> On Apr 17, 2024, at 8:29 AM, Alessandro Vesely <[email protected]> wrote:
>
> On Wed 17/Apr/2024 15:42:23 +0200 Todd Herr wrote:
>>> On Wed, Apr 17, 2024 at 1:06 AM Scott Kitterman <[email protected]>
>>> wrote:
>>> I am confused.
>>>
>>> Under the current (7489) rules a record for _dmarc.c.d.e.f.tld won't be
>>> found either in this case. Why do we need to support something that is
>>> currently unsupported?
>>
>>> We picked n=5 to allow the current org level record to be detected by the
>>> tree walk. It's true that the tree walk provides some additional
>>> flexibility for subordinate organizations within what we would call a DMARC
>>> org domain based on RFC 7489, but that was by no means anything we ever
>>> described as a feature or a goal.
>
>> I don't share your understanding here. I interpret some of the text of
>> https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/79, "Do
>> away with the PSL and Org Domain entirely; just walk the tree" to at least
>> imply that the tree walk was designed to provide this flexibility [...]
>
>
> If we wanted to provide high flexibility, then we'd have designed an
> inheritance system whereby, for example, policy or rua address can be
> inherited from parent domains. John would've called it mission gallop.
>
>
>>> Even if some organizations have very deep DNS trees, the fact that some
>>> entity uses a.b.c.d.e.f.tld doesn't affect DMARC. The record for the top
>>> level of their organization will still be found.
>>
>>> In any case, any domain, at any depth in the tree can publish their own
>>> DMARC record if they need some special thing. The value of N does not
>>> affect that at all
>
>> Fair enough. You're correct that a DMARC policy can be published for any
>> specific domain used as the RFC5322.From domain, so perhaps a bit of text
>> in the Tree Walk section describing the really deep use case and
>> the solution for it might be a compromise.
>
>
> We may say the system is harsh by design. You can rely on the org domain
> settings or define your own in the From: domain. Flexibility to fetch values
> from intermediate domains is not provided.

I’m imagining a little chaos if such flexibility were shoehorned in. Rare, sure, but frantic, baffled stress for a few unlucky souls.
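
Added illustration, not part of any message in this thread: a sketch of which `_dmarc` names a tree walk with n=5 queries for a deep From: domain, showing that an intermediate record such as `_dmarc.c.d.e.f.tld` is never consulted while the exact-domain and org-level records are. The shortening rule is assumed from the Tree Walk section of draft-ietf-dmarc-dmarcbis; the function names and the zone contents are constructed for the example.

```python
# Added example. Assumption: the walk queries the exact From: domain first,
# then (for names with n or more labels) jumps to the n-1 rightmost labels
# and strips one label per step. Not code from the draft or the list.
MAX_LABELS = 5  # the "n=5" discussed in the thread


def tree_walk_names(from_domain, n=MAX_LABELS):
    """Ordered list of _dmarc query names for a From: domain."""
    labels = from_domain.rstrip(".").lower().split(".")
    names = ["_dmarc." + ".".join(labels)]  # exact domain is always queried
    if len(labels) >= n:
        labels = labels[-(n - 1):]          # skip straight to n-1 labels
    else:
        labels = labels[1:]                 # shallow name: drop one label
    while labels:
        names.append("_dmarc." + ".".join(labels))
        labels = labels[1:]
    return names


def skipped_names(from_domain, n=MAX_LABELS):
    """Ancestor names the walk never queries, deepest first."""
    labels = from_domain.rstrip(".").lower().split(".")
    ancestors = {"_dmarc." + ".".join(labels[i:]) for i in range(len(labels))}
    missed = ancestors - set(tree_walk_names(from_domain, n))
    return sorted(missed, key=len, reverse=True)


def records_seen(from_domain, zone, n=MAX_LABELS):
    """Queried names that hold a record, in query order.
    `zone` is a dict standing in for DNS TXT lookups. This reports what the
    walk can see; it does not do the full org-domain selection."""
    return [q for q in tree_walk_names(from_domain, n) if q in zone]


# Constructed zone: an org-level record and one at an intermediate name.
ZONE = {
    "_dmarc.f.tld": "v=DMARC1; p=reject",
    "_dmarc.c.d.e.f.tld": "v=DMARC1; p=none",
}

if __name__ == "__main__":
    for dom in ("a.b.c.d.e.f.tld", "c.d.e.f.tld"):
        print(dom, "queries:", tree_walk_names(dom))
        print(dom, "skipped:", skipped_names(dom))
        print(dom, "records seen:", records_seen(dom, ZONE))
```
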
