On Monday, January 24, 2022 10:15:49 PM EST Scott Kitterman wrote:
> On January 25, 2022 12:46:48 AM UTC, John Levine <[email protected]> wrote:
> >It appears that Scott Kitterman <[email protected]> said:
> >>What I implemented is roughly:
> >>
> >>For policy determination, first check the From domain, if that has a DMARC
> >>record, then that's the policy domain. Otherwise, tree walk up to the apex
> >>looking for DMARC records. First domain you find with a record is policy
> >>domain, use the policy (p=, sp=, np=) from that domain's DMARC record.
> >>This matches my interpretation of dmarcbis-04.
> >>
> >>For org domain determination (for alignment), if any of the records
> >>retrieved during the policy search have psd=y, then add one more label
> >>and that's the org domain (as written). From there it's anyone's guess.
> >>Unlike John, I continued down the tree and made the first match the org
> >>domain.
> >
> >Seems reasonable. What's the point of going more than one level below the
> >PSD? Make it look more like a pure tree walk?
>
> Yes. For consistency. You'd walk down until you hit a non-psd record or
> the limit. Stopping at one more after the psd=y record is an optimization
> for a relatively rare case of a PSD record. Other than that case you have
> to keep going until you find a DMARC record or hit the limit, since there's
> no knowing what's a PSD otherwise.
The attached change would solve the problem, at least to a first approximation. The wording could be tightened up, but this is at least a complete description.

Scott K
diff --git a/draft-ietf-dmarc-dmarcbis-05.xml b/draft-ietf-dmarc-dmarcbis-05.xml index 448a156..9dd68a3 100644 --- a/draft-ietf-dmarc-dmarcbis-05.xml +++ b/draft-ietf-dmarc-dmarcbis-05.xml @@ -509,12 +509,16 @@ itself as such using a tag in its published DMARC policy record. An Organization Domain is any subdomain of a PSD that includes exactly one more label than the PSD in its name.</t> <t>For any email message, the Organizational Domain of the RFC5322.From domain -is determined by performing a DNS Tree Walk as described in <xref target="dns-tree-walk"></xref>. +is determined by performing a DNS Tree Walk in the reverse order described in <xref target="dns-tree-walk"></xref>. The target of the search is a valid DMARC record that contains a psd tag with a value of 'y'. Once such a record has been found, the Organizational Domain for the DNS domain matching the one found in the RFC5322.From domain can be -declared to be the target domain queried for in the step just prior to the -query that found the PSD domain.</t> +declared to be the target domain queried for in the next step just after the +query that found the PSD domain. If the first DMARC record returned does not +contain a psd tag with a value of 'y', that domain is the Organizational Domain. +If the maximum depth of the <xref target="dns-tree-walk"></xref> is reached +without a DMARC record being located, the RFC5322.From domain is the +Organizational Domain.</t> <t>For example, given the RFC5322.From domain "a.mail.example.com", a series of DNS queries for DMARC records would be executed starting with "_dmarc.a.mail.example.com" and finishing with "_dmarc.com". The "_dmarc.com"
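Review bot: the example paragraph in this hunk's trailing context still describes the queries in forward order ("starting with "_dmarc.a.mail.example.com" and finishing with "_dmarc.com""), so after the first sentence becomes "performing a DNS Tree Walk in the reverse order described in <xref target="dns-tree-walk"></xref>" the rule and the example describe two different walks; either restate the example starting at "_dmarc.com", or say that the queries are issued as in the tree walk and only the evaluation of the returned records proceeds from the apex toward the RFC5322.From domain. Two smaller points: "the maximum depth of the <xref target="dns-tree-walk"></xref> is reached" will render as "the maximum depth of Section N is reached", so "the maximum depth of the DNS Tree Walk (<xref target="dns-tree-walk"></xref>)" reads better; and "the target domain queried for in the next step just after the query that found the PSD domain" leaves open what happens when there is no next step (the RFC5322.From domain itself carries the psd=y record), since the two sentences added after it cover only the non-PSD and no-record cases.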
draft-ietf-dmarc-dmarcbis-05.txt-from-.old.diff.html
Description: application/xhtml
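To make the two walks in this thread concrete, here is an added example (not code from the dmarcbis draft, from Scott's implementation, or from any DMARC library) that models the policy-domain search as described above and the Organizational Domain rule as worded in the diff. The zone table FAKE_DNS, the MAX_LOOKUPS cap, and the helper names (parse_dmarc, policy_domain, effective_policy, org_domain, relaxed_aligned) are all constructed for illustration; np= is left out because it needs a nonexistence check that is not modelled here, and sp= falling back to p= is the standard DMARC rule, not something the thread states.

```python
# Added example: a minimal model of the DMARC tree walk discussed in the thread.
# The zone data, the lookup cap and all helper names are constructed assumptions.

MAX_LOOKUPS = 8  # assumed cap on queries per walk; the draft's own limit is not reproduced

# Constructed zone data: "_dmarc.<domain>" -> TXT record text.
FAKE_DNS = {
    "_dmarc.com": "v=DMARC1; p=none; psd=y",              # a PSD that publishes psd=y
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine",
    "_dmarc.example.org": "v=DMARC1; p=quarantine",
    "_dmarc.mail.example.net": "v=DMARC1; p=reject",       # record only on a subdomain
}


def parse_dmarc(txt):
    """Return the record's tag/value pairs, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def fetch_dmarc(domain, dns=FAKE_DNS):
    """Look up _dmarc.<domain> in the constructed zone table."""
    txt = dns.get("_dmarc." + domain.lower())
    return parse_dmarc(txt) if txt else None


def walk_candidates(from_domain):
    """Domains the tree walk queries, From domain first, apex (TLD) last."""
    labels = from_domain.lower().strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))][:MAX_LOOKUPS]


def policy_domain(from_domain, dns=FAKE_DNS):
    """Policy domain: the first domain walking upward that publishes a DMARC record."""
    for cand in walk_candidates(from_domain):
        rec = fetch_dmarc(cand, dns)
        if rec is not None:
            return cand, rec
    return None, None


def effective_policy(from_domain, dns=FAKE_DNS):
    """p= when the record sits on the From domain itself, otherwise sp= (falling back to p=)."""
    pdom, rec = policy_domain(from_domain, dns)
    if rec is None:
        return None
    if pdom == from_domain.lower():
        return rec.get("p")
    return rec.get("sp", rec.get("p"))


def org_domain(from_domain, dns=FAKE_DNS):
    """Organizational Domain per the diff: evaluate the walk in reverse, apex first."""
    from_apex = list(reversed(walk_candidates(from_domain)))
    for i, cand in enumerate(from_apex):
        rec = fetch_dmarc(cand, dns)
        if rec is None:
            continue
        if rec.get("psd", "").lower() != "y":
            return cand  # first record seen from the apex is not a PSD: it is the org domain
        # PSD found: the org domain is the domain queried in the next step (one more label).
        # If the From domain itself is the PSD there is no next step; fall back to it.
        return from_apex[i + 1] if i + 1 < len(from_apex) else from_domain.lower()
    return from_domain.lower()  # no record within the depth limit


def relaxed_aligned(from_domain, auth_domain, dns=FAKE_DNS):
    """Relaxed alignment: the authenticated domain shares the From domain's org domain."""
    return org_domain(from_domain, dns) == org_domain(auth_domain, dns)


if __name__ == "__main__":
    for d in ["a.mail.example.com", "sub.example.org", "mail.example.net", "nothing.test"]:
        print(d, "policy:", effective_policy(d), "org:", org_domain(d))
```

Note what the constructed mail.example.net zone shows: with a record only on the subdomain and none on example.net, the apex-first evaluation makes mail.example.net its own Organizational Domain, so a DKIM d=example.net signature would not align in relaxed mode. That is the kind of case the "From there it's anyone's guess" remark is about, and a reason to publish a record at the registered domain rather than only on mail subdomains.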
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
