub- and supra-domains are doing in order to escape interference by > DMARC records they did not create. I think this is unreasonable. Only > domains interested in applying DMARC should be involved with DMARC. > Others should be able to do what they want. I know that otherwise will > out rule out DMARC for the "columbia.edu" domain that I administer. > If DMARC is thus constrained and you have a "p=reject" on "columbia.edu" only, then nothing stops me from generating unauthenticated email with a >From field indicating "foobar.columbia.edu" for any subdomain "foobar", whether or not it actually exists in the DNS. -MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
