Psd=n is the best evidence that the walk has ended in the right place and
that the domain owner has embraced DMARCbis.

Without it, we have swapped one risk for an equivalent one.  RFC7489 is at
risk of false alignment caused by missing PSL entries, while DMARCbis is at
risk of false alignment from untagged private registries.

In the absence of a PSD tag, the safest implementation is to do both Tree
Walk and PSL lookup, then take the longest result.  That added complexity
does not motivate evaluators to rapidly adopt the new spec.


Doug

On Thu, Jun 20, 2024, 4:49 AM Alessandro Vesely <[email protected]> wrote:

> On Wed 19/Jun/2024 16:53:59 +0200 John R Levine wrote:
> > On Wed, 19 Jun 2024, Alessandro Vesely wrote:
> >
> >> IOW, why not let the org domain be just the shortest of the organization
> >> domains for which a DMARC record was found?  It sounds more natural.
> >
> > In nearly every case, that is exactly what DMARC does.
> >
> > The only time something else might happen is if the domain publishes psd=n to
> > say to use a lower level name.
>
>
> Fair enough.  In that case, however, we have to say a little bit louder that
> org domains need to be marked psd=n.  For example, at step 2 of the algorithm
> in Section 4.10.2, we can say explicitly that the org domain thus determined
> might not have any DMARC records.
>
> Not setting psd=n can wreak havoc on new PSD records. Consider, for example,
> what would happen if Nominet UK, after the proven success of the gov.uk policy,
> decided to do the same also for ac.uk, co.uk, org.uk, net.uk and eventually all
> their 2ndLDs. At that point, they may consider it more efficient to define just
> one record in _dmarc.uk rather than a dozen psd=y records scattered here and
> there. There's nothing in the specs that says it's a bad idea to do so. Then
> suddenly DMARC will no longer work for the whole country.
>
>
> > We have discussed this in hundreds of messages over the past several years.  I
> > do not understand why anyone would try to relitigate it now.
>
>
> Only when I coded it I did realize how unnatural it is for the publication of
> PSD records not to be idempotent w.r.t. the determination of the org domain.
>
>
> Best
> Ale
> --
>
>
>
> _______________________________________________
> dmarc mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
>
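The fallback described in the message above (run both the Tree Walk and the PSL lookup, keep the longest result), as an added example that is not part of the original thread or of any DMARC implementation. The tree walk is a simplified model of the DMARCbis selection rules as discussed in the thread (record validation and the label limit are omitted); the DNS records, the PSL excerpt and all function names are constructed for illustration.

```python
# Constructed sample data: PSL excerpt and DNS zones below are illustrative only.
PSL = {"uk", "co.uk"}  # stand-in for the Public Suffix List (no wildcard rules)

def tree_walk_org(domain, dns):
    """Simplified DMARCbis selection over records found from `domain` upward."""
    labels = domain.split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]  # longest first
    found = [n for n in names if n in dns]   # names that publish a DMARC record
    for n in found:
        psd = dns[n].get("psd", "u")          # assumed default when tag is absent
        if psd == "n":                        # owner declares this the org domain
            return n
        if psd == "y" and n != domain:        # PSD: org domain is one label below
            return names[names.index(n) - 1]
    return found[-1] if found else None       # otherwise: fewest labels wins

def psl_org(domain, psl=PSL):
    """RFC 7489 style: longest matching public suffix plus one label."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])              # unlisted TLD: suffix is last label

def safest_org(domain, dns):
    """Run both methods and keep the longer (more specific) result."""
    results = [r for r in (tree_walk_org(domain, dns), psl_org(domain)) if r]
    return max(results, key=lambda r: r.count("."))

# Hypothetical single record at _dmarc.uk with no psd tag, and an untagged org domain.
UNTAGGED = {"example.co.uk": {"p": "reject"}, "uk": {"p": "none"}}
# Same zone, but the org domain publishes psd=n.
TAGGED = {"example.co.uk": {"p": "reject", "psd": "n"}, "uk": {"p": "none"}}
# Private registry missing from the PSL, tagged psd=y (constructed name).
REGISTRY = {"registry.example": {"p": "none", "psd": "y"}}

if __name__ == "__main__":
    for zone in (UNTAGGED, TAGGED):
        d = "mail.example.co.uk"
        print(d, tree_walk_org(d, zone), psl_org(d), safest_org(d, zone))
    d = "customer.registry.example"
    print(d, tree_walk_org(d, REGISTRY), psl_org(d), safest_org(d, REGISTRY))
```

In the untagged zone the tree walk alone puts example.co.uk and any other .uk name under the same org domain, and in the registry case the PSL lookup alone does the same for the registry's customers; the combined result avoids both.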