Both of these statements seem unnecessarily weak, bordering on apologetic.

5.3. General Record Format
PSD ("n")
"... There is no need to put psd=n in a DMARC record, except in the very
unusual case of a parent PSD publishing a DMARC record without the
requisite psd=y tag."

11.8 Determination of the Organizational Domain For Relaxed Alignment
"For cases where strict alignment is not appropriate, this issue can be
mitigated by periodically checking the DMARC records, if any, of PSDs above
the organization's domains in the DNS tree and (for legacy [RFC7489]
checking that appropriate PSL entries remain present). If a PSD domain
publishes a DMARC record without the appropriate psd=y tag, organizational
domain owners can add psd=n to their organizational domain's DMARC record
so that the PSD record will not be incorrectly evaluated to be the
organizational domain."

I suggest that the second sentence of 5.3 should read:
"While the tree walk is designed to be upward-compatible with existing
policies that do not provide a psd tag, use of psd=n is RECOMMENDED as it
reduces evaluator processing effort, reduces load on the DNS, and increases
confidence in the evaluation results.  Use of psd=n is REQUIRED if a parent
domain has a DMARC policy without a psd tag."

Given the number of private registries that have embraced DMARC for PSDs
prior to publication of DMARCbis, it is difficult even to justify the
assumption that an unflagged PSD will be "very unusual".

Similarly, 11.8 could more usefully read:
"For cases where strict alignment is not appropriate, this issue can be
fully mitigated by publishing a psd=n tag on the organizational domain."

Why would anyone "periodically check" for a problem, when the risk can be
completely eliminated in advance by taking a simple preventative measure?

Doug Foster
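As an added illustration, not part of the message above or of the DMARCbis text, the following Python models the organizational-domain discovery that the quoted sections 5.3 and 11.8 are about: a DNS tree walk over constructed DMARC records, with the precedence rules simplified to (1) a psd=n record names the Organizational Domain, (2) otherwise the record closest to the root wins, stepping one label down if it carries psd=y. The domain names, the zone contents and the exact ordering of the rules are assumptions made for the example; the point it demonstrates is the one the message makes: when a PSD publishes a DMARC record without psd=y, the walk selects the PSD itself as the Organizational Domain, so unrelated registrants under that PSD become "aligned" under relaxed alignment, and psd=n on the organizational domain removes the problem regardless of what the PSD does.

```python
"""Simplified model of DMARCbis Organizational Domain discovery.

Illustrative code written for this discussion; it is not text from DMARCbis
and the zone data below is constructed.  The precedence of the psd rules is
a simplification of the draft's tree-walk description.
"""
from typing import Dict, List, Optional, Tuple

MAX_WALK_LABELS = 5  # assumption: longer names are shortened to 5 labels first


def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse 'tag=value; ...' into a dict; None unless v=DMARC1 is present."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def tree_walk(domain: str, zone: Dict[str, str]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (name, tags) for every valid record found, starting at the
    domain and dropping one leftmost label at a time down to the TLD."""
    labels = domain.lower().rstrip(".").split(".")[-MAX_WALK_LABELS:]
    found: List[Tuple[str, Dict[str, str]]] = []
    while labels:
        name = ".".join(labels)
        txt = zone.get("_dmarc." + name)  # stands in for a TXT lookup
        if txt is not None:
            tags = parse_dmarc(txt)
            if tags is not None:
                found.append((name, tags))
        labels = labels[1:]
    return found


def organizational_domain(domain: str, zone: Dict[str, str]) -> Optional[str]:
    """Pick the Organizational Domain from the records the walk returned."""
    found = tree_walk(domain, zone)
    if not found:
        return None
    # Rule 1 (modelled): psd=n names the Organizational Domain directly.
    for name, tags in found:
        if tags.get("psd", "").lower() == "n":
            return name
    # Rule 2: otherwise the record closest to the root decides.
    top_name, top_tags = found[-1]
    if top_tags.get("psd", "").lower() == "y":
        # Flagged PSD: the Organizational Domain is one label below it.
        labels = domain.lower().rstrip(".").split(".")
        return ".".join(labels[-(len(top_name.split(".")) + 1):])
    # Unflagged PSD: the PSD itself is selected, the failure mode at issue.
    return top_name


def relaxed_aligned(d1: str, d2: str, zone: Dict[str, str]) -> bool:
    """Relaxed alignment: both names resolve to the same Organizational Domain."""
    o1, o2 = organizational_domain(d1, zone), organizational_domain(d2, zone)
    return o1 is not None and o1 == o2


# Constructed data: a private registry acting as a PSD with two registrants.
PSD = "registry.example"
ACME = "acme." + PSD
OTHER = "othercorp." + PSD

ZONE_UNFLAGGED_PSD = {            # PSD record published without psd=y
    "_dmarc." + PSD: "v=DMARC1; p=reject",
    "_dmarc." + ACME: "v=DMARC1; p=quarantine",
    "_dmarc." + OTHER: "v=DMARC1; p=none",
}
ZONE_WITH_PSD_N = dict(ZONE_UNFLAGGED_PSD)   # acme protects itself with psd=n
ZONE_WITH_PSD_N["_dmarc." + ACME] = "v=DMARC1; p=quarantine; psd=n"
ZONE_FLAGGED_PSD = dict(ZONE_UNFLAGGED_PSD)  # the registry does the right thing
ZONE_FLAGGED_PSD["_dmarc." + PSD] = "v=DMARC1; p=reject; psd=y"

if __name__ == "__main__":
    sender = "mail." + ACME
    for label, zone in [("unflagged PSD", ZONE_UNFLAGGED_PSD),
                        ("psd=n on acme", ZONE_WITH_PSD_N),
                        ("psd=y on PSD", ZONE_FLAGGED_PSD)]:
        print(f"{label:14} org={organizational_domain(sender, zone)!s:26} "
              f"aligned with {OTHER}: {relaxed_aligned(sender, OTHER, zone)}")
```

Run as a script it prints the three outcomes side by side; the first line is the one the quoted 11.8 text warns about (the PSD becomes the Organizational Domain and an unrelated registrant aligns with acme), and the second shows that psd=n on acme's own record fixes it without any cooperation from the registry.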
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc