On Fri, Dec 17, 2021 at 6:56 PM Douglas Foster <dougfoster.emailstanda...@gmail.com> wrote:

> That is not my position, and I don't know how you drew that
> conclusion from those words.
>

Then my mistake.

>
> I do take the position that DMARC PASS means "This name correctly
> represents the stated domain", and NP=TRUE means "This name cannot
> represent the stated domain because the domain owner never uses that
> name".   I am willing to say that if NP=TRUE produces an accurate result, I
> will block the message and I can see no reason why anyone else would do
> otherwise.
>
> DMARC FAIL is an ambiguous result, which was your point.  DMARC PASS is
> not ambiguous.   NP=TRUE should be ambiguous if at all possible, otherwise
> it adds no value.
>
> But back to the actual topic:
> - Do you believe the NP test can be useful?  If so, for what purpose?
> - What is the optimal test to evaluate NP?  How did you reach that
> conclusion?
>
>
I see the NP tag being useful for mid-to-large organizations that have a
regular amount of organizational change (mergers, acquisitions, etc.).
A large, mostly static organization will not deploy the np tag, because "p
== sp", where the domain tag = the subdomain tag.
Larger organizations deploying DMARC usually run into the problem of not
knowing all the mail flows from all the change, and they end up
with "p != sp" for some period of time.  In these cases, np is really
useful in preventing attack vectors using subdomains (log4j.example.com)
from being used.

I am sure there are folks who track DMARC record changes over time, but
back in mid-2020 I pulled a bunch of DMARC records from the Alexa top 10K
and noticed the number of domains where "p != sp".  Doing a quick pull of
those domains and checking them now, I see a number of them show "p == sp",
which means they feel they have a better understanding of their mail
flows.

I worked for a large organization which had to set "p != sp" for a period
of time as they understood things better. They are now a "p == sp"
organization, which is good. But I am sure the added bonus of blocking
invalid subdomains during that migration period would have
made folks feel better.

(the other use case for the np tag is around TLDs and also the SLDs like
co.uk, and Scott is all over that).


tim
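
As an added illustration of the "p != sp" migration case described in the message above (example code written for this page, not code from the thread or from any DMARC implementation), here is how a receiver would resolve the policy it applies to an existing subdomain versus a non-existent one once np is present. The DMARC record, the host names and the resolver stub are constructed for the demo.

```python
# Added example: which DMARC policy a receiver applies to the RFC5322.From
# domain when the organizational domain publishes p, sp and np.
# The record, names and "resolver" below are constructed for illustration.

# Constructed stand-in for DNS: names under example.com that resolve.
# Real receivers check for A/AAAA/MX records; anything else is "non-existent".
EXISTING_NAMES = {"example.com", "mail.example.com", "newsletter.example.com"}


def name_exists(fqdn: str) -> bool:
    """Assumed resolver stub: True unless the name would be NXDOMAIN."""
    return fqdn in EXISTING_NAMES


def parse_dmarc(record: str) -> dict:
    """Parse a 'tag=value; tag=value' record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def effective_policy(from_domain: str, org_domain: str, record: str) -> str:
    """Policy applied to a message whose From domain failed DMARC alignment.

    - from_domain == org_domain          -> p
    - existing subdomain                 -> sp, defaulting to p
    - non-existent subdomain (NXDOMAIN)  -> np, defaulting to sp, then p
    """
    tags = parse_dmarc(record)
    p = tags.get("p", "none")
    if from_domain == org_domain:
        return p
    sp = tags.get("sp", p)
    if name_exists(from_domain):
        return sp
    return tags.get("np", sp)


# A migrating organization: p tightened, sp relaxed while mail flows are still
# being discovered, and np used to shut the door on names never deployed.
RECORD = "v=DMARC1; p=reject; sp=none; np=reject; rua=mailto:dmarc@example.com"


def demo() -> dict:
    names = ("example.com", "newsletter.example.com", "log4j.example.com")
    return {n: effective_policy(n, "example.com", RECORD) for n in names}


if __name__ == "__main__":
    for domain, policy in demo().items():
        print(f"{domain:26} -> {policy}")
```

With that record, the existing subdomain still gets sp=none, while the name that was never deployed is rejected, which is the migration-period benefit the message describes.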

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
