Re: [dmarc-ietf] PSD vs org, 5.5.4. Publish a DMARC Policy for the Author Domain - dmarcbis-06

[Alessandro Vesely <vesely@tana.it>]

On Wed 06/Apr/2022 07:07:32 +0200 Scott Kitterman wrote:
> On April 6, 2022 2:21:52 AM UTC, John R Levine <johnl@taugh.com> wrote:
>>On Tue, 5 Apr 2022, Scott Kitterman wrote:
>>>>> _dmarc.ac.me TXT "v=DMARC1; p=quarantine; adkim=r; aspf=r; fo=0; pct=100; rua=mailto:dmarc@ac.me"
>>>>> ac.me mail is handled by 10 mail.ac.me.
>>>>> ac.me TXT "v=spf1 mx ip4:89.188.43.10 ip6:2a02:4280:0:200:89:188:43:10 -all"
>>>
>>> Generally speaking, I think that a PSD can send mail and it should be covered 
>>> by DMARC, so I disagree with the idea that a PSD can never also be an Org.


They can send mail, but they're different from an org domain in that the latter 
can have aligned subdomains.


>>How about if we say that if the initial domain has psd=y, that's the org 
>>domain and you don't look anywhere else.  That is easy to explain and I 
>>don't think we are likely to find anything that better matches the 
>>expectations of people who send mail from PSDs.
>>
>>There are 44 domains in the "ICANN" part of the PSL that have MX records 
>>and at least 400 in the "PRIVATE" part so I think it would be a good idea 
>>to have a plan for how DMARC works for them.
>
> Agreed as far as having a plan, but it would have to be more complicated or more restrictive than that, I think.
>
> Let's take the example of:
>
> 5322.From: psd.example (which has psd=y)
> 5321.MailFrom: spf.psd.example
> d= domain: dkim.psd.example.
>
> If we just ignore psd=y for an exact match, then the org domain for psd.example is psd.example, spf.psd.example for SPF, and dkim.psd.example for DKIM.


It is not that we ignore psd=y.  I'd say that in this case psd.example /must be 
treated like/ an org domain —although it isn't— with the restriction that 
alignment must be strict.


> Neither align since neither have the same org domain as the 5322.From.


Correct, for whatever definition of org domain.


> I see two potential paths out of this:
> 
> 1.  Slightly expand your proposal to say that if the 5322.From domain has psd=y, then the psd tag is ignored for all org domain determinations for the message.
> 
> 2.  Just say explicitly, if you are a PSD, you have to make all three the exact domain (effectively like strict alignment only).
> 
> The current text says a domain is always its own org domain, so we have (without explaining it anywhere) defined #2 currently.  I think that's good.


I agree that #2 is straightforward.  It follows also if we define alignment for 
either identical domains or both admitting identical org domains (as per my 
proposed amendment).


> PSDs, have already (mostly) told us that the name space below is administratively distinct.  The approach in #1 would give all their customers the ability to spoof them, which is suboptimal.  Additionally it would make the SPF and DKIM org domain determinations dependent on the org domain determination from the 5322.From.  That adds complexity and seems ugly.


+1,  #2 is the way to go.


Best
Ale
--