On Thu 01/Sep/2022 21:02:37 +0200 John R Levine wrote:
So the question: Does anyone *really* think we *do* have to close out
these edge cases at the risk of complexity, incompatibility, or other
down-sides? ...
It can be worse, as in this case where trying to fix the corner case makes
things worse for everyone else.
I will agree with Ale somewhat. While we should say that PSDs MUST NOT publish
a ruf= tag, it would be prudent also to say that reporters MUST ignore a PSD's
ruf= tag in case one is there anyway. Belt and suspenders.
How about SHOULD NOT? Considering that there may exist valid reasons in
particular circumstances when providing a rua= and serving it is acceptable or
even useful, but the full implications should be understood and the case
carefully weighed before implementing any behavior described with this label
(text copied from RFC 2119.)
In practice, every org domain should be encouraged to publish their own DMARC
record, which cuts the privacy risks. We can justify SHOULD NOT by just
mentioning that the exception is the corner case. Implementers can choose to
always discard ruf= from PSD records, or go into the intricacies of
understanding the cases.
OTOH, we cannot really prevent PSDs from publishing what they want. And if
they do publish a ruf=, it doesn't prevent any interoperations.
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
