On Sat 26/Feb/2022 18:14:30 +0100 John R Levine wrote:
> No.  This just adds more useless complexity that is unlikely to get
> implemented.

While composing a DMARC record, setting role=org seems more likely than psd=n.

> For the umpteenth time, the goal here is to be as compatible as possible with
> the way that DMARC works now. An important part of that is not to ask people
> to change their existing DMARC records because we know that most of them won't.

100% agreed.

> The normal case, like 99.99% of the time, is that the PSD does not publish a
> DMARC record at all. The org domain has a DMARC record if it sends mail or its
> subdomains use relaxed alignment. The way Scott and I propose to do a tree
> walk, that will get the same alignment as now with no changes to the DMARC
> record. That includes millions, maybe tens of millions of domains.
> A few PSDs publish DMARC records, either because they have a policy about their
> registrants' mail, or because the PSD itself has an MX. We want them to add
> psd=y. That includes 52 domains. (I counted them.)
> As an extreme corner case, if you are registered under a PSD that publishes a
> DMARC record but erroneously doesn't include psd=y, you can use psd=n as a
> kludge to prevent evil sibling alignment. That currently includes about 45 of
> those 52 domains, but I think we can get it close to zero because we have
> contacts at many of them.

That's a Good Thing.

> I'm finding it hard to understand the advantage of a scheme that requires
> millions of DMARC records to change rather than one that changes 52.

I never proposed such a massive operation.

OTOH, those ~8 million DMARC domains are a small fraction of the 70+ million
domains having SPF records. I think we can expect DMARC domains to grow.

In some cases, a domain can induce correct alignment assessments by asking for
inclusion in the private domains section of the PSL, like us.com. I'd figure
most of those PSL additions were driven by cookie alignment issues. However,
some of them could also have been motivated by DMARC considerations, who knows?

Setting a role=org flag would be akin to updating the PSL. Not something that
every domain does every day. Perhaps nobody will ever do it. (I found no
DMARC record in the few subdomains of us.com I checked.) Yet, the possibility
to have role=org looks to me better than using a false boolean for the same task.

Best
Ale
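
Added example (not part of the message above, and not code from any DMARC implementation): a small Python model of the tree walk under discussion, showing how psd=y and psd=n change which names share an organizational domain under relaxed alignment. It assumes the selection rules as they were later written down in the DMARCbis drafts (walking upward, the first psd=n wins; psd=y on an ancestor puts the org domain one label below it; otherwise the shortest name with a record), omits the query limit, and uses constructed psd.example names with a dict standing in for DNS.

```python
def parse_tags(txt):
    """Split a DMARC TXT value into a {tag: value} dict."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def org_domain(name, zone):
    """Walk from `name` toward the root; `zone` maps domain -> _dmarc TXT value."""
    labels = name.lower().rstrip(".").split(".")
    shortest = None
    for i in range(len(labels)):
        dom = ".".join(labels[i:])
        if dom not in zone:
            continue
        psd = parse_tags(zone[dom]).get("psd")
        if psd == "n":                 # explicit "I am an org domain"
            return dom
        if psd == "y" and i > 0:       # ancestor is a PSD: org is one label below
            return ".".join(labels[i - 1:])
        shortest = dom                 # plain record: remember the shortest name
    # Assumption: with no record anywhere, treat the name as its own org domain.
    return shortest or ".".join(labels)

def relaxed_aligned(a, b, zone):
    """Relaxed alignment: both names resolve to the same organizational domain."""
    return org_domain(a, zone) == org_domain(b, zone)

# Constructed records for the cases in the thread.
ORG = "v=DMARC1; p=reject"
NORMAL = {"good.psd.example": ORG}                        # PSD publishes nothing
PSD_NO_FLAG = {**NORMAL, "psd.example": "v=DMARC1; p=none"}
PSD_FLAGGED = {**NORMAL, "psd.example": "v=DMARC1; p=none; psd=y"}
KLUDGE = {"good.psd.example": ORG + "; psd=n",
          "psd.example": "v=DMARC1; p=none"}

if __name__ == "__main__":
    pair = ("mail.good.psd.example", "sibling.psd.example")
    for label, zone in [("normal", NORMAL), ("PSD record, no psd=y", PSD_NO_FLAG),
                        ("PSD adds psd=y", PSD_FLAGGED), ("registrant psd=n", KLUDGE)]:
        print(f"{label:22} org={org_domain(pair[0], zone):18} "
              f"sibling aligned={relaxed_aligned(*pair, zone)}")
```

Only the "PSD record, no psd=y" case reports the sibling as aligned; either the PSD's psd=y or the registrant's psd=n removes it.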