It appears that Scott Kitterman <[email protected]> quoted:
>> - If there's evidence of intent, then the argument is "The
>> definition of alignment needs to change, because the current
>> definition isn't what the authors intended and it exposes domains to
>> security/abuse risks."
>> - If not, then the argument is "The definition of alignment needs
>> to change, because the current definition exposes domains to
>> security/abuse risks."
On the one hand, Mike points out that there are what used to be called domain parks, and their operators and customers don't appreciate the security risks of one customer impersonating another. On the other hand, Laura points out that there are real mailers that authenticate with sibling domains, and there is currently no easy technical way to tell the difference. In principle domain parks can list themselves in the PSL; in practice most don't.

My opinion is that while the risk of impersonation via DMARC is real, other kinds of impersonation are worse, notably web cookie stealing, and if they can live with the web problems, they can live with the DMARC problems.

Also, if we go to a tree walk with a psd=y flag, the cost to the domain park of identifying itself with a DMARC record is about as low as possible, way easier than petitioning the PSL, which they still have to do if they have cookies.

R's,
John
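The trade-off John describes, as an added illustration that is not code from the dmarc working group, the DMARCbis draft, or anyone on the thread: two customers under a domain park either do or do not pass relaxed DMARC alignment against each other, depending on whether the park publishes a psd=y record (or, the older route, a PSL entry). The tree walk below is a deliberately reduced model of the DMARCbis DNS Tree Walk, stated as an assumption: it ignores the label-count cap and the psd=n tag and only looks for psd=y at an ancestor; DNS is replaced by a constructed ZONE dict, and the PSL by a constructed one-entry set.

```python
"""Added illustration of how a domain park's psd=y DMARC record (or a PSL
entry) moves the Organizational Domain boundary and so changes relaxed
DMARC alignment. Not code from the dmarc WG or the DMARCbis draft.

Assumptions, labelled as such:
- organizational_domain_treewalk() is a simplified model of the DMARCbis
  DNS Tree Walk: no label-count cap, no psd=n handling, only psd=y at an
  ancestor is considered; with no psd=y anywhere it picks the shortest
  name on the walk path that publishes a record;
- ZONE and PSL are constructed sample data, not live DNS or the real PSL.
"""
from typing import Dict, List, Optional

# Constructed zone data: owner name -> contents of its _dmarc TXT record.
ZONE: Dict[str, str] = {
    "park.example": "v=DMARC1; p=none; psd=y",   # domain park that opted in
    "park2.example": "v=DMARC1; p=none",         # domain park that did not
    "mailer.example": "v=DMARC1; p=reject",      # real mailer, one organization
}

# Constructed PSL fragment: the second park went through the PSL instead.
PSL = {"park2.example"}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'v=DMARC1; p=none; psd=y' into {'v': 'DMARC1', 'p': 'none', 'psd': 'y'}."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def ancestors(domain: str) -> List[str]:
    """Walk path from the domain itself up to the TLD:
    a.b.example -> ['a.b.example', 'b.example', 'example']."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(name: str, zone: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Stand-in for the _dmarc.<name> TXT query against the constructed zone."""
    txt = zone.get(name)
    return parse_dmarc(txt) if txt else None


def organizational_domain_treewalk(domain: str, zone: Dict[str, str]) -> str:
    """Simplified tree walk (assumption, see module docstring)."""
    path = ancestors(domain)
    records = [lookup(name, zone) for name in path]
    # A PSD that sends its own mail is its own Organizational Domain.
    if records[0] and records[0].get("psd") == "y":
        return path[0]
    # Nearest ancestor with psd=y: the boundary is one label below it,
    # so every customer of the park becomes its own organization.
    for i in range(1, len(path)):
        if records[i] and records[i].get("psd") == "y":
            return path[i - 1]
    # No psd=y anywhere: shortest name on the path that publishes a record.
    with_record = [name for name, rec in zip(path, records) if rec]
    return with_record[-1] if with_record else domain


def organizational_domain_psl(domain: str, psl: set) -> str:
    """The older route: one label below the longest public suffix; with no
    PSL match the TLD is assumed to be the public suffix."""
    path = ancestors(domain)
    for i in range(1, len(path)):
        if path[i] in psl:
            return path[i - 1]
    return path[-2] if len(path) >= 2 else domain


def relaxed_aligned(from_domain: str, auth_domain: str, zone: Dict[str, str]) -> bool:
    """Relaxed alignment: the RFC5322.From domain and the SPF/DKIM domain
    share an Organizational Domain."""
    return (organizational_domain_treewalk(from_domain, zone)
            == organizational_domain_treewalk(auth_domain, zone))


if __name__ == "__main__":
    # One park customer's DKIM signature against another's From: domain.
    print("park with psd=y :", relaxed_aligned("alice.park.example", "bob.park.example", ZONE))
    print("park without   :", relaxed_aligned("alice.park2.example", "bob.park2.example", ZONE))
    # Laura's case: a real mailer authenticating with a sibling domain.
    print("sibling mailer :", relaxed_aligned("news.mailer.example", "bounce.mailer.example", ZONE))
```

With psd=y at park.example, alice.park.example and bob.park.example are separate organizational domains and bob's signature does not align with alice's From: domain; at park2.example, which published only p=none, the two customers roll up to the same organizational domain and align, which is the impersonation Mike is worried about, while news.mailer.example and bounce.mailer.example align as Laura's mailers need. The PSL function shows the alternative the park would otherwise have to petition for.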
