On July 19, 2022 7:13:13 PM UTC, John Levine <[email protected]> wrote:
>It appears that Murray S. Kucherawy  <[email protected]> said:
>>So it comes down to which we're willing to tolerate and/or to foist upon
>>the Internet: a split-brain that makes results non-deterministic, or a
>>relatively homogeneous space with an arguably unsafe historic default.
>>Whichever we pick, we should be prepared to explain why.
>
>Seems to me the answer is self-evident.
>
>I have no idea to what extent sibling authentication is OK because the
>two names are indeed part of the same organization, and to what extent
>it isn't because they aren't. I would be surprised if anyone had data
>to share since only very large mail systems would collect enough to be
>useful, and they tend to be shy about sharing.
>
>So since we're just guessing, let's pick the guess that minimizes the
>changes.
>
>One of the reasons we added the new psd flag is to make it easy for domains
>to disable sibling authentication.  If you know it's a problem, it's
>the work of a moment to add psd=y to a name above the evil siblings.


+1.

Or, if your provider is slow to react, add psd=n to your own domain to prevent 
either the parent or siblings from being considered.

I don't think we can change the default alignment without bumping the version 
and that would be horrible.

We've added knobs for domain owners and PSOs to turn to solve the exact problem 
being speculated about in this thread.  I think that's sufficient.  It would be 
nice if we could move forward with the tag assignment for psd= so we can start 
encouraging people to use it.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
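
The effect of the two psd= settings discussed in this message can be modelled as follows. This is an added example, not part of the original message and not code from the DMARC draft. It assumes the draft's tree-walk selection rules in simplified form (no real DNS lookups, no 8-label shortcut), and all domain names are constructed.

```python
# Added illustration, not code from the thread or the DMARC draft.
# Simplified model: the 8-label shortcut and real DNS lookups are omitted.

def walk(domain):
    """Return the domain and each parent, longest name first."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def org_domain(domain, records):
    """Select the organizational domain for `domain`.

    `records` maps a name that publishes a DMARC record to its psd
    value: "y", "n", or "u" when the tag is absent.
    """
    path = walk(domain)
    start = path[0]
    found = [(i, d) for i, d in enumerate(path) if d in records]
    for i, d in found:
        if records[d] == "n":
            return d                  # psd=n: this name is the org domain
        if records[d] == "y" and d != start:
            return path[i - 1]        # psd=y above us: one label below it
    # No psd signal: shortest name with a record, else the domain itself.
    return found[-1][1] if found else start

def relaxed_aligned(a, b, records):
    """Relaxed alignment: both names share one organizational domain."""
    return org_domain(a, records) == org_domain(b, records)

# Constructed sample zones (hypothetical names under .example).
DEFAULT = {"hosting.example": "u", "alice.hosting.example": "u",
           "evil.hosting.example": "u"}
PARENT_PSD_Y = dict(DEFAULT, **{"hosting.example": "y"})
OWN_PSD_N = dict(DEFAULT, **{"alice.hosting.example": "n"})

if __name__ == "__main__":
    for name, zone in [("default", DEFAULT), ("parent psd=y", PARENT_PSD_Y),
                       ("own psd=n", OWN_PSD_N)]:
        print(name, relaxed_aligned("alice.hosting.example",
                                    "evil.hosting.example", zone))
```

With the default records the two siblings align. Either psd=y on the parent or psd=n on the domain's own record breaks that alignment, while names below the psd=n domain still resolve to it.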
