Ale, this response frustrates me. We should be discussing non-existence based on shared data, which is why I asked you to test it with your own data.
I get legitimate non-existent From addresses every day. They are ESP mailings where the SMTP address is the ESP domain and the From address is the client domain. Obviously, legitimate but non-existent means that the FROM address is a subdomain of the organizational domain. The rules for relaxed alignment only require that messages have a DKIM signature from somewhere in the organization. ESP practice seems to only require that the FROM address match the client organization, not that it exactly matches the email account used to establish the account. The theory and the data converge on the same result - the FROM domain does not need to exist.

Organization existence is a different matter. Organizations MUST be registered with a registrar, whether that is a PSO or private registrar. We should not have needed a DMARC policy to enforce this rule, but implementations do need a DMARC infrastructure before they can correctly determine an organizational domain to be tested. So it makes sense for us to document this defense in our group, and it provides a feedback mechanism for registrars.

A third type of non-existence is a non-existent public suffix, which can be detected by a non-existent TLD. A TLD can be tested for existence if it participates in DNSSEC, because the RRSIG records prevent NXDOMAIN. I have asked whether all TLDs currently participate in DNSSEC, but no one has answered and I certainly do not know for sure. Without DNSSEC, we are back to asking whether the TLD is absent from the PSL.
Doug Foster

On Tue, Feb 22, 2022 at 8:06 AM Alessandro Vesely <[email protected]> wrote:

> On Tue 22/Feb/2022 13:09:12 +0100 Douglas Foster wrote:
> > On Tue, Feb 22, 2022 at 3:57 AM Alessandro Vesely <[email protected]> wrote:
> >> On Mon 21/Feb/2022 23:55:56 +0100 Douglas Foster wrote:
> >>> To accurately identify PSD policies, we have two choices:
> >>> - assume that PSDs will add the "psd=y" flag to their policies prior to publication, or
> >>> - declare that the "NP" clause is the PSD indicator, meaning
> >>> (a) it indicates that the first child domain without an NP term is an organizational domain, and that organization must pass an existence test to verify registration.
> >>
> >> I don't see why an org domain, or any domain, cannot specify NP. To me, a non existing From: domain is such an obvious abuse indicator that could have been the default (as it actually has been, IIRC.)
> >
> > Non-existent organizations and non-existent FROM domains are very different tests.
>
> It is the From: domain. It can be nosub.havenbank.bank (whose parent domain exists) or credit-suisse.bank (which doesn't exist). In either case, np= applies.
>
> > Relaxed alignment allows for the FROM domain to be non-existent on legitimate messages, and mailers take advantage of that feature. This distinction was part of my long-running fixation on changing the NP clause of the PSD experiment. I think if you check your message logs, you will be able to confirm this situation.
> >
> > Since the PSD experiment was rolled out without the "psd=y" term, making a clear distinction between NP and NX solves two problems.
>
> That creates a new problem. You'd need to restrict use of NP. Domains that wish to use it, according to rfc9091, could no longer do so.
>
> Best
> Ale
> --
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
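A worked illustration of the three kinds of non-existence the message above keeps apart (a missing From subdomain under an existing organizational domain, an unregistered organizational domain, and a public suffix the PSL does not know), together with the relaxed-alignment rule that makes the first kind legitimate. This is an added example, not code from the dmarc list, from RFC 7489/9091 or from any DMARC implementation. The PSL excerpt, the set of names treated as existing, the `name_exists` stand-in for DNS lookups and the verdict labels are constructed assumptions; havenbank.bank and credit-suisse.bank are the names used in the quoted reply.

```python
"""Separate the three non-existence cases discussed on the dmarc list:
  1. the From domain is missing but its organizational domain exists
     (legitimate under relaxed alignment when an aligned DKIM signature is present),
  2. the organizational domain itself is unregistered,
  3. the public suffix / TLD is unknown to the PSL.
Added example; not code from the list, an RFC, or any DMARC implementation.
All data below is constructed."""

from typing import Callable, List, Optional

# Constructed Public Suffix List excerpt (assumption: these are the only rules).
PSL = {"com", "net", "bank", "uk", "co.uk"}

# Constructed stand-in for DNS: names that resolve. A real evaluator would
# query DNS and treat NXDOMAIN as non-existence. havenbank.bank and
# credit-suisse.bank are the names from the quoted reply; credit-suisse.bank
# is deliberately absent, matching "which doesn't exist".
EXISTING_NAMES = {"example.com", "mail.example.com", "havenbank.bank", "co.uk"}


def _labels(domain: str) -> List[str]:
    return domain.lower().rstrip(".").split(".")


def name_exists(name: str) -> bool:
    return ".".join(_labels(name)) in EXISTING_NAMES


def public_suffix(domain: str) -> Optional[str]:
    """Longest PSL rule that is a suffix of the domain, or None if no rule
    matches (case 3: the TLD is absent from the PSL)."""
    labels = _labels(domain)
    for i in range(len(labels)):   # i=0 is the full name, so the first hit is the longest
        candidate = ".".join(labels[i:])
        if candidate in PSL:
            return candidate
    return None


def organizational_domain(domain: str) -> Optional[str]:
    """Public suffix plus one label, the DMARC organizational-domain rule."""
    suffix = public_suffix(domain)
    if suffix is None:
        return None
    labels = _labels(domain)
    n = len(suffix.split("."))
    if len(labels) <= n:           # the name is itself a public suffix
        return None
    return ".".join(labels[-(n + 1):])


def classify_from_domain(from_domain: str,
                         exists: Callable[[str], bool] = name_exists) -> str:
    org = organizational_domain(from_domain)
    if org is None:
        return "unknown-public-suffix"        # case 3
    if not exists(org):
        return "org-domain-nonexistent"       # case 2: registration-level failure
    if not exists(from_domain):
        return "from-subdomain-nonexistent"   # case 1
    return "exists"


def relaxed_aligned(from_domain: str, signing_domain: str) -> bool:
    """Relaxed DKIM alignment: same organizational domain, any subdomain."""
    a = organizational_domain(from_domain)
    b = organizational_domain(signing_domain)
    return a is not None and a == b


def assess(from_domain: str, dkim_d: Optional[str],
           exists: Callable[[str], bool] = name_exists) -> str:
    """Constructed verdict labels; only case 1 is rescued by an aligned signature."""
    kind = classify_from_domain(from_domain, exists)
    if kind in ("unknown-public-suffix", "org-domain-nonexistent"):
        return "reject-candidate:" + kind
    if kind == "from-subdomain-nonexistent":
        if dkim_d is not None and relaxed_aligned(from_domain, dkim_d):
            return "accept:aligned-nonexistent-subdomain"   # the ESP pattern from the thread
        return "suspect:unaligned-nonexistent-subdomain"
    return "accept:exists"


if __name__ == "__main__":
    for frm, d in [("news.example.com", "mail.example.com"),
                   ("news.example.com", "esp.example.net"),
                   ("nosub.havenbank.bank", "havenbank.bank"),
                   ("credit-suisse.bank", "credit-suisse.bank"),
                   ("host.nosuchtld", "host.nosuchtld")]:
        print(f"{frm:24} d={d:22} -> {assess(frm, d)}")
```

The ordering in `classify_from_domain` is the point: the organizational domain is derived first, because a From subdomain that does not resolve is only meaningful once its parent organization is known to be registered. Swapping the PSL set and `name_exists` for a full PSL and real DNS queries turns this into the shape of check the thread is describing.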
