On Wednesday, February 23, 2022 4:45:35 PM EST John Levine wrote:
> It appears that Scott Kitterman  <[email protected]> said:
> >> I prefer the first (longest) but could live with the last if people think
> >> that will in practice be less surprising.  I do worry about foo.us.com vs
> >> bar.us.com.
> >
> >I think it will (less surprising).  Currently if you have a.b.bar.us.com
> >and "a" and "b" need different policies you can just publish them.  If you
> >stop at the first one, then b.bar.us.com would be identified as the org
> >domain for a.b.bar.us.com vice bar.us.com.
> 
> I understand, but the question is whether anyone actually does that.  It is
> my impression that our argument is largely hypothetical because it is rare
> to have stacked DMARC records like that.

I've seen it done.  Unfortunately I can't go into specifics.  I suspect it is 
rare, but when it happens it's pretty essential.

> >We could fix this by changing the definition of relaxed alignment to be is
> >the same or one is a subdomain of the other, but I think it's better to
> >take the last DMARC record and leave the definition as is.
> 
> Laura says she's seen sibling or maybe great aunt alignment.  I really wish
> we could get some stats about what kinds of relaxed alignment people
> actually use, because I would prefer to avoid evil sibling alignment if we
> can do that without breaking significant existing use.

The problem with statistics is that it leads you not to care about the rare 
entities for which the functionality is absolutely essential.

If we did first match, but allowed for relaxed alignment for org domains also 
when one is a subdomain of the other, I don't think that helps with the evil 
sibling problem.

I think this is significant enough that we don't want to break it.

Scott K


_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
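
The two record-selection rules debated in this thread, as an added example that is not part of the original message or of any DMARC specification text. The set of published records, their policies, and the `us.com` record used in the last case are constructed assumptions, no DNS is queried, and relaxed alignment is modelled with the definition left as is (both names map to the same org domain).

```python
# Constructed zone data: names that publish a _dmarc TXT record (assumption).
# Policies are illustrative only.
DMARC_RECORDS = {
    "b.bar.us.com": "v=DMARC1; p=reject",
    "bar.us.com": "v=DMARC1; p=quarantine",
}

def walk(domain):
    """Yield the domain and each parent, longest name first, skipping the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])

def org_domain(domain, rule, records=DMARC_RECORDS):
    """Pick the org domain from the names on the walk that publish a record.

    rule="first": the first (longest) name found walking up.
    rule="last":  the last (shortest) name found walking up.
    """
    hits = [name for name in walk(domain) if name in records]
    if not hits:
        return None
    return hits[0] if rule == "first" else hits[-1]

def relaxed_aligned(d1, d2, rule, records=DMARC_RECORDS):
    """Relaxed alignment, definition unchanged: both names share an org domain."""
    o1, o2 = org_domain(d1, rule, records), org_domain(d2, rule, records)
    return o1 is not None and o1 == o2

def compare(d1, d2, records=DMARC_RECORDS):
    """Return the alignment result under each selection rule."""
    return {rule: relaxed_aligned(d1, d2, rule, records) for rule in ("first", "last")}

if __name__ == "__main__":
    print(org_domain("a.b.bar.us.com", "first"))      # b.bar.us.com
    print(org_domain("a.b.bar.us.com", "last"))       # bar.us.com
    print(compare("a.b.bar.us.com", "bar.us.com"))    # first: False, last: True
    # Constructed case: the shared parent us.com also publishes a record.
    with_us_com = dict(DMARC_RECORDS, **{"us.com": "v=DMARC1; p=none"})
    print(compare("foo.us.com", "bar.us.com", with_us_com))  # first: False, last: True
```
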
