We know that DMARC Fail is a weak result because in-transit changes may
cause a message that was verifiable at first hop to be unverifiable at last
hop.

Consequently, it is desirable to distinguish between Fail and
Never-sends-mail.  We should not assume that a domain sends mail simply
because a message arrives with their name on it.

Real PSOs never send mail, and I suspect that many private registries do
not send mail from the specific subdomain used for client registration.  So
my default expectation for registrars is that they do not send mail, but we
need a way for private registrars to announce that they are an exception.

On Thu, Mar 24, 2022, 8:02 AM Alessandro Vesely <[email protected]> wrote:

> On Wed 23/Mar/2022 12:08:16 +0100 Douglas Foster wrote:
> > But we do have a difference between PSOs, which never send mail, and private
> > registrars, which may or may not send mail from the domain or subdomain used as
> > a private registration point.  It seems desirable to resolve this ambiguity so
> > that we can reliably know that a true PSO cannot be impersonated, while
> > allowing private registrars to document their configuration.
> >
> > A "sendsmail=(y,n)" indicator would accomplish this purpose.
>
> For documentation purposes, although I'd have preferred meaningful, explicit
> tokens, if people much more experienced than me insist that obscurity is
> advisable in this case, I don't agree but I accept it.
>
> For security, a private registrar should set psd=y.  If it sets psd=n, it
> forces all registrants below that point to do the same.  If the From: domain
> has psd=y, you know that they send mail because you received it.  In that case,
> it can only authenticate by strict alignment.
>
> Perhaps, we could advise private registrars that they had better use an
> intermediate label with psd=y as a registration point if they want more DMARC
> flexibility at their base domain.
>
> Best
> Ale
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>