Re: [dmarc-ietf] Benjamin Kaduk's Discuss on draft-ietf-dmarc-psd-12: (with DISCUSS and COMMENT)

Tim Wicinski <> Mon, 10 May 2021 20:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1449E3A2A7D; Mon, 10 May 2021 13:45:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id hWeaxcG8ZOGT; Mon, 10 May 2021 13:45:17 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D1C433A2A72; Mon, 10 May 2021 13:45:16 -0700 (PDT)
Received: by with SMTP id h4so25438038lfv.0; Mon, 10 May 2021 13:45:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bcB92YiEV6+WFhVnWIhnSWvyBiGWEC3kBBJrwnVZPyE=; b=n+TbI8yryHd/O4uyptYT7N289JFyBPP/AsJZOY3y8URYRZ/kDZDg8umnnXLegpK8rb +Uvqjdkox6bPr+191XFIH3+IQ66cCeOEVGQrQCovdFeHl5t5OE8DpTocnn2fM10taRTy lRex5TFAflE50L0ClEq1VHRsq8maXgOlEq+MKg/UBugPZPlagnckbLbcZLO11cZlB+ie WVnJBJhPmlUFQdgH0Z1TGNIjg6KnSm/sIfxiuALFJ5pc5AAEE5Y31GdiROedPd9JuhWG 2Sm99nZ87D7y2Vdg5bV6y683Q+zkPpNKuZxF/Qivb5spjLcXlDi8Z4rOzZJxhbc31bVn ffRQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bcB92YiEV6+WFhVnWIhnSWvyBiGWEC3kBBJrwnVZPyE=; b=shrshi7XnCyQgSc1zVXMSbrVaYvXxcBV/Mo98gtoLWvhf5mDQ0zWwKcvI38MsVxZm7 9PYAPUNyAFQSKb4lJ6OiIdCs3YWrihlPpqAkwTlnhq2gVHLi1zSJDkbvuiFMN0yTFWLh EUZxKSC9g6Cg7HneEdWrVXOIWhqrbvE72abxAUAyOloztTsy5mGBUKGG1irGUet3MKEm I5yQPLZzvLCCgVSougsmjT6HgKi/Hth/f+Dm9JgCggSdXjC//DBQ5oTbfR7uLKCFylsV aMzhBeh1uzOIxFrVunGoVNMpLzqn/ISuHJmelyyC9eZfacU9gAIbXKBUGmrFD7Mz/swE +Jfg==
X-Gm-Message-State: AOAM532SM/Ra+PSIL84ZKenho1L794jjljgDV8DXwEIKTc0gF4VEWwj9 7mgWfaoxv4WouoL/GQEjytpH7U1ZmeiwJWyfbrE=
X-Google-Smtp-Source: ABdhPJz2HJOE5bYnH9njMxZzJ/gYi27KgFybnA+PANnwdqGF+GFMqgInTp1SPSB+IBeM7X7cSu9kTyxno3ok5E5g9zM=
X-Received: by 2002:a05:6512:689:: with SMTP id t9mr18006893lfe.262.1620679513392; Mon, 10 May 2021 13:45:13 -0700 (PDT)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Tim Wicinski <>
Date: Mon, 10 May 2021 16:45:02 -0400
Message-ID: <>
To: Benjamin Kaduk <>
Cc: The IESG <>,,, IETF DMARC WG <>, Alexey Melnikov <>
Content-Type: multipart/alternative; boundary="000000000000b0ca5105c1ffda87"
Archived-At: <>
Subject: Re: [dmarc-ietf] Benjamin Kaduk's Discuss on draft-ietf-dmarc-psd-12: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 10 May 2021 20:45:26 -0000


On Wed, Apr 21, 2021 at 1:04 AM Benjamin Kaduk via Datatracker <> wrote:

> Benjamin Kaduk has entered the following ballot position for
> draft-ietf-dmarc-psd-12: Discuss
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> There seems to be a bit of internal inconsistency in Appendix B.2:
>    Names of PSDs participating in PSD DMARC must be registered this new
>    registry.  New entries are assigned only for PSDs that require use of
>    DMARC.  [...]
> These two sentences seem to be in conflict, since a PSD can participate
> in PSD DMARC without requiring use of DMARC for all its subdomains.  The
> rest of the section is clear that the registry is only intended to be
> for PSDs that do require the use of DMARC for subdomains, so I expect
> that a minor tweak to the wording of "PSDs participating in PSD DMARC"
> would be an appropriate fix.
I reworded these two sentences to say:

    PSDs that are deploying DMARC and are participating in PSD DMARC
    must register their public suffix domain in this
    new registry.

