It appears that Scott Kitterman <[email protected]> said:
>We are, but I think it's needed. I think we are in reasonably good shape for
>backward compatibility. I still have a preference for org is last non-PSD and
>not changing the alignment definition over org is first and changing the
>alignment definition.

Having further pondered evil great aunts (not a recipe for a good night's sleep) I am coming around to your point of view. You're only subject to the evil sibling attack if your org domain does not publish a DMARC record and your PSD does publish one without psd=y. There are some PSDs that do that but trying to get their attention to fix it seems a whole lot easier than trying to add org=y to millions of ordinary domains, particularly since we have contact with many PSDs via ICANN.

>If we did this, then we would specify that the upward tree walk terminates if
>a record has psd=n in it. That would allow a defense against the evil/
>incompetent PSD and their scheming other customer.

That seems reasonable. It doesn't make things worse for existing users.

So I think this is the plan:

1. Take your domain, chop it to the last five labels if it's longer than that.
2. Walk up the tree starting at the original domain, and at each level look for a DMARC record.
3. If you find one with a psd flag, stop.
4. If you find one without a psd flag, remember it and keep going.
5. If you reach the root, stop.

If you found a record with psd=n, that is the org domain. If you found a record with psd=y, the label below it is the org domain. Otherwise the org domain is the last DMARC record you found.

The rest doesn't change: The policy domain is the original domain if it had a DMARC record, otherwise the org domain. The org domain might not have a DMARC record. Relaxed alignment still means that two names have the same org domain.

If you found no records at all, there is no org domain and no policy but so what, there's nothing to do.

R's,
John

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
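The tree walk proposed in the message above, as an added Python example (not part of the original post and not code from any DMARC implementation). It shows how a `psd=n` record stops the walk and separates a domain from siblings under a PSD that publishes a record without `psd=y`. Assumptions: the dict `SAMPLE_TXT` is constructed data standing in for DNS, the function names are hypothetical, a name longer than five labels is still queried once before the chopped suffixes, and a `psd=y` record on the queried name itself makes that name the org domain.

```python
# Constructed sample data standing in for DNS: _dmarc TXT records by owner name.
SAMPLE_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.gov.example": "v=DMARC1; p=none; psd=y",
    "_dmarc.hosting.example": "v=DMARC1; p=none",  # PSD publishing without psd=y
    "_dmarc.victim.hosting.example": "v=DMARC1; p=reject; psd=n",
}

def find_record(name, txt=SAMPLE_TXT):
    """Return the DMARC record at _dmarc.<name> as a tag dict, or None."""
    raw = txt.get("_dmarc." + name)
    if raw is None:
        return None
    pairs = (p.split("=", 1) for p in raw.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    return tags if tags.get("v") == "DMARC1" else None

def tree_walk(domain, txt=SAMPLE_TXT):
    """Return (org_domain, policy_domain); (None, None) if no record exists."""
    labels = domain.lower().rstrip(".").split(".")
    full = ".".join(labels)
    tail = labels[-5:]                      # step 1: at most five labels
    names = [".".join(tail[i:]) for i in range(len(tail))]
    if names[0] != full:
        names.insert(0, full)               # assumption: original name is queried too
    org = None
    for name in names:                      # step 2: walk up towards the root
        tags = find_record(name, txt)
        if tags is None:
            continue
        psd = tags.get("psd", "").lower()
        if psd == "n":                      # step 3: stop, this name is the org domain
            org = name
            break
        if psd == "y":                      # step 3: stop, org is one label below
            n = name.count(".") + 1
            org = ".".join(labels[-(n + 1):])  # the name itself if nothing is below
            break
        org = name                          # step 4: remember it and keep going
    if org is None:
        return None, None
    policy = full if find_record(full, txt) is not None else org
    return org, policy

def relaxed_aligned(a, b, txt=SAMPLE_TXT):
    """Relaxed alignment: both names resolve to the same org domain."""
    org_a, org_b = tree_walk(a, txt)[0], tree_walk(b, txt)[0]
    return org_a is not None and org_a == org_b
```

With the sample data, two customers of `hosting.example` that publish nothing share an org domain, while `victim.hosting.example` with `psd=n` does not align with its siblings.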
