Thanks for the review.
On Wed, 4 Dec 2024, Ines Robles via Datatracker wrote:
> 1- DMARC Tree Walk:
> 1-1: Related to CNAME:
> 1.1.1- Does the resolution of a CNAME record during a DMARC Tree Walk
> override the normal Tree Walk process?

This is really a DNS question. DMARC doesn't do anything special with the
DNS, so if there's a CNAME, DNS libraries will resolve the CNAME in the
usual way.

> 1-2: Related to Wildcard Records:
> 1.2.1: Does a wildcard DMARC record apply only when no explicit _dmarc
> record exists for the queried domain?
> 1.2.2: If both an explicit _dmarc record and a wildcard record exist at the
> same level (e.g., _dmarc.example.com and *.example.com), does the explicit
> record always take precedence over the wildcard?

This is another DNS question. Explicit names always take precedence over
wildcards.

> 2- How should multi-tenant email systems, where subdomains are shared among
> different organizations, manage DMARC policies effectively? Are there best
> practices or recommendations for defining subdomain policies using the sp tag
> in such setups? For example, in cases where multiple tenants share subdomains
> (e.g., tenant1.example.com and tenant2.example.com), should the sp tag be
> recommended to enable policy differentiation among tenants?

Honestly, in the decade we've been using DMARC, I don't recall this
question coming up either here or at M3AAWG. If the subdomains really are
different organizations, the domain is a PSD.

> 3- How should Mail Receivers handle malformed or incomplete DMARC records
> during policy discovery and evaluation?

Experience has shown that trying to guess how people will screw up and
work around it has never worked well. If you want people to follow your
DMARC policy and send you reports, follow the spec and publish a valid
record. If there's no valid DMARC record, there's no valid DMARC record
and the result isn't defined.

> 4- How should Mail Receivers handle cases where no PSD-related DMARC policy is
> found (e.g., no DMARC record at the PSD level, incomplete PSD DMARC record, or
> missing p= tag)?

The spec says what to do. In practice we expect very few PSDs to publish
DMARC records. There are at least a thousand PSDs and I am aware of about
a dozen with DMARC records.

> 5- Should the draft include guidance on handling replay attacks that leverage
> valid DKIM signatures, given the potential for misuse in bypassing DMARC
> validation?

DKIM replay is a separate issue. If it's of interest see the DKIM2
discussion in the ietf-dkim list.

> 6- Appendix C.3: Related to "...That RFC was an Experimental RFC, and the
> results of that experiment were that the RFC was not implemented as written..."
> It would be nice to add some references to the results of that experiment.

I don't think there are any. They were observations by the author of the RFC.

> Nits:
> 7- Section 4.9: Add caption in Figure of Flow Diagram
> 8- Section 4.10: discovry --> discovery?
> 9- Section 10.8: Organizataional --> Organizational
Thanks.
Regards,
John Levine, [email protected], Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
dmarc mailing list -- [email protected]
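As an added illustration of the DNS and discovery points made in the reply above (an explicit name beating a wildcard, a TXT record that does not start with v=DMARC1 counting as no record at all, and a psd=y record ending the tree walk), here is a small Python model that is not from the thread, the draft, or any DMARC implementation. The zone data is constructed, and the walk is a simplified DMARCbis-style walk whose exact label limits the thread does not quote.

```python
import re

# Constructed in-memory zone (name -> TXT strings): an assumption of this example.
ZONE = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine"],
    "*.example.com": ["v=DMARC1; p=none"],                     # wildcard TXT
    "_dmarc.tenant1.example.com": ["v=DMARC1; p=quarantine"],  # explicit name
    "_dmarc.broken.example.com": ["p=reject; v=DMARC1"],       # v= is not first
    "_dmarc.dup.example.com": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "_dmarc.co.example": ["v=DMARC1; p=none; psd=y"],          # PSD record
}

def lookup_txt(name):
    """Toy resolver: an explicit name always wins; a wildcard answers only when
    the name does not exist and its closest existing ancestor owns '*' (RFC 4592)."""
    if name in ZONE:
        return ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if any(k == ancestor or k.endswith("." + ancestor) for k in ZONE):
            return ZONE.get("*." + ancestor, [])  # closest encloser found
    return []

def parse_dmarc(txt):
    """Tag dict if 'v=DMARC1' is the first tag, else None (not a DMARC record)."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0], re.I):
        return None
    return {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts)}

def dmarc_record(domain):
    """The one valid record at _dmarc.<domain>; zero or several means 'no valid
    DMARC record' (RFC 7489 section 6.6.3), as the reply to point 3 puts it."""
    found = [t for t in map(parse_dmarc, lookup_txt("_dmarc." + domain)) if t]
    return found[0] if len(found) == 1 else None

def tree_walk(domain):
    """Query _dmarc.<domain>, then each ancestor up to the TLD, collecting valid
    records and stopping at one flagged psd=y (simplified DMARCbis-style walk)."""
    labels, found = domain.lower().rstrip(".").split("."), []
    while labels:
        tags = dmarc_record(".".join(labels))
        if tags:
            found.append((".".join(labels), tags))
            if tags.get("psd", "").lower() == "y":
                break  # a PSD record ends the walk
        labels = labels[1:]
    return found
```

Running `tree_walk("tenant2.example.com")` shows the wildcard answering for a tenant with no explicit record, while `tree_walk("broken.example.com")` skips the malformed record and lands on the parent's policy.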