On November 28, 2024 4:11:35 PM UTC, "John R. Levine" <[email protected]> wrote:

>On Wed, 28 Nov 2024, Stephen Farrell wrote:
>> Personally, I do think it odd there's no way for a sender to use
>> DMARC to say "I know I still have to publish SPF stuff, so as not
>> to break things, but I'd really prefer you ignore that and depend
>> only on my DKIM stuff if you know how to parse this new bit of a
>> TXT RR for DMARC."
>
>DMARC can pass with either SPF or DKIM, so if you don't like SPF, you don't
>have to publish it at all. Or if you want to be clever, your SPF record can
>say ?ip:1.2.3.4 rather than +ip:1.2.3.4 which returns a neutral result, not
>enough for DMARC but usually enough for the handful of mail systems that try
>to enforce SPF. This is all in the mailing list discussion.
>
>As you noted, this draft is already too long so rather than adding more text,
>I'd rather do an A/S or maybe an update to 7208 on Why and How Not to Use SPF.
>
>>>> (2) The tree-walk calls for querying TLDs for TXT RRs. Was that
>>>> discussed with DNS operators for TLDs? ...
>
>> With the same attitude as above (no harm for us to clarify a bit more,
>> but "secdir-reviewer being happy" is not a required outcome here), I'd
>> say being able to convince the IESG that more than a couple of oddball
>> TLDs are ok with this would be a good plan. (When I tried a few, I got
>> NXDOMAIN answers, other than for the couple you mentioned.) Maybe one
>> way to argue that is to say that those DMARC queries won't even be
>> noticed, but that kind of assertion probably needs to come from some
>> DNS type folks. (I guess there'll be a dnsdir review too and they'll
>> bring that up if it's real.)
>
>If your concern is the trickle of queries to _dmarc.com and the like, I don't
>think that ever came up. DNS resolvers cache negative results and I cannot
>imagine that anyone would even notice these in the torrent of junk queries
>every TLD gets. I can ask registry people I know but I would lay serious
>money they'd agree with what I said.
I think it's also worth mentioning the trade-off: No more Public Suffix List (PSL) for DMARC. Approximately everyone viewed this as a win, particularly the PSL maintainers. Not having a big text file somewhere that can break people's email is a win.

Scott K
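The "?" qualifier trick John describes, worked through as an added example that is not from the thread or from any IETF draft: a toy SPF evaluator (RFC 7208 qualifiers, but only the `ip4` and `all` mechanisms, which is an assumption for brevity; the real mechanism name is `ip4`, not `ip` as written above) plus the DMARC rule that only an aligned SPF *pass* or an aligned DKIM *pass* counts. A `?ip4:` match yields `neutral`, so DMARC then rests entirely on DKIM.

```python
"""Toy SPF evaluator and DMARC pass rule (added example, offline, no DNS).

Assumptions: only 'ip4:<addr-or-cidr>' and 'all' mechanisms are handled;
unknown mechanisms are skipped rather than producing permerror; records are
passed in as strings instead of being fetched from DNS.
"""
import ipaddress

# RFC 7208 qualifiers and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip under a 'v=spf1 ...' record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: a missing qualifier means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4" and ip.version == 4:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        # anything else (mx, include, a, ...) is ignored in this toy (assumption)
    return "neutral"  # RFC 7208 default when no mechanism matches


def dmarc_passes(spf_result: str, spf_aligned: bool,
                 dkim_result: str, dkim_aligned: bool) -> bool:
    """DMARC (RFC 7489) passes when at least one *aligned* identifier
    authenticates with a 'pass'; neutral/softfail never count."""
    return ((spf_result == "pass" and spf_aligned)
            or (dkim_result == "pass" and dkim_aligned))


def outcomes(client_ip: str = "1.2.3.4") -> dict:
    """Compare a '+' record with the '?' variant for a mail source at client_ip.
    The DKIM results are constructed inputs standing in for a verifier."""
    plus = evaluate_spf("v=spf1 +ip4:1.2.3.4 -all", client_ip)
    neutral = evaluate_spf("v=spf1 ?ip4:1.2.3.4 -all", client_ip)
    return {
        "spf_plus": plus,
        "spf_neutral": neutral,
        # with '?', DMARC passes only because an aligned DKIM signature verified
        "dmarc_neutral_spf_dkim_pass": dmarc_passes(neutral, True, "pass", True),
        "dmarc_neutral_spf_no_dkim": dmarc_passes(neutral, True, "none", False),
    }


if __name__ == "__main__":
    for key, value in outcomes().items():
        print(f"{key}: {value}")
```

The design point is visible in `dmarc_passes`: the receiver never sees "please ignore SPF", it simply finds nothing there that counts, which is why a sender who has removed the need for SPF can safely make the record non-committal without breaking the few systems that still act on SPF alone.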
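The TLD-query concern and John's negative-caching answer, simulated as an added example (not from the thread and not an implementation of the dmarcbis draft): a stub resolver over a constructed zone table records which names would actually reach an authoritative server, and a simplified tree walk queries `_dmarc.<name>` at every ancestor up to and including the TLD. The simplification is an assumption; the real draft's rules for which labels are queried are not reproduced here.

```python
"""Simplified DMARC policy-discovery tree walk with a negatively caching stub
resolver (added example; the walk here checks every ancestor label, which
is an assumption and not the dmarcbis rule set).
"""
from dataclasses import dataclass, field

# Constructed zone data: names present here answer with a TXT record,
# every other name is treated as NXDOMAIN.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.mail.example.net": "v=DMARC1; p=none",
}


@dataclass
class StubResolver:
    zone: dict
    negative_ttl: int = 3600          # seconds a negative answer is cached (assumed)
    now: int = 0                      # fake clock so expiry can be demonstrated
    authoritative_queries: list = field(default_factory=list)  # what a TLD would see
    _cache: dict = field(default_factory=dict)  # name -> (answer or None, expires_at)

    def lookup_txt(self, name: str):
        """Return the TXT record for name, or None for NXDOMAIN; both outcomes
        are cached so repeat lookups never reach the authoritative side."""
        hit = self._cache.get(name)
        if hit is not None and hit[1] > self.now:
            return hit[0]
        self.authoritative_queries.append(name)
        answer = self.zone.get(name)
        # a real resolver uses the SOA minimum for negatives; one TTL here (assumption)
        self._cache[name] = (answer, self.now + self.negative_ttl)
        return answer


def tree_walk(resolver: StubResolver, fqdn: str):
    """Walk from _dmarc.<fqdn> upward and return (name, record) for the first
    DMARC record found, or (None, None) after reaching the TLD."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = "_dmarc." + ".".join(labels[i:])
        rec = resolver.lookup_txt(name)
        if rec and rec.upper().startswith("V=DMARC1"):
            return name, rec
    return None, None


def tld_query_count(resolver: StubResolver, tld: str) -> int:
    """How many times the walk actually sent a query to _dmarc.<tld>."""
    return resolver.authoritative_queries.count("_dmarc." + tld)


if __name__ == "__main__":
    r = StubResolver(ZONE)
    # Two hosts under a domain with no DMARC record at all: the first walk
    # goes all the way to _dmarc.org, the second is answered from cache.
    print(tree_walk(r, "host.nodmarc.org"))
    print(tree_walk(r, "other.nodmarc.org"))
    print("queries that reached authoritative servers:", r.authoritative_queries)
    print("queries to _dmarc.org:", tld_query_count(r, "org"))
```

Running it shows the shape of John's argument rather than its magnitude: within the negative TTL, every further sender under the same parent costs the TLD nothing, and the single `_dmarc.org` query is one name among the misdirected lookups the TLD answers anyway.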
