AFAIK there are three different situations and maybe that snippet only applies to the first one:

1) If an organizational domain provides a DMARC record without rua/ruf, the PSD DMARC record rua/ruf must not be used. The PSD DMARC record is only intended to be used when there is no other option.

2) There are government owned PSDs that see a lot of phishing from non-existing subdomains as they have DMARC already set up for all existing domains. In this case the rua/ruf in the PSD record provide intel about these attacks.

3) For commercial cases (like .bank/.insurance) using rua/ruf for an existing domain with missing DMARC (falling back to the PSD record) might leak business secrets (so a privacy issue).
The business secret mentioned in (3) essentially boils down to this: company A owns a TLD with a "type of business value" (like .bank). Company B, a competitor of company A, owns a domain under the TLD owned by A. When company B is trying to onboard a new service S and at the same time doesn't have a DMARC record covering the domain the service is using, company A (being the PSD) would get a DMARC report that tells company A that company B is doing business with service S. This could also be related to acquisitions.

Hence, to be on the safe side and to support use case #2 that I know governments are very interested in, I think the only acceptable use case of using rua/ruf in the PSD record is if the organizational domain does not exist.

/E

On Mon, Oct 21, 2024 at 3:51 PM John R. Levine <[email protected]> wrote:

> On Mon, 21 Oct 2024, Murray S. Kucherawy wrote:
> > Just for context, this issue was a comment I made based on this paragraph,
> > which is in 4.10.1 of -33:
> >
> > Note: PSD policy is not used for Organizational Domains that have
> > published a DMARC Policy Record. Specifically, this is not a
> > mechanism to provide feedback addresses (rua/ruf) when an
> > Organizational Domain has declined to do so.
>
> Hm, you're right. Perhaps Scott can tell us how PSDs actually work in .bank?
>
> Regards,
> John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> dmarc mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
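The three situations above, worked through as an added example (not code from the thread or from any DMARC implementation): a minimal DMARC record parser and a policy lookup with PSD fallback. The zone, the domain names and the report address are constructed; the PSD for every `x.bank` domain is assumed to be `bank` (no tree walk), and `strict_psd_feedback` implements the proposal in this message, that PSD rua/ruf is used only when the organizational domain does not exist.

```python
# Constructed DNS data standing in for a resolver: name -> DMARC TXT record.
# "_dmarc.bank" is a hypothetical PSD record; the rest are organizational domains.
ZONE = {
    "_dmarc.bank": "v=DMARC1; p=reject; psd=y; rua=mailto:psd-reports@example.bank",
    "_dmarc.alpha.bank": "v=DMARC1; p=quarantine",  # case 1: own record, no rua/ruf
    "_dmarc.beta.bank": None,                        # case 3: domain exists, no DMARC
}
EXISTING_DOMAINS = {"alpha.bank", "beta.bank"}      # constructed; anything else is NXDOMAIN
PSD = "bank"                                         # assumption: PSD of every x.bank


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; tags are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def discover(org_domain, strict_psd_feedback=False):
    """Return (policy, rua) the receiver would apply for org_domain.

    Organizational record present: use it as-is; PSD rua/ruf is never
    borrowed to fill in missing feedback addresses (the 4.10.1 note).
    No organizational record: fall back to the PSD record. With
    strict_psd_feedback, PSD rua is only used when the domain does not exist.
    """
    own = ZONE.get(f"_dmarc.{org_domain}")
    if own:
        tags = parse_dmarc(own)
        return tags["p"], tags.get("rua")
    psd_tags = parse_dmarc(ZONE[f"_dmarc.{PSD}"])
    if strict_psd_feedback and org_domain in EXISTING_DOMAINS:
        return psd_tags["p"], None          # existing domain: no report to the PSD owner
    return psd_tags["p"], psd_tags.get("rua")


if __name__ == "__main__":
    for domain in ("alpha.bank", "beta.bank", "ghost.bank"):
        print(domain, discover(domain), discover(domain, strict_psd_feedback=True))
```

Under the 4.10.1 note alone, `beta.bank` (existing, no record) still reports to the PSD address, which is the leak described above; with the stricter rule only the non-existent `ghost.bank` does.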
