On Thu 17/Feb/2022 20:17:30 +0100 John R Levine wrote:
> I took another look at Scott's original message, and now I'm trying to figure
> out if there are situations where an upward vs downward tree walk will make a
> significant difference and the downward walk is a surprise.
>
> Consider the domain us.com which acts as a pseudo-registry, and say we have
> these records for their customer cust.us.com
>
>   _dmarc.com                NXDOMAIN
>   _dmarc.us.com             something (it has an MX)
>   _dmarc.cust.us.com        something (it also has an MX)
>   _dmarc.sales.cust.us.com  NXDOMAIN
>
> They send a message from sales.cust.us.com. If you believe the PSL, the org
> domain is cust.us.com. If you do an upward tree walk, the first DMARC record
> is cust.us.com. If you do a downward tree walk, ???
>
> I suppose _dmarc.us.com should have psd=y but it's also a domain that sends and
> receives mail. This sort of ambiguity is surprisingly common.
If they have MX and non-trivial SPF records, they probably are using the domain
to send and receive mail. Yet, they also host independent subdomains. IMHO,
we should treat [email protected] as a regular domain, without the limitations we
apply to PSDs. At the same time we should allow cust.us.com to claim
independence from us.com, as far as DMARC is involved. We need to allow org=y.
Note that this is a point where we can do better than relying on the PSL. RFC
7489 proposed to use heuristics /in the absence of more accurate methods/.
After years of experience, can we propose a new method which can be more
accurate? Accuracy comes from publishing DMARC records with psd/org/sub flags.
In the quoted scenario, assuming "something" is a DMARC record without flags, a
tree walk delivers us.com as the org domain. To avoid BEC, there must be a
transition period during which mail filters check the PSL in such cases; that
is, in the absence of flags.
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
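Worked illustration of the disagreement discussed in the thread, added here as an example; it is not code from the thread, from the DMARCbis draft, or from any DMARC implementation. The zone and the two-entry stand-in for the Public Suffix List are constructed to match John Levine's scenario, and the flag handling (psd=y, psd=n, and the org=y flag Ale proposes) is a simplified reading of the discussion, not a spec-exact algorithm. It shows the three results the messages above talk past each other on: the policy record an upward walk finds first (cust.us.com), the organizational domain an unflagged tree walk yields (us.com), and the PSL answer (cust.us.com), plus the transition rule of falling back to the PSL when no record carries a flag.

```python
"""DMARC organizational-domain discovery: PSL lookup vs. upward tree walk.

Constructed example.  ZONE maps _dmarc.<name> to its TXT record; None
stands for NXDOMAIN.  PSL is a two-entry stand-in (us.com is a private
section entry in the real list).  Flag semantics are an assumption.
"""
from __future__ import annotations

from typing import Optional

# Constructed zone matching the scenario in the thread.
ZONE: dict[str, Optional[str]] = {
    "_dmarc.com": None,
    "_dmarc.us.com": "v=DMARC1; p=reject",
    "_dmarc.cust.us.com": "v=DMARC1; p=quarantine",
    "_dmarc.sales.cust.us.com": None,
}
# Variant: the pseudo-registry marks itself as a PSD.
ZONE_PSD = {**ZONE, "_dmarc.us.com": "v=DMARC1; p=reject; psd=y"}
# Variant: the customer claims independence with Ale's proposed org=y flag.
ZONE_ORG = {**ZONE, "_dmarc.cust.us.com": "v=DMARC1; p=quarantine; org=y"}

PSL = {"com", "us.com"}  # constructed stand-in for the Public Suffix List


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def psl_org_domain(domain: str, psl: set[str] = PSL) -> str:
    """RFC 7489 heuristic: longest matching public suffix plus one label."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def tree_walk(domain: str, zone: dict[str, Optional[str]] = ZONE) -> list[tuple[str, dict[str, str]]]:
    """Query _dmarc.<name> from the From domain up to the TLD.

    Returns (name, parsed record) pairs, longest name first, keeping only
    records that are actually DMARC records (v=DMARC1).
    """
    labels = domain.lower().split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        txt = zone.get("_dmarc." + name)
        if txt is not None:
            rec = parse_dmarc(txt)
            if rec.get("v") == "DMARC1":
                found.append((name, rec))
    return found


def policy_domain(domain: str, zone: dict[str, Optional[str]] = ZONE) -> Optional[str]:
    """The record that governs the message: the first hit walking upward."""
    found = tree_walk(domain, zone)
    return found[0][0] if found else None


def org_domain_from_walk(domain: str, zone: dict[str, Optional[str]] = ZONE) -> Optional[str]:
    """Organizational domain from the walk alone (assumed tie-break order).

    1. longest name whose record says psd=n or org=y (explicit org claim);
    2. otherwise one label below the shortest record that says psd=y;
    3. otherwise, with no flags at all, the shortest name that has a record.
    """
    found = tree_walk(domain, zone)
    if not found:
        return None
    for name, rec in found:
        if rec.get("psd") == "n" or rec.get("org") == "y":
            return name
    labels = domain.lower().split(".")
    for name, rec in reversed(found):
        if rec.get("psd") == "y":
            depth = len(name.split("."))
            return ".".join(labels[-(depth + 1):]) if len(labels) > depth else domain
    return found[-1][0]


def transition_org_domain(domain: str, zone: dict[str, Optional[str]] = ZONE) -> tuple[Optional[str], str]:
    """Ale's transition rule: trust the walk only once some record carries a flag."""
    found = tree_walk(domain, zone)
    flagged = any("psd" in rec or "org" in rec for _, rec in found)
    if flagged:
        return org_domain_from_walk(domain, zone), "tree-walk"
    return psl_org_domain(domain), "psl"


if __name__ == "__main__":
    d = "sales.cust.us.com"
    print("policy record :", policy_domain(d))
    print("PSL org       :", psl_org_domain(d))
    print("walk, no flags:", org_domain_from_walk(d, ZONE))
    print("walk, psd=y   :", org_domain_from_walk(d, ZONE_PSD))
    print("walk, org=y   :", org_domain_from_walk(d, ZONE_ORG))
    print("transition    :", transition_org_domain(d, ZONE))
```

Running it shows why the unflagged case matters for BEC: with both `something` records unflagged, the walk attributes sales.cust.us.com to us.com, so an alignment check would treat every other customer of the pseudo-registry as the same organization; either flag (psd=y on the registry or org=y on the customer) restores the cust.us.com boundary, and the transition rule keeps the PSL answer until one of them is published.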