On Tuesday, October 26, 2021 10:09:13 PM EDT John Levine wrote:
> It appears that Scott Kitterman <[email protected]> said:
> >For a 'normal' domain/sub-domain like eml.example.com where the domain has
> >a DMARC policy, every single implementation approach gives the same
> >answer, so it doesn't matter. The challenge is getting all the other
> >cases right.
> >
> >Until we understand what we want, overall, selecting a specific design to
> >achieve that goal is premature. Both of those approaches will give a
> >wrong answer (at least as I'd define it) for less usual cases.
>
> Yup. I think I was the first person to propose a tree-walk, so here is
> roughly what I was thinking:
>
> The problem with organizational domain is that it is ill-defined. It waves
> its hands and says to use something like the PSL, and in practice everyone
> uses the PSL. But the PSL is a moving target, with entries added and
> deleted on a regular basis, so this month's organization domain may not be
> the same as last month's. The advantage of the tree walk is that the DMARC
> result now depends entirely on what is in the DNS, not on a volunteer
> maintained list whose volunteers keep reminding us that it's only intended
> to manage http cookies.
>
> Todd's stats confirm my intuition that the DNS is pretty flat, and the
> amount of mail that comes from addresses with more than, say, four labels is
> minuscule. So if you do a four level tree walk, you will find all of the
> DMARC records for all of the real mail.
>
> The question remains what to do about the fake mail with 12 label domains.
> My perhaps radical suggestion is to say that if the author domain does not
> exist, i.e., you look it up and get NXDOMAIN, then DMARC does not apply and
> you do whatever you do to mail with fake addresses. Or perhaps you only
> say that if it's NXDOMAIN and has more than four labels. That way if you
> really want to use 12 label addresses, you have to add a _dmarc record
> every four levels. Nobody will do that, but nobody sends mail like that
> other than to be perverse, so it doesn't matter.
Thanks. From the bottom up, I think that seems reasonable, but my concern (not surprisingly) is on the other end of the question. Should a policy found at _dmarc.com be treated differently than _dmarc.example.com? If so, then what about _dmarc.gov.uk versus _example.gov.uk and how do we distinguish between the first set and the second?

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
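The following is an added example, not code from the dmarc list thread or from any DMARC implementation. It simulates the tree walk John sketches above (walk up from the author domain a fixed number of levels looking for a _dmarc TXT record, and treat an NXDOMAIN author domain as "DMARC does not apply", optionally only when the name has more than four labels) over a constructed in-memory DNS table. The table contents, the domain names, and the reading of "level" as one name on the path from the author domain towards the root are assumptions. It also makes Scott's question visible: the walk as written will consult _dmarc.com and _dmarc.uk like any other level, and nothing here decides whether a record found there should count.

```python
"""Simulated DMARC tree walk over a constructed, in-memory DNS table.

Added example; not code from the dmarc list or any DMARC implementation.
Everything below (the DNS table, the domain names, the definition of a
"level") is an assumption made to illustrate the proposal in the thread.
"""

from typing import Dict, List, Optional, Tuple

# Constructed DNS table: every name that exists maps to its TXT record, or ""
# when the name exists but carries no TXT record.  Names absent from the
# table are NXDOMAIN.
FAKE_DNS: Dict[str, str] = {
    "com": "",
    "example.com": "",
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "eml.example.com": "",
    "news.eml.example.com": "",
    "uk": "",
    "gov.uk": "",
    "_dmarc.gov.uk": "v=DMARC1; p=none",
    "example.gov.uk": "",
    "_dmarc.example.gov.uk": "v=DMARC1; p=quarantine",
}


def labels(name: str) -> List[str]:
    """Split a domain name into its labels, ignoring a trailing dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def exists(name: str, dns: Dict[str, str]) -> bool:
    """True unless a lookup of the name would return NXDOMAIN."""
    return name.lower().rstrip(".") in dns


def dmarc_txt(name: str, dns: Dict[str, str]) -> Optional[str]:
    """The DMARC TXT record at name, or None if there is none."""
    rec = dns.get(name.lower().rstrip("."), "")
    return rec if rec.startswith("v=DMARC1") else None


def candidates(author_domain: str, max_levels: int = 4) -> List[str]:
    """_dmarc names the walk queries, nearest first, at most max_levels.

    Assumption: a 'level' is one name on the path from the author domain
    towards the root, starting with the author domain itself.  Note that
    the last candidate may be a TLD such as _dmarc.com.
    """
    parts = labels(author_domain)
    return ["_dmarc." + ".".join(parts[i:])
            for i in range(min(max_levels, len(parts)))]


def tree_walk(author_domain: str, dns: Dict[str, str], max_levels: int = 4,
              nx_only_when_deep: bool = False) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (status, policy_domain, record) for an author domain.

    status is one of:
      "not-applicable"  author domain is NXDOMAIN (the proposed rule; with
                        nx_only_when_deep=True only when it also has more
                        than max_levels labels)
      "found"           a _dmarc record was found at policy_domain
      "none"            the walk ran out of levels without a record
    """
    deep = len(labels(author_domain)) > max_levels
    if not exists(author_domain, dns) and (deep or not nx_only_when_deep):
        return ("not-applicable", None, None)
    for name in candidates(author_domain, max_levels):
        rec = dmarc_txt(name, dns)
        if rec is not None:
            return ("found", name[len("_dmarc."):], rec)
    return ("none", None, None)


if __name__ == "__main__":
    for dom in ("news.eml.example.com", "example.gov.uk",
                "bogus.example.com", "a.b.c.d.e.f.g.h.i.j.k.l.example.com"):
        print(dom, "->", tree_walk(dom, FAKE_DNS),
              "| deep-only:", tree_walk(dom, FAKE_DNS, nx_only_when_deep=True))
```

Running the module prints one line per constructed author domain. The two NXDOMAIN variants John offers differ only for short non-existent names such as bogus.example.com: under the plain rule DMARC does not apply, while under the "only when deeper than four labels" rule the walk continues and lands on the policy at example.com.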
