Re: [dmarc-ietf] PSD vs org, 5.5.4. Publish a DMARC Policy for the Author Domain - dmarcbis-06
Scott Kitterman <sklist@kitterman.com> Wed, 06 April 2022 05:08 UTC
On April 6, 2022 2:21:52 AM UTC, John R Levine <johnl@taugh.com> wrote:
>On Tue, 5 Apr 2022, Scott Kitterman wrote:
>>>> _dmarc.ac.me TXT "v=DMARC1; p=quarantine; adkim=r; aspf=r; fo=0; pct=100;
>>>> rua=mailto:dmarc@ac.me" ac.me mail is handled by 10 mail.ac.me.
>>>> ac.me TXT "v=spf1 mx ip4:89.188.43.10 ip6:2a02:4280:0:200:89:188:43:10 -all"
>
>> Generally speaking, I think that a PSD can send mail and it should be covered
>> by DMARC, so I disagree with the idea that a PSD can never also be an Org.
>
>How about if we say that if the initial domain has psd=y, that's the org
>domain and you don't look anywhere else. That is easy to explain and I
>don't think we are likely to find anything that better matches the
>expectations of people who send mail from PSDs.
>
>There are 44 domains in the "ICANN" part of the PSL that have MX records
>and at least 400 in the "PRIVATE" part so I think it would be a good idea
>to have a plan for how DMARC works for them.

Agreed as far as having a plan, but it would have to be more complicated or more restrictive than that, I think.

Let's take the example of:

5322.From: psd.example (which has psd=y)
5321.MailFrom: spf.psd.example
d= domain: dkim.psd.example.

If we just ignore psd=y for an exact match, then the org domain for psd.example is psd.example, spf.psd.example for SPF, and dkim.psd.example for DKIM. Neither aligns since neither has the same org domain as the 5322.From.

I see two potential paths out of this:

1. Slightly expand your proposal to say that if the 5322.From domain has psd=y, then the psd tag is ignored for all org domain determinations for the message.

2. Just say explicitly, if you are a PSD, you have to make all three the exact domain (effectively like strict alignment only).

The current text says a domain is always its own org domain, so we have (without explaining it anywhere) defined #2 currently. I think that's good. PSDs have already (mostly) told us that the name space below is administratively distinct. The approach in #1 would give all their customers the ability to spoof them, which is suboptimal. Additionally it would make the SPF and DKIM org domain determinations dependent on the org domain determination from the 5322.From. That adds complexity and seems ugly.

A PSD that does control/trust the namespace below it (e.g. .mil) might not even need to bother with psd=y if they aren't worried about their registrants spoofing each other.

My suggestion is that we leave the process as is and add some explanation for PSDs on the implication of being a mail sending PSD that does DMARC. It should be simple enough. If the group agrees, I can write something up, but I don't think the next revision needs to wait for it.

Scott K
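
The psd.example case from the message above, worked through as an added example; this is not code from the poster or from the dmarcbis draft. It uses a simplified model of the org domain walk, a constructed DNS view in which only psd.example publishes a record, and a hypothetical registrant.psd.example standing in for a customer of the PSD.

```python
# Added illustration; a simplified model, not the draft's normative algorithm.
# Constructed DNS view: only psd.example publishes a DMARC record (psd=y).
RECORDS = {"psd.example": {"psd": "y"}}

def org_domain(domain, records, ignore_psd=False):
    """Walk from the domain toward the root and pick an org domain."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels[i:]) for i in range(len(labels))]
    for i, name in enumerate(names):
        rec = records.get(name)
        if rec is None:
            continue
        psd = None if ignore_psd else rec.get("psd")
        if psd == "n":
            return name
        if psd == "y":
            # Starting domain is its own org domain; otherwise the org
            # domain is the name one label below the PSD.
            return name if i == 0 else names[i - 1]
    found = [n for n in names if n in records]
    # No psd tag seen: shortest name with a record, else the domain itself.
    return found[-1] if found else names[0]

def aligned(from_domain, auth_domain, records, path):
    """Relaxed alignment under path 1 or path 2 from the message."""
    from_rec = records.get(from_domain.lower().rstrip("."), {})
    # Path 1: a psd=y From domain switches the psd tag off for the message.
    ignore = path == 1 and from_rec.get("psd") == "y"
    return (org_domain(from_domain, records, ignore)
            == org_domain(auth_domain, records, ignore))

def compare(records=RECORDS):
    """Alignment of each authenticated domain with From: psd.example."""
    auth = ["psd.example", "spf.psd.example", "dkim.psd.example",
            "registrant.psd.example"]  # last name is hypothetical
    return {p: {d: aligned("psd.example", d, records, p) for d in auth}
            for p in (1, 2)}

if __name__ == "__main__":
    for path, result in compare().items():
        print("path", path, result)
```

Under path 2 only the exact domain aligns with the PSD's own From, while under path 1 every name below psd.example aligns with it, registrant names included.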