On April 6, 2022 2:21:52 AM UTC, John R Levine <[email protected]> wrote:
>On Tue, 5 Apr 2022, Scott Kitterman wrote:
>>>> _dmarc.ac.me TXT "v=DMARC1; p=quarantine; adkim=r; aspf=r; fo=0; pct=100;
>>>> rua=mailto:[email protected]"; ac.me mail is handled by 10 mail.ac.me.
>>>> ac.me TXT "v=spf1 mx ip4:89.188.43.10 ip6:2a02:4280:0:200:89:188:43:10 
>>>> -all"
>
>> Generally speaking, I think that a PSD can send mail and it should be covered
>> by DMARC, so I disagree with the idea that a PSD can never also be an Org.
>
>How about if we say that if the initial domain has psd=y, that's the org 
>domain and you don't look anywhere else.  That is easy to explain and I 
>don't think we are likely to find anything that better matches the 
>expectations of people who send mail from PSDs.
>
>There are 44 domains in the "ICANN" part of the PSL that have MX records 
>and at least 400 in the "PRIVATE" part so I think it would be a good idea 
>to have a plan for how DMARC works for them.

Agreed as far as having a plan, but it would have to be more complicated or 
more restrictive than that, I think.

Let's take the example of:

5322.From: psd.example (which has psd=y)
5321.MailFrom: spf.psd.example
d= domain: dkim.psd.example.

If we just ignore psd=y for an exact match, then the org domain for psd.example 
is psd.example, spf.psd.example for SPF, and dkim.psd.example for DKIM.  
Neither aligns since neither has the same org domain as the 5322.From.

I see two potential paths out of this:

1.  Slightly expand your proposal to say that if the 5322.From domain has 
psd=y, then the psd tag is ignored for all org domain determinations for the 
message.

2.  Just say explicitly, if you are a PSD, you have to make all three the exact 
domain (effectively like strict alignment only).

The current text says a domain is always its own org domain, so we have 
(without explaining it anywhere) defined #2 currently.  I think that's good.

PSDs have already (mostly) told us that the name space below is 
administratively distinct.  The approach in #1 would give all their customers 
the ability to spoof them, which is suboptimal.  Additionally it would make the 
SPF and DKIM org domain determinations dependent on the org domain 
determination from the 5322.From.  That adds complexity and seems ugly.

A PSD that does control/trust the namespace below it (e.g. .mil) might not even 
need to bother with psd=y if they aren't worried about their registrants 
spoofing each other.

My suggestion is that we leave the process as is and add some explanation for 
PSDs on the implication of being a mail sending PSD that does DMARC.  It should 
be simple enough.

If the group agrees, I can write something up, but I don't think the next 
revision needs to wait for it.

Scott K
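The psd.example scenario from the message above, worked through as an added Python example. This is not code from the thread or from any DMARC implementation: the DNS records are constructed, and org_domain() is a simplified model of the tree walk sufficient to contrast the two options (ignore the psd tag for the whole message when the 5322.From domain has psd=y, versus the current text where a psd=y domain is its own org domain); it is not the exact algorithm in the draft.

```python
# Constructed DNS snapshot: domain -> parsed DMARC tags. Only the psd tag
# matters for org-domain discovery; policies are placeholders.
DMARC_RECORDS = {
    "psd.example": {"v": "DMARC1", "p": "reject", "psd": "y"},
    "spf.psd.example": {"v": "DMARC1", "p": "none"},   # registrant under the PSD
    "dkim.psd.example": {"v": "DMARC1", "p": "none"},  # another registrant
}


def ancestors(domain):
    """psd.example -> ['psd.example', 'example'] (walk toward the root)."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def org_domain(domain, records, ignore_psd=False):
    """Simplified tree walk (assumption, not the draft's full text).

    - honoring psd and the domain itself has psd=y: it is its own org domain
    - an ancestor has psd=y: the org domain is one label below that ancestor
    - otherwise: the highest ancestor publishing any DMARC record, else domain
    """
    chain = ancestors(domain)
    if not ignore_psd and records.get(domain, {}).get("psd") == "y":
        return domain
    highest_with_record = domain
    for i, candidate in enumerate(chain):
        rec = records.get(candidate)
        if rec is None:
            continue
        if not ignore_psd and rec.get("psd") == "y":
            return chain[i - 1] if i > 0 else candidate
        highest_with_record = candidate
    return highest_with_record


def aligned(from_domain, auth_domain, records, mode="r", ignore_psd=False):
    """Relaxed alignment compares org domains; strict requires exact match."""
    if mode == "s":
        return from_domain == auth_domain
    return (org_domain(from_domain, records, ignore_psd)
            == org_domain(auth_domain, records, ignore_psd))


def evaluate(from_domain, mailfrom_domain, dkim_d, records, option="current"):
    """option 'current': psd=y domain is its own org domain (Scott's #2).
    option 'option1': when the From domain has psd=y, ignore the psd tag for
    every org-domain determination in the message (Scott's #1)."""
    ignore = (option == "option1"
              and records.get(from_domain, {}).get("psd") == "y")
    spf_ok = aligned(from_domain, mailfrom_domain, records, ignore_psd=ignore)
    dkim_ok = aligned(from_domain, dkim_d, records, ignore_psd=ignore)
    return {"spf": spf_ok, "dkim": dkim_ok, "pass": spf_ok or dkim_ok}


if __name__ == "__main__":
    msg = ("psd.example", "spf.psd.example", "dkim.psd.example")
    # Current text: neither identifier aligns with the psd=y From domain.
    print("current:", evaluate(*msg, DMARC_RECORDS, "current"))
    # Option #1: every registrant under the PSD aligns with the PSD itself,
    # which is the spoofing exposure described in the message.
    print("option1:", evaluate(*msg, DMARC_RECORDS, "option1"))
    # A PSD that uses its exact domain everywhere passes under the current text.
    print("exact:  ", evaluate("psd.example", "psd.example", "psd.example",
                               DMARC_RECORDS, "current"))
```

The second call is the interesting one from a defender's viewpoint: under option #1 the PSD's own mail and a registrant's mail become indistinguishable at the alignment step, so the PSD's DMARC policy no longer protects the PSD against its own namespace.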

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc