On Tue 01/Feb/2022 00:01:33 +0100 Dotzero wrote:
On Mon, Jan 31, 2022 at 3:51 PM Alessandro Vesely <[email protected]> wrote:

(This message is not going to be accepted by the IETF today, so I CC John too)

Why wouldn't your email be accepted?


I messed around with the DNS and reverse IP wasn't resolving — thanks for asking.


On Sun 30/Jan/2022 05:25:30 +0100 Dave Crocker wrote:
3. The role of the function that uses the PSD and the role of the
function that does a tree walk are identical.  Since you apparently feel
otherwise, please explain.

A PSD is potentially useful for DMARC policy determination if no policy exists
for the exact domain or the organizational domain.  It is not useful for
evaluating relaxed alignment.  Only the organizational domain can be used for
that.  So I do not think you are correct.

The RFC 9091 does not contain the word 'relaxed', so I'm curious about the
basis for your assertion of the limitation.

Let me ask if the following scenario is possible at all:

.BANK admins decide to set up a DKIM signing service for .bank domains.
They register dkim.bank, and accept and relay messages originating from
their customers, signing them with d=dkim.bank.  (Compare to
onmicrosoft.com?)
They may consider that a tangible way to protect .bank domains.

Will that work to validate, say, mail From: [email protected]?

Let's be realistic, any organization providing a DKIM signing service (but
why would banks divert their mail flows to go through such a service?) can
easily sign in an aligned manner for any unique domain. I did this for
multiple domains (about 6,000) with different mail systems at various times
(Ironport, Message Systems, etc). If such a service or system couldn't sign
for unique domains on the fly, it shouldn't be used.


Perhaps it could be a marketing hint, to demarcate (or do you say demark?) all mail from .bank. I don't think it is a good idea, as it would conflate all those banks with one another. I asked the question to see more clearly where the WG stands about ORG vs. PSD differences. As a conclusion, it seems that nobody here thinks PSDs can be used for alignment.

To avoid BEC attacks, it is necessary to distinguish PSDs from ORGs. If there are organizations that lease/rent or otherwise provide subdomains as part of their commercial offerings, they should be categorized as PSDs. This is the duty that the PSL has been involved in. Relying on psd=, a tree walk can work without the PSL if we assume that all PSDs duly set that flag, which is not going to happen.


The reality is that people are trying to jump through all kinds of hoops in
support of a bad idea.


For onmicrosoft.com, it looks as if they believe that the value of a DKIM signature can be recognized even without referring to DMARC.



Best
Ale
--






_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
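
The dkim.bank scenario from the thread, as an added example that is not part of the original messages: a simplified model of a psd=-driven tree walk and the relaxed-alignment check built on it. The selection rules, the function names and the DMARC records are assumptions constructed for illustration; no DNS lookups are made.

```python
# Constructed stand-ins for _dmarc.<domain> TXT records (not real DNS data).
WITH_PSD_FLAG = {
    "bank": "v=DMARC1; p=reject; psd=y",
    "example.bank": "v=DMARC1; p=reject",
    "dkim.bank": "v=DMARC1; p=none",
}
# Same zone, but the PSD operator never published psd=y.
WITHOUT_PSD_FLAG = dict(WITH_PSD_FLAG, bank="v=DMARC1; p=reject")


def psd_tag(record):
    """Return the psd= value of a DMARC record, or 'u' when the tag is absent."""
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key.strip().lower() == "psd":
            return value.strip().lower()
    return "u"


def org_domain(domain, records):
    """Walk from `domain` toward the root and select the organizational domain.

    Assumed rules: psd=n marks the organizational domain; psd=y on a parent
    makes the name one label below it the organizational domain; otherwise
    the record found at the shortest name wins.
    """
    labels = domain.lower().rstrip(".").split(".")
    shortest = None
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        record = records.get(name)
        if record is None:
            continue
        tag = psd_tag(record)
        if tag == "n":
            return name
        if tag == "y" and i > 0:
            return ".".join(labels[i - 1:])
        shortest = name  # names shrink as i grows, so the last hit is shortest
    return shortest or ".".join(labels)


def relaxed_aligned(from_domain, dkim_d, records):
    """Relaxed alignment: both identifiers share one organizational domain."""
    return org_domain(from_domain, records) == org_domain(dkim_d, records)
```

With psd=y published on bank, a d=dkim.bank signature does not align with a From: address at example.bank; without the flag every .bank name collapses into one organizational domain and the same signature aligns.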
