Do you propose that we ignore private registrars completely?

Doug

On Tue, Feb 22, 2022 at 11:09 PM Scott Kitterman <[email protected]> wrote:

> On Monday, February 21, 2022 6:45:09 PM EST John Levine wrote:
> > It appears that Scott Kitterman <[email protected]> said:
> > >Today, if I send mail from 5322.From example.kitterman.com that is signed
> > >by dkim.kitterman.com, if example.kitterman.com has a DMARC record, then
> > >that would be the policy domain, but the message would meet the
> > >requirement for relaxed alignment because both example.kitterman.com and
> > >dkim.kitterman.com have the same org domain (kitterman.com). I don't
> > >think what I'm proposing is any different.
> >
> > It looked like the tree walk to find the policy domain was different from
> > the one to find the org domain. If they're the same, that makes things
> > simpler and we now have to nail down exactly what that tree walk is: first
> > record, last record before a PSD?
> >
> > This would be easier if we could count on PSDs to put psd=y in their records
> > but I fear it will be a long time until that happens reliably.
>
> The problem with last record before a psd=y record is you never know when you
> are done.
>
> Currently you could have:
>
> a.b.c.org.psd.com
>
> 'org' is the org domain. In RFC 7489 terms it's PSL + 1, so org domain is
> org.psd.com. If you tree walk up you'd check (skipping b.c.d.org.psd.com
> because you skip up to the one that's five long):
>
> _dmarc.a.b.c.d.org.psd.com
> _dmarc.c.d.org.psd.com
> _dmarc.d.org.psd.com
> _dmarc.org.psd.com
> _dmarc.psd.com
> _dmarc.com
>
> Except in the rare case that _dmarc.psd.com has a psd=y record you have to go
> all the way to the top to know which is the last non-psd=y record. If someone
> publishes records based on the RFC 7489 approach, only a.b.c.d.org.psd and
> org.psd's records are consulted, so there's no reason to publish for the
> intermediate domains unless they send mail too. Going from found a DMARC
> record to didn't find a DMARC record doesn't tell you anything. If you
> tree-walk down the tree then you look up:
>
> _dmarc.com
> _dmarc.psd.com
> _dmarc.org.psd.com
>
> and you are done. Admittedly this is just mostly an efficiency hack. You can
> get the same result either way. It does seem awkward to me to do all the
> lookups in order to find out when to stop. I like walk up for policy and walk
> down for org domain determination, but it's not essential.
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
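
The walk-up and walk-down lookups compared in the quoted message, as an added example that is not part of the thread or of any DMARC draft. The zone contents and function names are constructed, and the walk-down stopping rule (stop at the first record without psd=y) is an assumption read from the quoted example.

```python
# Constructed sample zone: _dmarc TXT records keyed by domain (not real DNS data).
ZONE = {
    "a.b.c.d.org.psd.com": "v=DMARC1; p=none",
    "org.psd.com": "v=DMARC1; p=reject",
}

def is_psd(record):
    """True if the record carries the psd=y tag discussed in the thread."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("psd") == "y"

def walk_names(domain, max_labels=5):
    """Names queried walking up: full name, then the five-label suffix, then one label fewer per step."""
    labels = domain.lower().rstrip(".").split(".")
    start = max(1, len(labels) - max_labels)
    return [".".join(labels)] + [".".join(labels[i:]) for i in range(start, len(labels))]

def org_domain_walk_up(domain, zone):
    """Return (org_domain, lookups): last non-psd=y record seen before a psd=y record or the top."""
    org, lookups = None, 0
    for name in walk_names(domain):
        lookups += 1
        record = zone.get(name)
        if record is None:
            continue  # a missing record says nothing; keep walking
        if is_psd(record):
            break     # only an explicit psd=y record lets the walk stop early
        org = name
    return org, lookups

def org_domain_walk_down(domain, zone):
    """Return (org_domain, lookups): first non-psd=y record found starting at the TLD (assumed rule)."""
    lookups = 0
    for name in reversed(walk_names(domain)):
        lookups += 1
        record = zone.get(name)
        if record is not None and not is_psd(record):
            return name, lookups
    return None, lookups

if __name__ == "__main__":
    sender = "a.b.c.d.org.psd.com"
    print("walk up:  ", org_domain_walk_up(sender, ZONE))
    print("walk down:", org_domain_walk_down(sender, ZONE))
```

Both walks return the same org domain for this zone; the difference is the number of `_dmarc` queries needed before the result is known.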
