On November 28, 2024 4:11:35 PM UTC, "John R. Levine" <johnl@xxxxxxxx> wrote:
>On Wed, 28 Nov 2024, Stephen Farrell wrote:
>> Personally, I do think it odd there's no way for a sender to use
>> DMARC to say "I know I still have to publish SPF stuff, so as not
>> to break things, but I'd really prefer you ignore that and depend
>> only on my DKIM stuff if you know how to parse this new bit of a
>> TXT RR for DMARC."
>
>DMARC can pass with either SPF or DKIM, so if you don't like SPF, you don't
>have to publish it at all. Or if you want to be clever, your SPF record can
>say ?ip:1.2.3.4 rather than +ip:1.2.3.4, which returns a neutral result, not
>enough for DMARC but usually enough for the handful of mail systems that try
>to enforce SPF. This is all in the mailing list discussion.
>
>As you noted, this draft is already too long, so instead of adding more
>text, I'd rather do an A/S or maybe an update to 7208 on Why and How Not to
>Use SPF.
>
>>>> (2) The tree-walk calls for querying TLDs for TXT RRs. Was that
>>>> discussed with DNS operators for TLDs? ...
>
>> With the same attitude as above (no harm for us to clarify a bit more,
>> but "secdir-reviewer being happy" is not a required outcome here), I'd
>> say being able to convince the IESG that more than a couple of oddball
>> TLDs are ok with this would be a good plan. (When I tried a few, I got
>> NXDOMAIN answers, other than for the couple you mentioned.) Maybe one
>> way to argue that is to say that those DMARC queries won't even be
>> noticed, but that kind of assertion probably needs to come from some
>> DNS type folks. (I guess there'll be a dnsdir review too and they'll
>> bring that up if it's real.)
>
>If your concern is the trickle of queries to _dmarc.com and the like, I
>don't think that ever came up. DNS resolvers cache negative results and I
>cannot imagine that anyone would even notice these in the torrent of junk
>queries every TLD gets.
I can ask registry people I know but I would lay serious money they'd agree
with what I said.

I think it's also worth mentioning the trade-off: No more Public Suffix List
(PSL) for DMARC. Approximately everyone viewed this as a win, particularly the
PSL maintainers. Not having a big text file somewhere that can break people's
email is a win.

Scott K

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx
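The two mechanics argued over in this thread, an SPF record whose `?` qualifier yields only a neutral result so that DMARC has to rest on DKIM, and a DMARC tree walk whose queries reach `_dmarc.<tld>` but are absorbed by negative caching, can be seen side by side in the following toy evaluator. It is an added example, not code from the thread, from the DMARCbis draft, or from any participant. It assumes the RFC 7208 spelling `ip4:` / `ip6:` for the IP mechanisms, supports only those mechanisms plus `all`, simplifies relaxed alignment to "same domain or a subdomain of the other", models no cap on the number of labels in the walk, and runs against a constructed in-memory zone where every absent name answers as a miss; all of those are assumptions of the example, not statements about the draft.

```python
"""Toy SPF qualifier evaluation, DMARC pass logic and a DMARC tree walk over a
constructed in-memory DNS.  Added example; not part of the thread or the draft.
Assumptions: only ip4/ip6/all SPF terms, simplified alignment, no label cap."""
import ipaddress

# SPF qualifier prefixes and the result each one produces when its mechanism
# matches (RFC 7208 section 4.6.2).  '+' is the default when none is written.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate a v=spf1 TXT record against client_ip.  Subset only: ip4, ip6
    and all.  If nothing matches and there is no 'all', RFC 7208 says neutral."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment (assumption): equal, or one is a subdomain
    of the other.  Real DMARC compares organizational domains instead."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or a.endswith("." + f) or f.endswith("." + a)


def dmarc_result(from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """DMARC passes on an aligned SPF pass OR an aligned DKIM pass.  A neutral
    or softfail SPF result contributes nothing, so only DKIM can carry it."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain)
    return "pass" if (spf_ok or dkim_ok) else "fail"


class StubResolver:
    """Constructed in-memory DNS: name -> TXT string; anything absent is a miss.
    Both positive and negative answers are cached, so a repeated miss on
    e.g. _dmarc.org never goes upstream a second time."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}
        self.queries = []  # names that actually went "upstream"

    def txt(self, name):
        if name not in self.cache:
            self.queries.append(name)
            self.cache[name] = self.zone.get(name)  # None models NXDOMAIN/NODATA
        return self.cache[name]


def dmarc_tree_walk(resolver, domain):
    """Query _dmarc.<domain>, then strip one leading label at a time until the
    TLD itself has been asked.  Returns (record, domain it was found at)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rec = resolver.txt("_dmarc." + candidate)
        if rec and rec.lower().startswith("v=dmarc1"):
            return rec, candidate
    return None, None


def demo():
    """Run the scenarios from the thread and return the observable results."""
    zone = {"_dmarc.example.com": "v=DMARC1; p=reject"}  # constructed record
    dns = StubResolver(zone)
    ip = "1.2.3.4"
    strong = evaluate_spf("v=spf1 +ip4:1.2.3.4 -all", ip)   # the usual '+' form
    neutral = evaluate_spf("v=spf1 ?ip4:1.2.3.4 -all", ip)  # the '?' trick
    via_dkim = dmarc_result("example.com", neutral, "example.com", "pass", "example.com")
    no_dkim = dmarc_result("example.com", neutral, "example.com", "fail", "example.com")
    _, found_at = dmarc_tree_walk(dns, "mail.sub.example.com")  # stops at hit
    _, missed = dmarc_tree_walk(dns, "nothere.example.org")     # reaches _dmarc.org
    dmarc_tree_walk(dns, "other.example.org")                   # .org miss served from cache
    return {
        "spf_plus": strong, "spf_neutral": neutral,
        "dmarc_via_dkim": via_dkim, "dmarc_no_dkim": no_dkim,
        "walk_hit": found_at, "walk_miss": missed,
        "upstream_queries": list(dns.queries),
        "tld_queries": dns.queries.count("_dmarc.org"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second walk for `other.example.org` sends only `_dmarc.other.example.org` upstream; `_dmarc.example.org` and `_dmarc.org` are answered from the negative cache, which is the caching argument made above in miniature. Swap the `?` for `+` in the SPF record and the DMARC result no longer depends on DKIM at all.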