On Tue, 25 Jan 2022, Dotzero wrote:
> > If they are cousin domains, walk up the tree from each until you find a
> > policy record. If you find the same policy record and it's not a PSD and
> > it allows relaxed alignment, they're in relaxed alignment. If you find
> > different records, or only one record, or no records, they aren't.
>
> I think a better term is sibling domains. The phrase "cousin domains" has
> typically been used for look-alike domains rather than the subdomain issue.

Agreed, sibling is better, although of course they could be great-aunts,
too.

> It actually does allow malicious, not accidental, alignment. I'm done
> reminding. This allows an attack vector which can be useful for BEC
> attacks, hostile governments targeting NGOs, journalists, etc. and other
> targeted attacks.

I don't have strong opinions about whether to continue to allow great-aunt
alignment other than to note this is such a well known problem that it is
exactly the problem the PSL was invented to address, and we can argue
about how well the PSL and other widely available mitigation techniques
work and how reasonable it is to expect people to use them.

Do we have any stats on how often real mail depends on sibling alignment?
If nobody actually uses it, the spec would be simpler if we could take it
out.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
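The tree-walk rule quoted at the top of the message, as an added example that is not part of the thread or of any DMARC implementation; DNS is replaced by a constructed table of `_dmarc` records, and the function names are assumptions.

```python
# Added example: evaluate the proposed "walk up until you find a policy record"
# rule for two domains. Real DNS lookups are replaced by a constructed table so
# the check runs offline; DMARC/PSD tag names (p, psd, adkim) are the real ones.

from typing import Optional, Tuple

# Constructed sample zone for illustration: name -> DMARC record text.
DMARC_RECORDS = {
    "_dmarc.example": "v=DMARC1; p=none; psd=y",          # PSD record (TLD-like)
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r",   # relaxed DKIM alignment
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s", # strict DKIM alignment
}

def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags

def find_policy(domain: str) -> Optional[str]:
    """Walk up from `domain` and return the name of the first _dmarc record found."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_dmarc." + ".".join(labels[i:])
        if name in DMARC_RECORDS:
            return name
    return None

def sibling_aligned(d1: str, d2: str, mode: str = "adkim") -> Tuple[bool, str]:
    """Same policy record, not a PSD, and relaxed alignment allowed => aligned."""
    r1, r2 = find_policy(d1), find_policy(d2)
    if r1 is None or r2 is None:
        return False, "no policy record for at least one domain"
    if r1 != r2:
        return False, f"different policy records: {r1} vs {r2}"
    tags = parse_tags(DMARC_RECORDS[r1])
    if tags.get("psd") == "y":
        return False, f"shared record {r1} is a PSD record"
    if tags.get(mode, "r") != "r":      # RFC 7489 default is relaxed
        return False, f"{r1} requires strict {mode} alignment"
    return True, f"both descend from {r1} (relaxed alignment)"

if __name__ == "__main__":
    print(sibling_aligned("mail.example.com", "news.example.com"))
    print(sibling_aligned("a.example", "b.example"))  # refused: shared record is a PSD
```

The PSD case is the one the thread worries about: without the `psd=y` check, two unrelated registrants under the same public suffix would be treated as aligned.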