-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <[email protected]>, John Levine <[email protected]> writes

>It's a lot better to set the TTL on your record to a few seconds, then
>change it to p=reject, and see what you get back. If you're seeing a
>flood of unexpected rejections, quick flip it back to p=none until you
>figure out how to fix the problem.

A significant cost for DMARC (both in sending reports and indeed
implementing DMARC more generally) is that DMARC records often have very
short TTLs and hence they have to be continually re-fetched in order to
determine their content -- both for deciding what policy has been
requested and then where to send reports of disposition.

At the billions scale it would be very helpful for TTLs (both for
successfully fetched records and for NXDOMAIN) to be of the order of a
week rather than a few minutes or hours (leave alone seconds) -- but
people seem to get twitchy (for no really good reasons in my view given
the general stability of these records) when I suggest ignoring the DNS
server's TTL altogether and using 7.5 days instead.

- -- 
richard                                                   Richard Clayton

Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety. Benjamin Franklin 11 Nov 1755

-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1

iQA/AwUBZP228d2nQQHFxEViEQLQbgCcCtnm9ya/2crwUH19JXHky/MdHAYAn2Xr
dGHsjdCl8mlU3EYBdxaYbsns
=CxSq
-----END PGP SIGNATURE-----

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
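The two positions in the exchange above (publisher drops the TTL so a p=reject rollout can be undone in seconds, versus a receiver that clamps every DMARC TTL to 7.5 days) can be replayed with a small cache model. The following is an added example, not code from either poster or from any DMARC implementation: it parses a DMARC TXT record, caches the result with an optional TTL floor, and walks through the rollout/rollback sequence John describes. The zone contents, the example.com name, the TTL values and the negative-cache behaviour (caching "no record" for the same clamped TTL) are all constructed assumptions for the demonstration; no DNS is queried.

```python
"""Added example: DMARC policy cache with optional TTL clamping.

Replays the rollout described in the thread (TTL lowered, p=none -> p=reject,
then rolled back) against a receiver that honours the publisher's TTL and one
that clamps TTLs to a 7.5 day floor.  Zone data and TTLs are constructed for
the example; nothing is looked up in real DNS.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

DAY = 86400


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' record text into a dict.

    The first tag must be v=DMARC1; anything else is rejected rather than
    silently treated as a policy.
    """
    tags: Dict[str, str] = {}
    for raw in txt.split(";"):
        part = raw.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if list(tags)[:1] != ["v"] or tags["v"] != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


@dataclass
class CacheEntry:
    record: Optional[Dict[str, str]]  # None = negative answer (no record)
    expires: float


# resolver(name) -> (record text or None for no record, TTL in seconds)
Resolver = Callable[[str], Tuple[Optional[str], int]]


class DmarcCache:
    """Caches parsed _dmarc.<domain> answers, positive and negative.

    min_ttl=7.5*DAY reproduces the 'ignore the server's TTL' proposal from
    the message; min_ttl=0 honours whatever the publisher set.
    """

    def __init__(self, resolver: Resolver, clock: Callable[[], float],
                 min_ttl: float = 0, max_ttl: Optional[float] = None):
        self.resolver, self.clock = resolver, clock
        self.min_ttl, self.max_ttl = min_ttl, max_ttl
        self.entries: Dict[str, CacheEntry] = {}
        self.fetches = 0  # counts resolver calls, i.e. DNS traffic

    def _clamp(self, ttl: float) -> float:
        ttl = max(ttl, self.min_ttl)
        if self.max_ttl is not None:
            ttl = min(ttl, self.max_ttl)
        return ttl

    def policy(self, domain: str) -> Optional[str]:
        """Return the p= tag for domain, re-fetching only when the entry is stale."""
        name = f"_dmarc.{domain}"
        now = self.clock()
        entry = self.entries.get(name)
        if entry is None or entry.expires <= now:
            self.fetches += 1
            txt, ttl = self.resolver(name)
            record = parse_dmarc(txt) if txt is not None else None
            entry = CacheEntry(record, now + self._clamp(ttl))
            self.entries[name] = entry
        return None if entry.record is None else entry.record.get("p")


def rollout_scenario(min_ttl: float = 0) -> Tuple[List[Optional[str]], int]:
    """Replay: cache warmed at 1h TTL, TTL dropped to 10s, flip to p=reject,
    roll back to p=none.  Returns (policy applied at each step, DNS fetches)."""
    now = [0.0]
    none_rec = "v=DMARC1; p=none; rua=mailto:rua@example.com"
    reject_rec = "v=DMARC1; p=reject; rua=mailto:rua@example.com"
    zone = {"_dmarc.example.com": (none_rec, 3600)}          # constructed zone
    cache = DmarcCache(lambda n: zone.get(n, (None, 3600)),
                       lambda: now[0], min_ttl=min_ttl)
    seen = [cache.policy("example.com")]                      # warm cache, p=none
    now[0] += 3601                                            # 1h entry expires
    zone["_dmarc.example.com"] = (none_rec, 10)               # step 1: TTL to 10s
    seen.append(cache.policy("example.com"))
    now[0] += 11
    zone["_dmarc.example.com"] = (reject_rec, 10)             # step 2: p=reject
    seen.append(cache.policy("example.com"))
    now[0] += 11
    zone["_dmarc.example.com"] = (none_rec, 10)               # step 3: roll back
    seen.append(cache.policy("example.com"))
    return seen, cache.fetches


if __name__ == "__main__":
    for floor in (0, 7.5 * DAY):
        print(f"min_ttl={floor:>9.0f}s: {rollout_scenario(floor)}")
```

With the TTL honoured the receiver applies none, none, reject, none across the four steps at the cost of four fetches; with the 7.5 day floor it makes one fetch and keeps applying p=none throughout, so the publisher's short TTL buys neither the rollout nor the rollback any speed at that receiver. That is the trade Richard is describing: fewer lookups against the publisher losing the ability to change policy quickly.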
