Add support for .co.uk and uk.com domains #549

Open
chriswhitingBCH opened this issue Nov 25, 2024 · 5 comments
Labels: enhancement (New feature or request), exchange (Microsoft Exchange)

Comments

@chriswhitingBCH

These are both TLDs and should not be tested for SPF, DMARC, etc.

image

@chriswhitingBCH
Author

image

@chriswhitingBCH
Author

Exclude the onmicrosoft.com too

image

@soulemike
Contributor

This is an interesting topic for a couple of reasons:

  1. What is a technical implementation that allows for filtering well-known managed second-level domains? I am not aware of an organization restricting this, just multiple that maintain well-known domains within their own standards.
  2. Technically this is still accepted risk. Microsoft should have parked records for onmicrosoft.com, the UK should have parked records for those top-level and second-level domains. Otherwise your organization has some implicit, albeit very little, trust and thus risk that those could be spoofed.

Open to suggestions on how to identify the first elegantly and then potentially flag as a warning for the second.

@merill
Contributor

merill commented Dec 14, 2024

Since the admin can't do much here to fix TLDs it might be best to avoid showing this as failed.

We could still list them in the table here and flag as ignored.

I think we can hard-code the domains in the PowerShell cmdlet and folks can submit PRs to add them.

We should also add support to pass in domains to be ignored for this test. When we add support for configuring parameters (hopefully this quarter), admins will be able to exclude other domains.

Thoughts @soulemike?

@merill merill added the enhancement New feature or request label Dec 14, 2024
@soulemike
Contributor

> Since the admin can't do much here to fix TLDs it might be best to avoid showing this as failed.
> We could still list them in the table here and flag as ignored.

This sounds like a reasonable approach. Only use the domains explicitly registered with Entra for the pass/fail, then show the results for the hierarchy but as ignored for the overall result.

> We should also add support to pass in domains to be ignored for this test. When we add support for configuring parameters (hopefully this quarter), admins will be able to exclude other domains.

Yep, allowing an ignored domains array as a property makes sense as well.

I can work on wireframing these two changes up.
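
The approach discussed in the comments above, as an added PowerShell example (not Maester's code and not written by the participants): only tenant-registered domains count toward pass/fail, while parent names in the hierarchy and anything on an ignore list are reported as `Ignored`. The function names, the `-IgnoredDomains` parameter and the sample results are assumptions made for illustration.

```powershell
# Added example. Function and parameter names are hypothetical, not Maester's API.
# Managed suffixes named in this issue, hard-coded as proposed in the thread.
$script:ManagedSuffixes = @('co.uk', 'uk.com', 'onmicrosoft.com')

function Get-DomainHierarchy {
    param([Parameter(Mandatory)][string]$Domain)
    # mail.contoso.co.uk -> mail.contoso.co.uk, contoso.co.uk, co.uk (bare TLD omitted)
    $labels = $Domain.ToLowerInvariant().TrimEnd('.').Split('.')
    for ($i = 0; $i -lt $labels.Count - 1; $i++) {
        $labels[$i..($labels.Count - 1)] -join '.'
    }
}

function Get-MailAuthVerdict {
    param(
        [Parameter(Mandatory)][string[]]$RegisteredDomains,
        [Parameter(Mandatory)][hashtable]$CheckResults,  # domain -> $true if its record is valid
        [string[]]$IgnoredDomains = @()                   # admin-supplied exclusions
    )
    $registered = @($RegisteredDomains | ForEach-Object { $_.ToLowerInvariant() })
    $ignore = @($script:ManagedSuffixes) + @($IgnoredDomains | ForEach-Object { $_.ToLowerInvariant() })
    $names = $registered | ForEach-Object { Get-DomainHierarchy $_ } | Select-Object -Unique
    $rows = foreach ($name in $names) {
        $ok = [bool]$CheckResults[$name]
        # Parents that are not registered in the tenant are listed but never scored.
        if ($name -in $ignore -or $name -notin $registered) {
            $status = 'Ignored'
        } elseif ($ok) {
            $status = 'Passed'
        } else {
            $status = 'Failed'
        }
        [pscustomobject]@{ Domain = $name; RecordOk = $ok; Status = $status }
    }
    [pscustomobject]@{
        Passed = @($rows | Where-Object Status -eq 'Failed').Count -eq 0
        Rows   = $rows
    }
}

# Constructed sample results; a real test would fill this from DNS lookups.
$sample = @{
    'contoso.co.uk' = $true; 'co.uk' = $false
    'contoso.onmicrosoft.com' = $true; 'onmicrosoft.com' = $false
    'fabrikam.com' = $false
}
$tenant = 'contoso.co.uk', 'contoso.onmicrosoft.com', 'fabrikam.com'
(Get-MailAuthVerdict -RegisteredDomains $tenant -CheckResults $sample).Rows | Format-Table
(Get-MailAuthVerdict -RegisteredDomains $tenant -CheckResults $sample -IgnoredDomains 'fabrikam.com').Passed
```

The `RecordOk` column keeps the raw result visible for ignored rows, so a missing record on a managed suffix still appears in the table without failing the test.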
