Perhaps it's a pointless semantic distinction. I think of DMARC as a mechanism for expressing policy about authentication, not an authentication method.
I still don't understand what you think is unprotected.

Scott K

On October 31, 2021 4:48:10 PM UTC, Douglas Foster <[email protected]> wrote:
>DMARC is an authentication test also. The authentication of the first
>identifier (SPF or DKIM) serves as a proxy to authenticate the second
>identifier (FROM), which is conditioned on a satisfactory relationship
>(equal or aligned) between the two domains.
>
>You began to address the issue in your recent post, which included this:
>
>I think that if we changed the relaxed definition to the same as or a
>sub-domain of the From domain it would avoid potential issues like that
>without practical impact. I don't think I have ever seen legitimate mail
>where Mail From or DKIM signing domain wasn't either the same or a
>sub-domain of From that were in the same org domain.
>
>
>You still need a way to protect the PSL names themselves, and this
>paragraph does not do so.
>
>Exact match to the authenticated domain is always sufficient to
>authenticate the FROM domain.
>
>From a trust standpoint, the greatest trust occurs when the authenticated
>identifier (SPF or DKIM) is the parent of the second identifier (FROM).
>Based on my observed data, I agree that the norm is for FROM to be the
>parent or the equal, rarely the child. I should be able to provide some
>data. I will not have data about cousin relationships (unit1.example.com
>aligned with unit2.example.com).
>
>Doug
>
>On Sun, Oct 31, 2021 at 11:30 AM Scott Kitterman <[email protected]>
>wrote:
>
>> Neither SPF nor DKIM use the PSL, so I still don't understand. What do
>> you mean by "authentication testing"?
>>
>> Scott K
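
Added example, not part of the thread or of any DMARC implementation: a Python sketch that classifies how the authenticated domain (SPF or DKIM) relates to the From domain, and compares relaxed alignment by shared organizational domain with the tightened rule quoted above (same as, or a sub-domain of, the From domain). The public-suffix set, the domain pairs and all function names are constructed for illustration; the org-domain lookup is simplified, and the last pair is one reading of the concern about PSL names.

```python
# Constructed, tiny stand-in for the Public Suffix List (no wildcard/exception rules).
SAMPLE_PSL = {"com", "uk", "co.uk"}

def labels(domain):
    return domain.lower().rstrip(".").split(".")

def org_domain(domain, psl=SAMPLE_PSL):
    """Longest matching public suffix plus one label (simplified).
    Assumption: a name that is itself a public suffix is returned unchanged."""
    parts = labels(domain)
    for i in range(len(parts)):          # longest candidate suffix first
        if ".".join(parts[i:]) in psl:
            return ".".join(parts[max(i - 1, 0):])
    return ".".join(parts)               # no match: the name is its own org domain

def is_subdomain(child, parent):
    c, p = labels(child), labels(parent)
    return len(c) > len(p) and c[-len(p):] == p

def relationship(auth, from_):
    """How the authenticated domain (SPF or DKIM) relates to the From domain."""
    if labels(auth) == labels(from_):
        return "equal"
    if is_subdomain(from_, auth):
        return "auth is parent of From"
    if is_subdomain(auth, from_):
        return "auth is child of From"
    if org_domain(auth) == org_domain(from_):
        return "cousin"
    return "unrelated"

def relaxed_current(auth, from_):
    # Relaxed alignment: both names share one organizational domain.
    return org_domain(auth) == org_domain(from_)

def relaxed_proposed(auth, from_):
    # Rule floated in the thread, taken literally with no PSL check:
    # the authenticated domain is the From domain or a sub-domain of it.
    return relationship(auth, from_) in ("equal", "auth is child of From")

CASES = [  # constructed (authenticated domain, From domain) pairs
    ("example.com", "example.com"),
    ("example.com", "news.example.com"),
    ("bounce.example.com", "example.com"),
    ("unit1.example.com", "unit2.example.com"),
    ("example.co.uk", "co.uk"),  # From is itself a public suffix
]

def compare(cases=CASES):
    return [(a, f, relationship(a, f), relaxed_current(a, f), relaxed_proposed(a, f))
            for a, f in cases]
```

Each row of compare() is (authenticated domain, From domain, relationship, aligned under the current relaxed rule, aligned under the sub-domain rule). The parent and cousin rows pass only the current rule, and the public-suffix row passes only the sub-domain rule.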
