Re: [dmarc-ietf] DMARC PSD and non-existent subdomains
Scott Kitterman <sklist@kitterman.com> Mon, 10 June 2019 22:41 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0026B12006E for <dmarc@ietfa.amsl.com>; Mon, 10 Jun 2019 15:41:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=Aud+3mVP; dkim=pass (2048-bit key) header.d=kitterman.com header.b=Qd+2gYT7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2mFDs5RW4qoW for <dmarc@ietfa.amsl.com>; Mon, 10 Jun 2019 15:41:18 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B889312004A for <dmarc@ietf.org>; Mon, 10 Jun 2019 15:41:17 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id C2AB4F807AB for <dmarc@ietf.org>; Mon, 10 Jun 2019 18:41:16 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1560206476; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=ourohpPKSGVUgWt0McqAhKkEEZqWL/T2MnYy4ENk8dQ=; b=Aud+3mVPQXr+Bb6W3nh4FEZA3orcdBoc1uIJrUVBqawPb8jfSGDm/EGo Bq0BngosI9PFn9dqu0jdAu75E9H1Bw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1560206476; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=ourohpPKSGVUgWt0McqAhKkEEZqWL/T2MnYy4ENk8dQ=; b=Qd+2gYT7bPblnMqPwzbz4b9W/ggli5EgoojaamAldSjXacRfMGahmvbk cY4IpmdoKaxqjxjdj3Z+PFHsIjnKTMQGqGkEDTJ5hO/D9NlsogtLEMRhs/ EfvaVNHNXF+nynRggFDOUaFWhOylCT5MB+LA5wNdMGq7spfQPxNpHEN1Ga ZwkeDDLP7XP2Gw7uEzCRRxvI68IVU+yVcGR7V0XKZ1GhGjh9+ongmtFHCU HOVhWWvnWeGTKLt7aAJjM2Slen1x+Xwm8CPxQbxnzOnCyMEVFDJZ+j2ig9 +Kxbzg+peIB1WVFD7AjT2kZUXu3CU9xkJZMiyUW+Sf39TWChTC+eaQ==
Received: from l5580.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 90C01F8001B for <dmarc@ietf.org>; Mon, 10 Jun 2019 18:41:16 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Mon, 10 Jun 2019 18:41:16 -0400
Message-ID: <5425365.YBKd1By0BY@l5580>
In-Reply-To: <LO2P123MB23346502F9B6F1EE38269147AD130@LO2P123MB2334.GBRP123.PROD.OUTLOOK.COM>
References: <LO2P123MB2334F6DE24EFE7FF43DEDB39AD180@LO2P123MB2334.GBRP123.PROD.OUTLOOK.COM> <CAD2i3WPsdoJEnhRLCTdyd3xkQ_+5NkVKqekBQGmL2U7233KVRw@mail.gmail.com> <LO2P123MB23346502F9B6F1EE38269147AD130@LO2P123MB2334.GBRP123.PROD.OUTLOOK.COM>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/-eZIj0pmSwxcFzGDvEVyTwZFRPw>
Subject: Re: [dmarc-ietf] DMARC PSD and non-existent subdomains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jun 2019 22:41:20 -0000
On Monday, June 10, 2019 8:07:25 AM EDT Richard C wrote: > Thanks for the question, Seth. > What would be the best way to incorporate this requirement? > The simplest possible way to address this use case is just to make sure > those existing but currently non-compliant domains just have a bare p=none > record. Then they'll never fall back to the > gov.uk<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fgov > .uk&data=02%7C01%7CRichard.C%40ncsc.gov.uk%7C5e404b44633f4f62576c08d6e558b35 > 3%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C636948566460672014&sdata=ihf4 > soMa8kR%2BcGFwjiIwgy9iHDnrnKLkawsj0Zm9Mi4%3D&reserved=0> record. There's no > risk to inadvertently breaking mail here. > Is it remotely realistic for you to offer this guidance? If you're already > saying that p=reject is required, how painful is it to advertise that any > domain without a DMARC record will get p=reject by default unless it > explicitly puts p=none in? > I wish that publishing guidance resulted in swift adoption of it but > unfortunately it’s not so simple. We already have guidance published > requesting that organisations configure DMARC on their gov.uk domain > (starting at ‘none’ and progressing to ‘reject’ as they gain confidence). > The problem is we have ~3500 domains in use, many by smaller organisations > with limited technical ability. Whilst we’ll continue to work towards > helping them all deploy DMARC, realistically there will be a long tail to > adoption, hence our interest in support for different policies for the > existent and non-existent subdomains in DMARC PSD. > Presumably other PSDs that aren’t brand new will have this problem too? I’m > interested to hear whether we’re on our own or not. As written, DMARC (RFC 7489) has the option to express different policy for subdomains (sp= tag). Perhaps we could address this case in PSD DMARC by leveraging that feature. PSD DMARC is the first time there is any DMARC related explicit guidance on non-existent sub-domains. If we made it a rule that non-existent sub-domains use the domain level (p=) policy and existent sub-domains use the sub-domain policy (sp=) then I believe the affect you are after is achievable. Assuming p=reject and sp=none at the PSD level, the result would be: existing org domain (or sub) with DMARC record = use org policy existing org domain (or sub) with no DMARC record = None policy Non-existing org domain (or sub) with DMARC record = Reject policy PSD domain = Reject policy That would be a non-trivial increase in implementation complexity for receivers, so I think we need some discussion about if there is consensus to take this on. Scott K
- [dmarc-ietf] DMARC PSD and non-existent subdomains Richard C
- Re: [dmarc-ietf] DMARC PSD and non-existent subdo… Seth Blank
- Re: [dmarc-ietf] DMARC PSD and non-existent subdo… Richard C
- Re: [dmarc-ietf] DMARC PSD and non-existent subdo… Scott Kitterman
- Re: [dmarc-ietf] DMARC PSD and non-existent subdo… Alessandro Vesely
- Re: [dmarc-ietf] DMARC PSD and non-existent subdo… Hector Santos