AD Review - Reporting and psd=y

[toddherr]

Should DMARCbis be amended to include normative text, likely in sections 5.3.8 (Send Aggregate Reports) and 5.3.9 (Optionally Send Failure Reports) that says "If the DMARC Policy Record in question contains a 'psd=y' tag, reports MUST NOT be sent to any addresses found in any rua= or ruf= tag in that DMARC Policy Record"?

[jrlevine]

The whole point of PSD records was so that registries like .BANK and .INSURANCE could collect reports and check that their registrants have the DMARC policies they're supposed to. This would be a breaking change, and I am sure that even if we made it, people would ignore it. So leave it as is, please.

[Daniel-t]

For context, I work for an organization that operates a (restricted) public suffix domain. The subdomains are owned by ~400 different but related organisations. 1) At a minimum the rua= reports for our PSD domain need to come to us, our PSD domain is used to send emails as well as receive emails, so it is important to us that we can see when things are going wrong at the PSD level. [We also are seeing spoofing of our PSD to send phishing emails] 2) for subdomains without their own DMARC policy to send rua reports to their own endpoint, will let us quantify the email delivery issues they are having and help convince them to implement their own policy.

I understand not sending ruf reports to PSD reporting endpoint, but ongoing rua reports for us are critical (at least for the PSD itself).

[alevesely]

That looks fine.

To support different organization, you need psd=y. Sending from the PSD then requires all identifiers to be strictly aligned, irrespective of adkim/aspf settings, because any subdomain will be considered to be a different org, according to the DNS tree walk .