So if the first tree walk stops at a a PSD=y policy, then the match string used for alignment is the organizational domain, one segment down from the PSD policy. Any SPF or DKIM domain must match or be a child of the organizational domain, so there is no secondary tree walk,
Does that correct the problem? On Thu, Jan 20, 2022 at 11:58 AM Scott Kitterman <[email protected]> wrote: > On Thursday, January 20, 2022 9:57:48 AM EST Douglas Foster wrote: > ... > > -- If a policy is found with PSD=y, the domain does not participate in > > DMARC but may need to be tested for non-existence. If the policy also > > specifies NP=reject, query the next-lower domain name for a resource > > record. If the DNS query result is NXDOMAIN, processing stops and the > > DMARC policy is also "NXDOMAIN". (I recommend using NXDOMAIN as a > separate > > result code from REJECT, as it seems to be a stronger repudiation.) > ... > > No. In this case policy discovery is complete and that's the policy that > should be applied. Additionally, that's not how the np= tag works. > > All psd=y means is don't use this domain for determining alignment. For > policy discovery it's like any other. > > Scott K > > > _______________________________________________ > dmarc mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
