Re: [dmarc-ietf] DMARC PSD and non-existent subdomains

Richard C <Richard.C@ncsc.gov.uk> Mon, 10 June 2019 12:07 UTC

From: Richard C <Richard.C@ncsc.gov.uk>
To: Seth Blank <seth@sethblank.com>
CC: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] DMARC PSD and non-existent subdomains
Thread-Index: AdUW/jphmQ6IwLIpSlOVp/KM9LEwVAAQ0CMAAOBoajA=
Date: Mon, 10 Jun 2019 12:07:25 +0000
Message-ID: <LO2P123MB23346502F9B6F1EE38269147AD130@LO2P123MB2334.GBRP123.PROD.OUTLOOK.COM>
References: <LO2P123MB2334F6DE24EFE7FF43DEDB39AD180@LO2P123MB2334.GBRP123.PROD.OUTLOOK.COM> <CAD2i3WPsdoJEnhRLCTdyd3xkQ_+5NkVKqekBQGmL2U7233KVRw@mail.gmail.com>
In-Reply-To: <CAD2i3WPsdoJEnhRLCTdyd3xkQ_+5NkVKqekBQGmL2U7233KVRw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sf_QbmESIl3cJbExsW1r3Kz7sxM>
Subject: Re: [dmarc-ietf] DMARC PSD and non-existent subdomains
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>

Thanks for the question, Seth.
> What would be the best way to incorporate this requirement?
> The simplest possible way to address this use case is just to make sure those existing but currently non-compliant domains just have a bare p=none record. Then they'll never fall back to the gov.uk record. There's no risk to inadvertently breaking mail here.
>
> Is it remotely realistic for you to offer this guidance? If you're already saying that p=reject is required, how painful is it to advertise that any domain without a DMARC record will get p=reject by default unless it explicitly puts p=none in?

I wish that publishing guidance resulted in swift adoption of it but unfortunately it’s not so simple. We already have guidance published requesting that organisations configure DMARC on their gov.uk domain (starting at ‘none’ and progressing to ‘reject’ as they gain confidence). The problem is we have ~3500 domains in use, many by smaller organisations with limited technical ability. Whilst we’ll continue to work towards helping them all deploy DMARC, realistically there will be a long tail to adoption, hence our interest in support for different policies for the existent and non-existent subdomains in DMARC PSD.

Presumably other PSDs that aren’t brand new will have this problem too? I’m interested to hear whether we’re on our own or not.

Richard
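The policy-discovery chain the two messages above are arguing about, as an added example: this toy resolver is not code from the thread, from the NCSC or from any IETF document. It assumes gov.uk is a participating PSD, that organizational domains sit one label below it, that a domain "exists" iff it has an A, AAAA or MX record, and that the np tag falls back to sp and then p; the zone is constructed in memory and no DNS is queried. It shows why a bare p=none on an existing domain stops the fall-through to the gov.uk record, how a PSD record with sp=none and np=reject gives the existent/non-existent split Richard asks for, and one caveat: a bare p=none on an organizational domain also covers that domain's non-existent subdomains, so a domain owner who wants those rejected needs np=reject in its own record.

```python
"""Toy DMARC policy discovery with PSD fallback and the np tag.

Added example for this thread; not code from the list, the NCSC or any IETF
document. The zone below is constructed in memory (no DNS is queried).
Assumptions: gov.uk is a participating PSD, organizational domains sit one
label below it, a domain "exists" iff it has an A, AAAA or MX record, and
np falls back to sp and then p.
"""
from __future__ import annotations

PSD = "gov.uk"  # assumed participating public suffix domain

# Constructed zone: name -> (has A/AAAA/MX, TXT at _dmarc.<name> or None)
ZONE: dict[str, tuple[bool, str | None]] = {
    "gov.uk":             (True, "v=DMARC1; p=reject; sp=none; np=reject"),
    "compliant.gov.uk":   (True, "v=DMARC1; p=reject; rua=mailto:dmarc@compliant.gov.uk"),
    "laggard.gov.uk":     (True, "v=DMARC1; p=none"),  # the bare p=none stopgap
    "legacy.gov.uk":      (True, None),                 # in use, no DMARC record yet
    "mail.legacy.gov.uk": (True, None),
}


def parse_record(txt: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict; reject non-DMARC records."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"not a usable DMARC record: {txt!r}")
    return tags


def domain_exists(name: str) -> bool:
    """A/AAAA/MX presence stands in for the non-existent-domain test."""
    return ZONE.get(name, (False, None))[0]


def lookup_dmarc(name: str) -> dict[str, str] | None:
    """Simulates the TXT query for _dmarc.<name>; None when absent."""
    txt = ZONE.get(name, (False, None))[1]
    return parse_record(txt) if txt else None


def organizational_domain(name: str) -> str:
    """One label under the PSD; real code would consult the Public Suffix List."""
    if name == PSD:
        return PSD
    if not name.endswith("." + PSD):
        raise ValueError(f"{name} is not under {PSD}")
    labels = name[: -len(PSD) - 1].split(".")
    return f"{labels[-1]}.{PSD}"


def subdomain_policy(rec: dict[str, str], from_domain: str) -> str:
    """Policy an inherited record requests for a subdomain it covers."""
    if not domain_exists(from_domain):
        return rec.get("np", rec.get("sp", rec["p"]))   # np -> sp -> p
    return rec.get("sp", rec["p"])                      # sp -> p


def effective_policy(from_domain: str) -> tuple[str, str | None]:
    """Return (policy, owner of the record used) for an RFC5322.From domain.

    Order: the exact domain, then its organizational domain, then the PSD.
    """
    rec = lookup_dmarc(from_domain)
    if rec:
        return rec["p"], from_domain        # own record: p applies, no fallback
    org = organizational_domain(from_domain)
    if org != from_domain:
        rec = lookup_dmarc(org)
        if rec:
            return subdomain_policy(rec, from_domain), org
    rec = lookup_dmarc(PSD)
    if rec:
        return subdomain_policy(rec, from_domain), PSD
    return "none", None                     # no policy found anywhere


if __name__ == "__main__":
    for d in ("compliant.gov.uk", "laggard.gov.uk", "legacy.gov.uk",
              "mail.legacy.gov.uk", "phish.gov.uk", "news.laggard.gov.uk"):
        print(f"{d:22s} -> {effective_policy(d)}")
```

Running it shows legacy.gov.uk (exists, no record) inheriting sp=none from gov.uk rather than p=reject, phish.gov.uk (non-existent) inheriting np=reject, laggard.gov.uk stopping at its own p=none, and news.laggard.gov.uk also landing on none because laggard's record carries no np.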