If a.b.example.com is considered aligned with c.example.com under RFC7489,
but will be considered unaligned under DMARCbis, then we have a pretty
significant incompatibility and need to move to DMARCv2.

In the current example of comparing a.b.example.com and c.example.com to
each other:  if there is a shared DMARC policy at example.com, why would we
not consider the two names in alignment?

In the case of organizations that lease subdomains, do both the subdomains
and the parent domain send email and publish DMARC policies?   If so, then
we are back to needing a PSL.

On Sat, Jan 22, 2022 at 9:15 AM Dotzero <[email protected]> wrote:

>
>
> On Sat, Jan 22, 2022 at 6:52 AM Alessandro Vesely <[email protected]> wrote:
>
> <SNIP>
>
>>
>> No, the concept of Organizational Domain is foundational to DMARC.  We cannot
>> overthrow it to spare an extra lookup.  When we talked about tree walk we knew
>> that additional lookups might well have come out.
>>
>> To specify that a.b.example.com and c.example.com are not aligned is wrong.
>>
>
> While this may be your personal opinion, it is not a fact. I have
> previously pointed out that there are organizations that lease/rent or
> otherwise provide subdomains as part of their commercial offerings. Your
> assertion is akin to claiming that tenants in an apartment building are
> family relatives simply because they have the same landlord. We can
> identify a relationship between a.b.example.com and example.com. We can
> also identify a relationship between c.example.com and example.com. In
> both of these cases someone with control over example.com created the DNS
> records that brought the subdomains into existence. We cannot identify a
> meaningful relationship between a.b.example.com and c.example.com because
> we have no way of knowing whether such a relationship exists or if they are
> independent actors.
>
> If we were to accept your argument in favor of this approach it opens up a
> very large attack surface. Attacker finds sites (think blog hosting websites
> for example) where multiple independent parties use subdomains. This would
> be a great approach for targeted attacks against NGOs, Journalists, etc.
>
> Michael Hammer
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>
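
The alignment question debated in this thread, worked through as an added example that is not part of the original messages: relaxed alignment via the RFC 7489 section 3.2 Organizational Domain rule, evaluated against two constructed public-suffix sets. The sets are assumptions (the second one assumes example.com leases subdomains and is therefore listed), and wildcard and exception PSL rules are left out.

```python
# Constructed public-suffix sets for illustration; a real check loads the full PSL.
PSL_DEFAULT = {"com"}
# Assumption: example.com leases subdomains to independent parties and is listed.
PSL_WITH_LESSOR = {"com", "example.com"}


def organizational_domain(name, psl):
    """RFC 7489 section 3.2, simplified: longest matching public suffix
    plus one more label. Wildcard/exception PSL rules are not handled."""
    labels = name.lower().rstrip(".").split(".")
    # Try candidate suffixes from longest to shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            if i == 0:
                # The name is itself a public suffix: it is its own org domain.
                return ".".join(labels)
            return ".".join(labels[i - 1:])
    # No rule matched: the PSL default rule "*" treats the last label as the suffix.
    return ".".join(labels[-2:])


def relaxed_aligned(domain_a, domain_b, psl):
    """Relaxed alignment: both names share one Organizational Domain."""
    return organizational_domain(domain_a, psl) == organizational_domain(domain_b, psl)


if __name__ == "__main__":
    pair = ("a.b.example.com", "c.example.com")
    for label, psl in (("default PSL", PSL_DEFAULT),
                       ("PSL listing example.com", PSL_WITH_LESSOR)):
        orgs = [organizational_domain(d, psl) for d in pair]
        print(f"{label}: org domains {orgs}, aligned={relaxed_aligned(*pair, psl)}")
```

With only `com` listed, both names reduce to example.com and align; once example.com is treated as a public suffix, the tenants reduce to b.example.com and c.example.com and no longer align.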