On Monday, February 21, 2022 6:45:09 PM EST John Levine wrote:
> It appears that Scott Kitterman  <[email protected]> said:
> >Today, if I send mail from 5322.From example.kitterman.com that is signed
> >by dkim.kitterman.com, if example.kitterman.com has a DMARC record, then
> >that would be the policy domain, but the message would meet the
> >requirement for relaxed alignment because both example.kitterman.com and
> >dkim.kitterman.com have the same org domain (kitterman.com).  I don't
> >think what I'm proposing is any different.
> 
> It looked like the tree walk to find the policy domain was different from
> the one to find the org domain.  If they're the same, that makes things
> simpler and we now have to nail down exactly what that tree walk is: first
> record, last record before a PSD?
> 
> This would be easier if we could count on PSDs to put psd=y in their records
> but I fear it will be a long time until that happens reliably.

The problem with last record before a psd=y record is you never know when you 
are done.

Currently you could have:

a.b.c.org.psd.com

'org' is the org domain.  In RFC 7489 terms it's PSL + 1, so org domain is 
org.psd.com.  If you tree walk up you'd check (skipping b.c.d.org.psd.com 
because you skip up to the one that's five long):

_dmarc.a.b.c.d.org.psd.com
_dmarc.c.d.org.psd.com
_dmarc.d.org.psd.com
_dmarc.org.psd.com
_dmarc.psd.com
_dmarc.com

Except in the rare case that _dmarc.psd.com has a psd=y record you have to go 
all the way to the top to know which is the last non-psd=y record.  If someone 
publishes records based on the RFC 7489 approach, only a.b.c.d.org.psd and 
org.psd's records are consulted, so there's no reason to publish for the 
intermediate domains unless they send mail too.  Going from found a DMARC 
record to didn't find a DMARC record doesn't tell you anything.  If you 
tree-walk down the tree then you look up:

_dmarc.com
_dmarc.psd.com
_dmarc.org.psd.com

and you are done.  Admittedly this is just mostly an efficiency hack.  You can 
get the same result either way.  It does seem awkward to me to do all the 
lookups in order to find out when to stop.  I like walk up for policy and walk 
down for org domain determination, but it's not essential.

Scott K
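The two walks contrasted in the message above, as an added example that is not part of the thread and not text from RFC 7489 or any draft: a small Python model over a constructed in-memory zone. The zone contents, the skip-to-the-five-label-ancestor rule, and the stop conditions for each walk are my reading of the messages above, written down so the lookup counts can be compared.

```python
"""Toy model of the DMARC tree-walk variants discussed above.

Added example: the zone below is constructed, not real DNS data, and the
walk rules are an interpretation of the mailing-list discussion, not RFC
text. Names are looked up under the _dmarc label as DMARC does.
"""
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, str]

# Constructed zone: _dmarc name -> TXT record. Missing names return None,
# which stands in for NXDOMAIN / no DMARC record.
ZONE: Zone = {
    "_dmarc.a.b.c.d.org.psd.com": "v=DMARC1; p=reject",
    "_dmarc.org.psd.com": "v=DMARC1; p=quarantine",
    "_dmarc.psd.com": "v=DMARC1; p=none; psd=y",
}


def is_psd(record: str) -> bool:
    """True when the record carries the psd=y tag."""
    tags = {t.strip().replace(" ", "") for t in record.split(";")}
    return "psd=y" in tags


def candidates(domain: str, max_labels: int = 5) -> List[str]:
    """Names to consult, From domain first, TLD last.

    The From domain itself is always consulted; the walk then jumps to the
    ancestor that is max_labels labels long and continues one label at a
    time. For a.b.c.d.org.psd.com this yields the six names listed in the
    message (b.c.d.org.psd.com is skipped).
    """
    labels = domain.split(".")
    names = [domain]
    start = max(len(labels) - max_labels, 1)
    names += [".".join(labels[i:]) for i in range(start, len(labels))]
    return names


def walk_up_policy(zone: Zone, domain: str) -> Tuple[Optional[str], List[str]]:
    """Policy domain: the first name, walking up, that has a DMARC record."""
    queried: List[str] = []
    for name in candidates(domain):
        queried.append("_dmarc." + name)
        if zone.get("_dmarc." + name) is not None:
            return name, queried
    return None, queried


def walk_up_org(zone: Zone, domain: str) -> Tuple[Optional[str], List[str]]:
    """Org domain by walking up: the last non-psd record seen before a psd=y
    record. Without a psd=y record there is no early stop, so every name up
    to the TLD is queried (the problem described in the message above)."""
    queried: List[str] = []
    last_non_psd: Optional[str] = None
    for name in candidates(domain):
        queried.append("_dmarc." + name)
        rec = zone.get("_dmarc." + name)
        if rec is None:
            continue  # a gap tells you nothing; keep going
        if is_psd(rec):
            break  # reached the PSD, the previous hit is the org domain
        last_non_psd = name
    return last_non_psd, queried


def walk_down_org(zone: Zone, domain: str) -> Tuple[Optional[str], List[str]]:
    """Org domain by walking down from the TLD: stop at the first record
    that is not psd=y."""
    queried: List[str] = []
    for name in reversed(candidates(domain)):
        queried.append("_dmarc." + name)
        rec = zone.get("_dmarc." + name)
        if rec is not None and not is_psd(rec):
            return name, queried
    return None, queried


def relaxed_aligned(zone: Zone, from_domain: str, dkim_domain: str) -> bool:
    """Relaxed alignment: From and DKIM d= share an org domain."""
    a, _ = walk_down_org(zone, from_domain)
    b, _ = walk_down_org(zone, dkim_domain)
    return a is not None and a == b


if __name__ == "__main__":
    d = "a.b.c.d.org.psd.com"
    for fn in (walk_up_policy, walk_up_org, walk_down_org):
        result, queried = fn(ZONE, d)
        print(f"{fn.__name__}: {result} after {len(queried)} lookups: {queried}")
    print("aligned with dkim.org.psd.com:", relaxed_aligned(ZONE, d, "dkim.org.psd.com"))
```

Running it against the constructed zone, walk-up policy determination stops after one lookup, walk-up org determination needs five lookups (six if `_dmarc.psd.com` carries no psd=y tag, because nothing tells it to stop before `com`), and walk-down org determination needs three. The walk-down variant also shows the cost of PSDs not publishing psd=y: a TLD or PSD record without that tag would be taken as the org domain.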


_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc