On Mon 30/Sep/2024 21:46:38 +0200 Murray S. Kucherawy wrote:
> Section 10.8 also talks about "periodically checking the DMARC Policy
> Records, if any, of PSDs" but doesn't talk about how one might achieve
> knowledge of where they are. Is this just caching of the ones you've
> discovered?
>> Aren't there ICANN policies that (dis)allow publishing DMARC records?
> Maybe, maybe not; do we have to complicate this work with that discussion?
Section 10.8 seems to undeservedly characterize relaxed alignment as less
secure and requiring more precautionary actions, such as periodically checking
the DMARC Policy Records of PSDs above the Organizational Domain. That's bad
advice for various reasons:
*The tone*:
Some sentences should be reworded in an alignment-neutral tone, for example:
OLD
DMARC evaluation for relaxed alignment is also highly sensitive to
errors in determining the Organizational Domain if the Author Domain
does not have a published DMARC Policy Record.
NEW
For relaxed alignment to work properly, a DMARC Policy Record has to
be defined at the Organizational Domain, possibly in addition to
records defined at the Author Domain(s), if different, in order to
ensure alignment of all subdomains.
*Periodic checking*:
Can we say that a PSO SHOULD make it clear whether or not it intends to publish
DMARC records? I don't know whether ICANN mentions that point in their
agreements, but certainly a PSO cannot set a DMARC record /by surprise/,
especially with a strict p=.
People owning a .com 2ndLD don't need to check _dmarc.com every now and then.
It won't be published. Or, if it will, it has to be loudly announced with
adequate advance notice, no?
If we know about an ICANN document that treats the issue, we must cite it. It
would rather ease users' concerns than complicate the discussion. Indeed, we
choose cryptic values y/n/u for psd= because we don't want everybody to modify
their records, because it's not needed, because we know that PSOs won't publish
DMARC records, except for a few well-known cases. Let's say so.
Best
Ale
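
The following is an added example, not part of the original message or of the draft: a sketch of how the psd= values y/n/u steer Organizational Domain selection during a DMARC tree walk, and what that means for relaxed alignment. The zone contents and function names are constructed for illustration; the sketch omits the walk's shortcut for names longer than eight labels and returns None when no record exists on the path.

```python
# Constructed zone data: names and records are illustrative, not real DNS.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject",             # no psd tag (psd=u)
    "_dmarc.bank.example": "v=DMARC1; p=quarantine; psd=n",
    "_dmarc.gov.example": "v=DMARC1; p=reject; psd=y",      # a PSO that publishes
    "_dmarc.agency.gov.example": "v=DMARC1; p=none",
}

def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys and values."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def tree_walk(domain, zone=ZONE):
    """Return [(name, tags)] for each DMARC record from domain up to the TLD."""
    labels = domain.lower().rstrip(".").split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        tags = parse_tags(zone.get("_dmarc." + name, ""))
        if tags.get("v") == "dmarc1":
            found.append((name, tags))
    return found

def organizational_domain(domain, zone=ZONE):
    """Pick the Organizational Domain from the records the walk found."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    found = tree_walk(domain, zone)
    for name, tags in found:                      # longest name first
        if tags.get("psd") == "n":
            return name                           # explicitly not a PSD
        if tags.get("psd") == "y" and name != domain:
            keep = len(name.split(".")) + 1       # one label below the PSD
            return ".".join(labels[-keep:])
    if found:                                     # no psd hint: fewest labels wins
        return min(found, key=lambda f: len(f[0].split(".")))[0]
    return None                                   # this sketch's choice: no record found

def relaxed_aligned(author_domain, authenticated_domain, zone=ZONE):
    """Relaxed alignment: both names share the same Organizational Domain."""
    org = organizational_domain(author_domain, zone)
    return org is not None and org == organizational_domain(authenticated_domain, zone)
```

With no record at _dmarc.com in the constructed zone, `mail.example.com` resolves to `example.com` from the registrant's own record alone, while the psd=y record at `gov.example` keeps two registrants beneath it from aligning with each other.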