On Fri 18/Feb/2022 23:47:18 +0100 John Levine wrote:
It appears that Alessandro Vesely <[email protected]> said:
If they have MX and non-trivial SPF records, they probably are using the domain
to send and receive mail. Yet, they also host independent subdomains. IMHO,
we should treat [email protected] as a regular domain, without the limitations we
apply to PSDs. At the same time we should allow cust.us.com to claim
independence from us.com, as far as DMARC is involved.
So far so good.
We need to allow org=y.
If you mean we can allow DMARC records to contain org=y which evaluators ignore,
sure. Otherwise no, it's painfully not backward compatible.
Non-upgraded DMARC filters will ignore those (and use just the PSL). Upgraded
filters can use the flags, and obtain more accurate results.
As a DMARC filter developer, I'd be rather skeptical of modifying working code
to introduce oversimplifications. However, I could take a look at the domains
between the From: domain and its PSD, in order to gain accuracy.
If DMARC is successful —I mean rising to some two-digit percentage— those
flags could be used to update the PSL.
In the quoted scenario, assuming "something" is a DMARC record without flags, a
tree walk delivers us.com as the org domain. To avoid BEC, there must be a
transition period during which mail filters check the PSL in such cases; that
is, in the absence of flags.
Um, surely you've been around long enough to know that "transition period"
means "forever".
Yes, if the PSL lasts forever.
Just treat the first DMARC record you find in an upward walk as an org. It
seems to me that will get the desired result at least as often as the PSL does,
and does not require an incompatible flag or a forever period.
To me, it seems you get the right result more often if you take the last
(topmost) DMARC record found. Didn't we have some numbers on that?
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
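The disagreement in the thread is about which record a tree walk should take as the organizational domain: the first DMARC record found walking upward from the From: domain, the topmost one, or the PSL lookup of RFC 7489. The script below is an added example, not code from the thread or from either participant's filter, that runs the three methods side by side over a constructed in-memory DNS and a constructed PSL subset (no wildcard or exception rules). The "org=y" tag is the flag proposed in the thread and is not an RFC 7489 tag; the "flag+psl" variant honours it and otherwise falls back to the PSL, as the "transition period" paragraph describes. All domains and records are made up for illustration.

```python
"""Compare ways of picking the DMARC organizational domain for a From:
domain: RFC 7489 PSL lookup, a tree walk taking the first DMARC record
found going upward, a tree walk taking the topmost one, and an
"upgraded filter" honouring the thread's proposed org=y flag with a
PSL fallback.  DNS data and PSL subset are constructed, not real."""

from typing import Dict, List, Optional

# Constructed stand-in for DNS: _dmarc.<name> TXT records.
# "org=y" is the flag proposed in the thread, not an RFC 7489 tag.
DNS_TXT = {
    "_dmarc.us.com": "v=DMARC1; p=none",
    "_dmarc.cust.us.com": "v=DMARC1; p=reject; org=y",
    "_dmarc.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.mail.example.com": "v=DMARC1; p=none",
    "_dmarc.example.co.uk": "v=DMARC1; p=reject",
}

# Constructed subset of the Public Suffix List (no wildcards/exceptions).
PSL = {"com", "uk", "co.uk", "us.com"}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record into a tag=value dict (tags lower-cased)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(domain: str) -> Optional[Dict[str, str]]:
    """Resolve _dmarc.<domain> against the constructed DNS table."""
    txt = DNS_TXT.get("_dmarc." + domain)
    return parse_dmarc(txt) if txt else None


def ancestors(domain: str) -> List[str]:
    """The domain itself and its parents, stopping short of the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def org_domain_psl(domain: str, psl=PSL) -> Optional[str]:
    """RFC 7489 style: one label below the longest matching public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            # A domain that is itself a public suffix has no org domain.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def org_domain_tree_walk(domain: str, take: str = "first") -> Optional[str]:
    """Tree walk: take the first (lowest) or the topmost DMARC record found."""
    found = [name for name in ancestors(domain) if lookup(name)]
    if not found:
        return None
    return found[0] if take == "first" else found[-1]


def org_domain_flagged(domain: str) -> Optional[str]:
    """Upgraded filter from the thread: honour org=y if any ancestor sets
    it; in the absence of flags, consult the PSL (the transition rule)."""
    for name in ancestors(domain):
        rec = lookup(name)
        if rec and rec.get("org", "").lower() == "y":
            return name
    return org_domain_psl(domain)


def compare(domain: str) -> Dict[str, Optional[str]]:
    """Run all four methods on one From: domain."""
    return {
        "psl": org_domain_psl(domain),
        "first": org_domain_tree_walk(domain, "first"),
        "topmost": org_domain_tree_walk(domain, "topmost"),
        "flag+psl": org_domain_flagged(domain),
    }


if __name__ == "__main__":
    for d in ("sub.cust.us.com", "news.mail.example.com",
              "www.example.co.uk", "bounce.example.com"):
        print(d, compare(d))
```

On the constructed data the two tree-walk variants disagree in opposite directions: for sub.cust.us.com the topmost record lands on us.com, the PSD the thread wants to keep cust.us.com independent from, while for news.mail.example.com the first record stops at mail.example.com and never reaches the policy published at example.com. The flag-plus-PSL variant agrees with the PSL in both cases, which is the transition behaviour the thread argues for until the PSL can be retired.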