Does this sound better ?

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> This document is generally in pretty good shape; my comments (and,
> to some extent, my discuss as well) are pretty minor points.
> Thanks to Sandra Murphy for the secdir review.  I think there were some
> questions in there that are worth a response and possibly clarifications
> in the document.
Sandra did a strong review and I believe we worked through the issues

> Section 1.2
> It seems like the "branded PSD" and "multi-organization PSD" cases would
> benefit from a protocol-level indication and separate handling by
> message recipients.  It seems likely that the newly defined np (in
> combination with the preexisting sp) provides the flexibility to
> describe the different cases, but it seems like it would be helpful to
> have some discussion in this document that relates these two cases to
> the actual protocol mechanisms used to achieve them.
There is no different handling of between a "Branded PSD" and a
"multi-organization PSD".  The difference is highlighting the types.

> Section 3
> As Lars and Éric already commented, I suggest using a phrasing that
> includes something like "this experiment" and maybe "proposes", since
> actually formally updating the DMARC specification would procedurally be
> a bit exciting.
I've updated this text.

Section 3.2
>    np:  Requested Mail Receiver policy for non-existent subdomains
>       (plain-text; OPTIONAL).  Indicates the policy to be enacted by the
> I assume that "subdomains" here refers only to direct children (i.e.,
> one additional label), not deeper in the hierarchy.  It's not entirely
> clear to me whether all readers will do likewise, though...
It is the direct subdomain.   There is discussion inb RFC7489 if a subdomain
does not have a _dmarc DNS record, the _dmarc record at the parent domain is

> Section 3.3, 3.6
> It sounds like this entire paragraph is appended to the section?
> In other subsections we are a bit more explicit about where the new text
> is going and what part is the new text.
I added this text to the beginning of each paragraph:

    If this experiment is successful, this paragraph is added to this

Does that help?

> Section 4.1
>    o  Multi-organization PSDs (e.g., ".com") that do not mandate DMARC
>       usage: Privacy risks for Organizational Domains that have not
>       deployed DMARC within such PSDs are significant.  For non-DMARC
>       Organizational Domains, all DMARC feedback will be directed to the
>       PSO.  PSD DMARC is opt-out (by publishing a DMARC record at the
>       Organizational Domain level) vice opt-in, which would be the more
>       desirable characteristic.  This means that any non-DMARC
>       organizational domain would have its feedback reports redirected
>       to the PSO.  The content of such reports, particularly for
>       existing domains, is privacy sensitive.
> It might be worth making some statement about the applicability of PSD
> DMARC for such PSDs that do not mandate DMARC usage.  (I guess the
> following paragraphs mostly play that role, though perhaps editorially
> tying them together more clearly is possible.)

I'm not sure where you're going on this, but the following paragraphs do
try to pull it together.  I've been trying to wordsmith these with little

Also, it appears that the word "vice" above should be "versus".

> Or, in the vein of my comment on section 1.2, an explicit protocol
> mechanism could be introduced that limits the reporting to just the
> indicated (public suffix) domain and does not apply to subdomains.
>    organizational PSDs MUST be limited to non-existent domains except in
>    cases where the reporter knows that PSO requires use of DMARC.
> Do we have examples of how the reporter might come to know this?
> Say ... Appendix B.2?
Roman raised a similiar point.   I was thinking of adding
    "(by checking the DMARC PSD Registry)"

or would a full sentence be used to bring the point back home?

> Appendix A
>    o  Section 3.2 adds the "np" tag for non-existent subdomains (DNS
>       NXDOMAIN).  [...]
> Per §2.7, this is for NXDOMAIN or NODATA, not just NXDOMAIN.
NODATA is returned when there are Resource Records there, but nothing
matches the request.  Since the DMARC is a TXT record of the form
_dmarc.<subdomain>, there will never be any other resource record at
that location.

> Appendix B.1
>    A sample stand-alone DNS query service is available at
>    [].  It was developed based on the contents suggested for
> "DNS query service" is so generic so as to be almost meaningless.  Even
> if we defer usage instructions to the external site, we should probably
> say a bit more about what it is expected to do.
> I tend to agree with you here.  The only other options I could come
up with is "PSD DMARC Lookup service".    I'll try a few others.