On Mon, 21 Oct 2024, Emil Gustafsson wrote:
> 3) For commercial cases (like .bank/.insurance) using rua/ruf for an
> existing domain with missing DMARC (falling back to PSD record) might leak
> business secrets (so a privacy issue).

A PSD is a registry, which means that the names under the PSD have a
business relationship with the PSD's operator. That relationship controls
what the two parties can do. In the case of .BANK and .INSURANCE, I
happen to know that the registry's rules require that the registrants have
a specific DMARC setup, and they use reports to the PSD to check that the
registrants have that setup.

We have no idea what arrangements other registries might make with their
registrants, and we should not try to guess.

I would be OK with language that notes that DMARC allows a PSD to collect
reports about subdomains that don't have their own DMARC records, and it's
up to the PSD and its subdomains to decide whether the PSD does collect
reports and if so what it does with them.

R's,
John
_______________________________________________
dmarc mailing list -- [email protected]