It appears that Scott Kitterman <[email protected]> said:
>For a 'normal' domain/sub-domain like eml.example.com where the domain has a
>DMARC policy, every single implementation approach gives the
>same answer, so it doesn't matter. The challenge is getting all the other
>cases right.
>
>Until we understand what we want, overall, selecting a specific design to
>achieve that goal is premature. Both of those approaches will
>give a wrong answer (at least as I'd define it) for less usual cases.

Yup. I think I was the first person to propose a tree-walk, so here is
roughly what I was thinking:

The problem with organizational domain is that it is ill-defined. It
waves its hands and says to use something like the PSL, and in practice
everyone uses the PSL. But the PSL is a moving target, with entries
added and deleted on a regular basis, so this month's organization
domain may not be the same as last month's.

The advantage of the tree walk is that the DMARC result now depends
entirely on what is in the DNS, not on a volunteer-maintained list whose
volunteers keep reminding us that it's only intended to manage http
cookies.

Todd's stats confirm my intuition that the DNS is pretty flat, and the
amount of mail that comes from addresses with more than, say, four
labels is minuscule. So if you do a four-level tree walk, you will find
all of the DMARC records for all of the real mail.

The question remains what to do about the fake mail with 12-label
domains. My perhaps radical suggestion is to say that if the author
domain does not exist, i.e., you look it up and get NXDOMAIN, then DMARC
does not apply and you do whatever you do to mail with fake addresses.
Or perhaps you only say that if it's NXDOMAIN and has more than four
labels.

That way if you really want to use 12-label addresses, you have to add a
_dmarc record every four levels. Nobody will do that, but nobody sends
mail like that other than to be perverse, so it doesn't matter.

R's,
John
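
The tree walk sketched in the message above, as an added example that is not part of the original post and not any implementation's own code. The resolver stubs, the zone data and the names `tree_walk`, `max_levels` and `nx_min_labels` are assumptions made for illustration, as is reading "four level" as four `_dmarc` lookups starting at the author domain. Both NXDOMAIN variants from the message are covered.

```python
# Constructed zone data for illustration; no real DNS queries are made.
EXISTING = {                      # names that would not return NXDOMAIN
    "example.com", "eml.example.com",
    "a.b.c.d.example.com", "b.c.d.example.com",
    "c.d.example.com", "d.example.com",
}
DMARC_TXT = {"_dmarc.example.com": "v=DMARC1; p=reject"}


def domain_exists(name):
    """Hypothetical resolver stub: False stands in for NXDOMAIN."""
    return name in EXISTING


def lookup_dmarc(name):
    """Hypothetical resolver stub: TXT record at _dmarc.<name>, or None."""
    return DMARC_TXT.get("_dmarc." + name)


def tree_walk(author_domain, max_levels=4, nx_min_labels=None):
    """Return (status, policy_domain, record) for an author domain.

    nx_min_labels=None: any NXDOMAIN author domain is out of scope.
    nx_min_labels=4:    only NXDOMAIN names with more than four labels are.
    """
    name = author_domain.lower().rstrip(".")
    labels = name.split(".")
    if not domain_exists(name):
        if nx_min_labels is None or len(labels) > nx_min_labels:
            return ("dmarc-not-applicable", None, None)
    # Assumption: "four level" means at most four lookups, starting at the
    # author domain itself and dropping one leftmost label per step.
    for i in range(min(max_levels, len(labels))):
        candidate = ".".join(labels[i:])
        record = lookup_dmarc(candidate)
        if record is not None:
            return ("found", candidate, record)
    return ("no-policy-found", None, None)


if __name__ == "__main__":
    fake12 = ".".join(f"l{i}" for i in range(10)) + ".example.com"
    for d in ("eml.example.com", "a.b.c.d.example.com",
              "fake.example.com", fake12):
        print(d, tree_walk(d), tree_walk(d, nx_min_labels=4))
```

The six-label name that does exist gets no policy from `example.com`, which is the "add a _dmarc record every four levels" consequence the message accepts.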
