On Wed 23/Feb/2022 05:09:19 +0100 Scott Kitterman wrote:
On Monday, February 21, 2022 6:45:09 PM EST John Levine wrote:
It appears that Scott Kitterman said:
Today, if I send mail from 5322.From example.kitterman.com that is signed
by dkim.kitterman.com, if example.kitterman.com has a DMARC record, then
that would be the policy domain, but the message would meet the
requirement for relaxed alignment because both example.kitterman.com and
dkim.kitterman.com have the same org domain (kitterman.com). I don't
think what I'm proposing is any different.
It looked like the tree walk to find the policy domain was different from
the one to find the org domain. If they're the same, that makes things
simpler and we now have to nail down exactly what that tree walk is: first
record, last record before a PSD?
This would be easier if we could count on PSDs to put psd=y in their records
but I fear it will be a long time until that happens reliably.
The problem with last record before a psd=y record is you never know when you
are done.
Currently you could have:
a.b.c.org.psd.com
'org' is the org domain. In RFC 7489 terms it's PSL + 1, so org domain is
org.psd.com. If you tree walk up you'd check (skipping b.c.d.org.psd.com
because you skip up to the one that's five long):
_dmarc.a.b.c.d.org.psd.com
_dmarc.c.d.org.psd.com
_dmarc.d.org.psd.com
_dmarc.org.psd.com
_dmarc.psd.com
_dmarc.com
If you found psd=y at _dmarc.psd.com, then you don't need to lookup _dmarc.com.
Similarly, if you found org=y at _dmarc.org.psd.com, then you don't need to
lookup _dmarc.psd.com.
Except in the rare case that _dmarc.psd.com has a psd=y record you have to go
all the way to the top to know which is the last non-psd=y record. If someone
publishes records based on the RFC 7489 approach, only a.b.c.d.org.psd and
org.psd's records are consulted, so there's no reason to publish for the
intermediate domains unless they send mail too.
Unless they have special needs, there's no reason to publish a record at
a.b.c.d.org.psd.com either. However, if they do publish a DMARC record, then
determining the org domain is only needed for alignment. If no identifiers end
in .com, for example, there is no need to determine the org domain.
Going from found a DMARC record to didn't find a DMARC record doesn't tell
you anything. If you tree-walk down the tree then you look up:
_dmarc.com
_dmarc.psd.com
_dmarc.org.psd.com
and you are done. Admittedly this is just mostly an efficiency hack. You can
get the same result either way. It does seem awkward to me to do all the
lookups in order to find out when to stop. I like walk up for policy and walk
down for org domain determination, but it's not essential.
I don't follow this. If _dmarc.psd.com has no psd=y, you cannot determine the
org domain correctly. Most often, walking downward you find the same records
you found when walking upward. If you cared to memorize them, the downward
walk is pure thought. You find no further info that way.
If you find no flags, you need to still consult the PSL. It is good enough to
avoid cross domain (mis)alignments. I understand that this way one of the
advantages of the tree walk —to get rid of the PSL— is lost. However, the
other advantage, to get something more accurate than the PSL, can still be met
if we work out the flags well.
Best
Ale
--
_______________________________________________
dmarc mailing list
https://www.ietf.org/mailman/listinfo/dmarc
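Added illustration (editor's example, not code from the list, from RFC 7489 or from any DMARCbis draft) of the two walks argued over in the thread: Scott's upward walk with the "skip to the five-label name" rule and early stop on psd=y, the org-domain determination from what the walk found, Ale's PSL fallback when no flag is seen, and Scott's top-down variant, which, as Ale objects, picks the wrong org domain when _dmarc.psd.com carries no psd=y. The zone contents, the toy PSL and the `org=y` tag are constructed from the thread's wording; the lookups are against an in-memory dict rather than live DNS.

```python
"""Tree-walk illustration for the a.b.c.d.org.psd.com case in the thread.

Constructed data throughout: ZONE_* are in-memory stand-ins for DNS, TOY_PSL
for the Public Suffix List, and the org=y flag is taken from the thread's
wording rather than from a published specification.
"""

MAX_LABELS = 5               # after the full name, continue from its 5-label suffix
TOY_PSL = {"com", "psd.com"}  # constructed PSL used only for the fallback

# Constructed zones; the names actually queried are _dmarc.<name>.
ZONE_FLAGGED = {
    "_dmarc.a.b.c.d.org.psd.com": "v=DMARC1; p=none",
    "_dmarc.org.psd.com": "v=DMARC1; p=reject; org=y",
    "_dmarc.psd.com": "v=DMARC1; p=none; psd=y",
}
ZONE_PSD_ONLY = dict(ZONE_FLAGGED, **{"_dmarc.org.psd.com": "v=DMARC1; p=reject"})
ZONE_UNFLAGGED = dict(ZONE_PSD_ONLY, **{"_dmarc.psd.com": "v=DMARC1; p=none"})


def parse_tags(txt):
    """'v=DMARC1; p=none; psd=y' -> {'v': 'DMARC1', 'p': 'none', 'psd': 'y'}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def candidates(domain):
    """Names to query, bottom-up: the full name, then (if it has more than
    five labels) its five-label suffix, then one label shorter each step."""
    labels = domain.lower().rstrip(".").split(".")
    yield ".".join(labels)
    start = len(labels) - MAX_LABELS if len(labels) > MAX_LABELS else 1
    for i in range(start, len(labels)):
        yield ".".join(labels[i:])


def fetch(zone, name):
    """Return the parsed DMARC record at _dmarc.<name>, or None."""
    txt = zone.get("_dmarc." + name)
    if txt is None:
        return None
    tags = parse_tags(txt)
    return tags if tags.get("v") == "DMARC1" else None


def walk_up(domain, zone):
    """Scott's upward walk. Returns (queries, found); stops once a record
    flagged psd=y or org=y is seen, so nothing above it is queried."""
    queries, found = [], []
    for name in candidates(domain):
        queries.append("_dmarc." + name)
        tags = fetch(zone, name)
        if tags is None:
            continue
        found.append((name, tags))
        if tags.get("psd") == "y" or tags.get("org") == "y":
            break
    return queries, found


def policy_domain(found):
    """The first record found on the way up is the policy domain."""
    return found[0][0] if found else None


def org_from_psl(domain):
    """RFC 7489 style: longest PSL match plus one label."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in TOY_PSL:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def org_domain(domain, found):
    """org=y names the org domain outright; below a psd=y record it is the
    last non-psd=y record seen (or one label below the PSD if nothing was
    published in between); with no flag at all, fall back to the PSL."""
    for name, tags in found:
        if tags.get("org") == "y":
            return name
    psd = next((n for n, t in found if t.get("psd") == "y"), None)
    if psd is not None:
        below = [n for n, t in found if t.get("psd") != "y"]
        if below:
            return below[-1]
        depth = psd.count(".") + 2          # one label longer than the PSD name
        return ".".join(domain.lower().split(".")[-depth:])
    return org_from_psl(domain)


def walk_down(domain, zone):
    """Scott's top-down variant: query com, psd.com, org.psd.com, ... and
    take the first record that is not psd=y. Ale's objection is visible in
    ZONE_UNFLAGGED, where this returns psd.com."""
    for name in reversed(list(candidates(domain))):
        tags = fetch(zone, name)
        if tags is not None and tags.get("psd") != "y":
            return name
    return None
```

Running `walk_up("a.b.c.d.org.psd.com", ZONE_FLAGGED)` issues exactly the four queries down to `_dmarc.org.psd.com` and stops there; without `org=y` it goes one further to `_dmarc.psd.com`; with no flag anywhere it reaches `_dmarc.com`, and only the PSL fallback still yields `org.psd.com`, while `walk_down` on that same zone stops at `psd.com`.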