On 2/17/2015 1:53 AM, John Levine wrote:
>> Can a delegated zone have its own DKIM, SPF and DMARC records?
>
> There's no way to answer this question, because DKIM, SPF, and DMARC
> have no relationship whatsoever to zone delegations.  They're defined in
> terms of domain names, and zone cuts don't matter.

Thank you for the explanation. It explains why I didn't see any description of zones and DKIM in the documentation.


> You can put DKIM, SPF, and DMARC records at any domain name.  SPF
> looks up whatever domain name is in the envelope bounce address, DKIM
> looks up whatever domain name is in the d= field of the DKIM signature,
> and DMARC usually looks up the domain in the From: address.
>
> The only exception is there is a hack in DMARC such that if the lookup
> for the DMARC record doesn't find anything, it can look for an
> "organizational" domain name, typically using the Mozilla Public
> Suffix List.  For example, if the From: address were
> sa...@newjersey.example.com and there were no DMARC record at
> _dmarc.newjersey.example.com, it could also look for
> _dmarc.example.com.  The organizational domain is chosen by counting
> dots in the name, not by looking at zone cuts.

I need to go back and re-read the documentation/standard because that did not come across in my reading.

If I understand you correctly, even though zones don't matter to how I create the records, the zones could be a useful tool for me delegating management of the records. If I have one set of records for example.com in one organization and another set of exhibit records in newjersey.example.com managed by my organization, then I can manage the records independently of the parent organization.

Are there any collisions between the DMARC record configurations in the parent domain versus a subdomain that I need to worry about?

My interpretation of what I've read leads me to believe I'm better off keeping all of the header addresses in the same domain and using a Reply-To to direct responses to a real human instead of trying to make the From: address the human's address.
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
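
The DMARC lookup described in the quoted explanation above, sketched as an added example that is not part of the original message or of any DMARC implementation. The suffix set, the TXT data and the function names are constructed for illustration; the `sp=` handling assumes the DMARC subdomain-policy tag, which applies only when the record is found through the organizational-domain fallback.

```python
# Added illustration: DMARC record discovery with the organizational-domain
# fallback. The suffix set and TXT data are constructed samples, not the real
# Public Suffix List or real DNS answers.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}

# Constructed TXT data keyed by owner name; zone cuts play no part here.
TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.mail.example.org": "v=DMARC1; p=none",
    "_dmarc.example.org": "v=DMARC1; p=reject",
}


def organizational_domain(domain):
    """Longest matching public suffix plus one more label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # i == 0 means the name is itself a public suffix.
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def parse_tags(record):
    """Split 'v=DMARC1; p=reject' into {'v': 'DMARC1', 'p': 'reject'}."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def discover_policy(from_domain, txt=TXT):
    """Return (names queried, name that answered, policy to apply)."""
    from_domain = from_domain.lower().rstrip(".")
    queried = ["_dmarc." + from_domain]
    record = txt.get(queried[0])
    if record is not None:
        # A record at the exact From: domain is used; the parent is never asked.
        return queried, queried[0], parse_tags(record).get("p")
    org = organizational_domain(from_domain)
    if org and org != from_domain:
        queried.append("_dmarc." + org)
        record = txt.get(queried[1])
        if record is not None:
            tags = parse_tags(record)
            # Reached by fallback, so from_domain is a subdomain: sp= wins if set.
            return queried, queried[1], tags.get("sp", tags.get("p"))
    return queried, None, None
```

Intermediate names are never queried: for `a.b.example.org` the lookup goes from `_dmarc.a.b.example.org` straight to `_dmarc.example.org`.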
