On Wed, Apr 17, 2024 at 1:06 AM Scott Kitterman <[email protected]> wrote:

> I am confused.
>
> Under the current (7489) rules a record for _dmarc.c.d.e.f.tld won't be
> found either in this case.  Why do we need to support something that is
> currently unsupported?
>
> We picked n=5 to allow the current org level record to be detected by the
> tree walk.  It's true that the tree walk provides some additional
> flexibility for subordinate organizations within what we would call a
> DMARC org domain based on RFC 7489, but that was by no means anything we
> ever described as a feature or a goal.
>

I don't share your understanding here. I interpret some of the text of
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/79, "Do
away with the PSL and Org Domain entirely; just walk the tree" to at least
imply that the tree walk was designed to provide this flexibility, to wit:

When DMARC was first developed, there was concern about DNS load and
needing to minimize DNS lookups. Operational expertise now shows that this
is no longer cause for concern.

Short circuiting a tree walk has led to many issues, like a reliance on the
PSL, complicated algorithms for Org Domain discovery, many types of domains
(PSDs, per https://tools.ietf.org/wg/dmarc/draft-ietf-dmarc-psd/) being
unable to utilize DMARC even though they wish to, and larger organizations
(such as universities and governments) that are comprised of
sub-organizations that use subdomains having material problems getting
everything authenticated.

All these issues disappear, and DMARC becomes a lot simpler conceptually,
if DMARC simply walks the DNS hierarchy for the exact sending domain down
to the TLD until it finds a DMARC record, and stops.

It's the second paragraph, specifically the "and larger organizations..."
bits to which I'm referring here.


> Even if some organizations have very deep DNS trees, the fact that some
> entity uses a.b.c.d.e.f.tld doesn't affect DMARC.  The record for the top
> level of their organization will still be found.
>
> In any case, any domain, at any depth in the tree can publish their own
> DMARC record if they need some special thing.  The value of N does not
> affect that at all.
>
Fair enough. You're correct that a DMARC policy can be published for any
specific domain used as the RFC5322.From domain, so perhaps a bit of text
in the Tree Walk section describing the really deep use case and
the solution for it might be a compromise.


-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: [email protected]
Phone: 703-220-4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
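The discovery variants the two posters are comparing, as an added example that is not code from the thread, from dmarcbis or from any DMARC implementation. It runs the three methods over a constructed in-memory zone so the names each one queries for a deep sending domain can be put side by side: an RFC 7489-style lookup (exact domain, then the Organizational Domain derived from a stand-in Public Suffix List), the uncapped walk described in issue #79, and a capped walk with N=5. The exact step ordering of the dmarcbis tree walk is not on the page; the capped variant here (cut the name to its rightmost N labels after the first lookup, then continue one label at a time) is an assumption chosen to match Scott's remark that a record at _dmarc.c.d.e.f.tld is not found for a.b.c.d.e.f.tld. The zone contents, the suffix set and the domain names are all constructed.

```python
# Added example (not from the thread or any DMARC implementation): compare
# DMARC policy discovery methods over an in-memory DNS stub.
from typing import Optional

# Constructed sample zone (not real domains): DMARC TXT records keyed by
# their _dmarc.<name> owner name.
SAMPLE_ZONE = {
    "_dmarc.c.d.e.f.tld": "v=DMARC1; p=reject",  # a deep sub-organization
    "_dmarc.f.tld": "v=DMARC1; p=none",          # the RFC 7489 Organizational Domain
}

# Constructed stand-in for the Public Suffix List: "tld" is the only suffix.
SAMPLE_PUBLIC_SUFFIXES = {"tld"}


def lookup_dmarc(name: str, zone: dict) -> Optional[str]:
    """Stand-in for a DNS TXT query at _dmarc.<name>; None when no record exists."""
    rec = zone.get("_dmarc." + name.lower())
    return rec if rec and rec.startswith("v=DMARC1") else None


def organizational_domain(domain: str, suffixes: set) -> str:
    """RFC 7489-style Organizational Domain: the longest public suffix plus one label."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()


def rfc7489_lookup(domain: str, zone=SAMPLE_ZONE, suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Return (record, name_found, queried): exact domain first, then the Org Domain."""
    queried = [domain.lower()]
    rec = lookup_dmarc(domain, zone)
    if rec is None:
        org = organizational_domain(domain, suffixes)
        if org != domain.lower():
            queried.append(org)
            rec = lookup_dmarc(org, zone)
    return rec, (queried[-1] if rec else None), queried


def tree_walk(domain: str, max_labels: Optional[int] = None, zone=SAMPLE_ZONE):
    """Walk from the exact domain toward the TLD and stop at the first record.

    The TLD itself (one remaining label) is never queried.  With max_labels=N
    (an assumed simplification of the dmarcbis cap), a name longer than N labels
    is cut to its rightmost N labels after the first lookup, and the walk then
    proceeds one label at a time, so the labels in between are never queried.
    """
    labels = domain.lower().split(".")
    queried = []
    while len(labels) > 1:
        name = ".".join(labels)
        queried.append(name)
        rec = lookup_dmarc(name, zone)
        if rec is not None:
            return rec, name, queried
        if max_labels is not None and len(labels) > max_labels:
            labels = labels[-max_labels:]  # jump past the intermediate labels
        labels = labels[1:]                 # then strip one more label
    return None, None, queried


def compare(domain: str, zone=SAMPLE_ZONE) -> dict:
    """Which (record, name) each discovery method selects for `domain`."""
    return {
        "rfc7489": rfc7489_lookup(domain, zone)[:2],
        "uncapped_walk": tree_walk(domain, None, zone)[:2],
        "capped_walk_n5": tree_walk(domain, 5, zone)[:2],
    }


if __name__ == "__main__":
    deep = "a.b.c.d.e.f.tld"
    for method, (rec, name) in compare(deep).items():
        print(f"{method:15s} -> {name}: {rec}")
    # The point made in the reply: a record published at the exact sending
    # domain is found by every method, whatever the value of N.
    own = {**SAMPLE_ZONE, "_dmarc." + deep: "v=DMARC1; p=quarantine"}
    for method, (rec, name) in compare(deep, own).items():
        print(f"{method:15s} -> {name}: {rec}")
```

For a.b.c.d.e.f.tld the uncapped walk stops at c.d.e.f.tld and applies p=reject, while both the 7489 lookup and the capped walk end at f.tld and apply p=none, so the sub-organization's stricter policy only takes effect for a deep sender if that sender publishes its own record. The receiver-side consequence worth noting is that two compliant evaluators can legitimately select different policies for the same message depending on which discovery method they run.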
