On Wednesday, February 23, 2022 8:16:24 PM EST John Levine wrote:
> It appears that John Levine <[email protected]> said:
> >It appears that Scott Kitterman <[email protected]> said:
> >>If we did first match, but allowed for relaxed alignment for org domains
> >>also when one is a subdomain of the other, I don't think that helps with
> >>the evil sibling problem.
> >
> >I think that would largely solve it. I am worried about foo.us.com
> >pretending to be bar.us.com since they have no relation to each other. I
> >am much less worried about foo.us.com pretending to be us.com or vice
> >versa since they have a direct business relationship and so have recourse
> >against each other.
>
> Hm, no, if us.com has a regular non-PSD DMARC record, bar.us.com is
> aligned with foo.us.com. If we do first match, it's not aligned with
> mail.foo.us.com if there's also a DMARC record at foo.us.com, but it
> feels like we're getting into the weeds.
We are, but I think it's needed.

I think we are in reasonably good shape for backward compatibility. I still have a preference for org is last non-PSD and not changing the alignment definition over org is first and changing the alignment definition. Here are the advantages I see of last non-PSD:

Does not require changing the alignment definition. I think this is a big deal. Alignment is something that affects code. If we change from PSL to last non-PSD we are changing the method for determining an input to the DMARC evaluation process, not the actual process. I think that's good. Also, it's easier to assess the effects of the change. It's isolated to org domain determination. If we also change the alignment rules it's a more complicated assessment that we are less likely to get completely correct.

Modulo PSL errors and non-PSD DMARC records published by PSDs it produces the same results as the RFC 7489 design (more about this later).

DMARC records published based on RFC 7489 do not need to be changed.

I don't see any real disadvantages.

Neither solves the evil/incompetent PSD case where the PSD publishes a regular DMARC record and allows one customer to impersonate another. In that regard, I think there is a point to the suggestions people have been making about org=y. If we could give domain owners a method to specify there's nothing above for org we could give them a defense in this case other than switch to a new provider.

I don't think org=y is needed though. We could use psd=n for this and not need yet another new tag. If we did this, then we would specify that the upward tree walk terminates if a record has psd=n in it. That would allow a defense against the evil/incompetent PSD and their scheming other customer.

This is a general discussion of the concept, not a full definition. If this seems reasonable to people, I can write it up more precisely.
Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
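The following is an added illustration, not part of the thread above and not code from any DMARC implementation. It models the Organizational Domain rule Scott sketches (walk upward from the RFC5322.From domain, the Org Domain is the last non-PSD record found, and a record carrying psd=n ends the walk at that domain) and then applies unchanged relaxed alignment (equal Org Domains). The DNS zone is constructed for the example; the handling of the case where a psd=y record is reached with no non-PSD record below it (the Org Domain is taken to be the child of the PSD) and the fallback when no record exists at all are assumptions, since the message does not specify them.

```python
"""Toy DMARC tree walk for Organizational Domain determination (added example).

Implements the proposal from the message above:
  * walk upward from the From domain, querying _dmarc.<name> at each step;
  * the Org Domain is the last (highest) record seen that is not psd=y;
  * a record with psd=n terminates the walk at that domain.
The zone below is constructed for illustration only.
"""

# Constructed zone: DNS name -> DMARC TXT record text.
ZONE = {
    # A well-behaved Public Suffix Domain marks its record psd=y.
    "_dmarc.us.com": "v=DMARC1; p=none; psd=y",
    "_dmarc.foo.us.com": "v=DMARC1; p=reject",
    # An "evil/incompetent" PSD that publishes an ordinary record (no psd tag).
    "_dmarc.us2.com": "v=DMARC1; p=none",
    # Customer that relies on the provider and publishes no psd tag.
    "_dmarc.naive.us2.com": "v=DMARC1; p=reject",
    # Customer that declares "there is nothing above me for org purposes".
    "_dmarc.good.us2.com": "v=DMARC1; p=reject; psd=n",
}


def parse_tags(record):
    """Split 'k=v; k=v' DMARC record text into a lowercase tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def lookup(name):
    """Stand-in for a DNS TXT query of _dmarc.<name>; None when absent."""
    record = ZONE.get("_dmarc." + name)
    return parse_tags(record) if record else None


def candidates(domain):
    """Names to query, from the domain itself up to (but excluding) the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def organizational_domain(domain):
    """Org Domain per 'last non-PSD record, psd=n terminates the walk'."""
    names = candidates(domain)
    last_non_psd = None
    for i, name in enumerate(names):
        tags = lookup(name)
        if tags is None:
            continue  # no record here, keep walking upward
        psd = tags.get("psd")
        if psd == "n":
            return name  # psd=n: nothing above counts, walk ends here
        if psd == "y":
            # PSD reached. Use the last non-PSD record seen; if there was none,
            # treat the child of the PSD as the Org Domain (assumption).
            if last_non_psd is not None:
                return last_non_psd
            return names[i - 1] if i > 0 else name
        last_non_psd = name  # ordinary record: remember it and keep walking
    # Walk ended without a PSD marker: highest record seen, or the domain
    # itself when nothing was published (assumption for the no-record case).
    return last_non_psd if last_non_psd is not None else domain


def relaxed_aligned(domain_a, domain_b):
    """Relaxed alignment is unchanged: the two Org Domains must match."""
    return organizational_domain(domain_a) == organizational_domain(domain_b)


if __name__ == "__main__":
    # Well-behaved PSD: siblings under us.com are not aligned with each other.
    print(organizational_domain("mail.foo.us.com"), organizational_domain("bar.us.com"))
    print("foo/bar aligned:", relaxed_aligned("mail.foo.us.com", "bar.us.com"))
    # Evil PSD: without psd=n the naive customer aligns with its sibling;
    # with psd=n the walk stops and the sibling is no longer aligned.
    print("naive/evil aligned:", relaxed_aligned("naive.us2.com", "evil.us2.com"))
    print("good/evil aligned:", relaxed_aligned("good.us2.com", "evil.us2.com"))
```

Running the block shows both cases from the thread: under a PSD that publishes psd=y, foo.us.com and bar.us.com get distinct Org Domains and are not aligned; under a PSD that publishes an ordinary record, a customer without psd=n shares the PSD's Org Domain with every sibling, while a customer publishing psd=n terminates the walk and is aligned only with its own subtree.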
