On Wednesday, February 23, 2022 6:33:22 AM EST Alessandro Vesely wrote:
> On Wed 23/Feb/2022 05:09:19 +0100 Scott Kitterman wrote:
> > On Monday, February 21, 2022 6:45:09 PM EST John Levine wrote:
> >> It appears that Scott Kitterman  <[email protected]> said:
> >>>Today, if I send mail from 5322.From example.kitterman.com that is signed
> >>>by dkim.kitterman.com, if example.kitterman.com has a DMARC record, then
> >>>that would be the policy domain, but the message would meet the
> >>>requirement for relaxed alignment because both example.kitterman.com and
> >>>dkim.kitterman.com have the same org domain (kitterman.com).  I don't
> >>>think what I'm proposing is any different.
> >>>
> >> It looked like the tree walk to find the policy domain was different from
> >> the one to find the org domain.  If they're the same, that makes things
> >> simpler and we now have to nail down exactly what that tree walk is: first
> >> record, last record before a PSD?
> >> 
> >> This would be easier if we could count on PSDs to put psd=y in their
> >> records but I fear it will be a long time until that happens reliably.
> > 
> > The problem with last record before a psd=y record is you never know when
> > you are done.
> > 
> > Currently you could have:
> > 
> > a.b.c.d.org.psd.com
> > 
> > 'org' is the org domain.  In RFC 7489 terms it's PSL + 1, so org domain is
> > org.psd.com.  If you tree walk up you'd check (skipping b.c.d.org.psd.com
> > because you skip up to the one that's five long):
> > 
> > _dmarc.a.b.c.d.org.psd.com
> > _dmarc.c.d.org.psd.com
> > _dmarc.d.org.psd.com
> > _dmarc.org.psd.com
> > _dmarc.psd.com
> > _dmarc.com
> 
> If you found psd=y at _dmarc.psd.com, then you don't need to lookup
> _dmarc.com.

That's true, but I expect that to be the exception, not the typical case 
(discussed below).

> Similarly, if you found org=y at _dmarc.org.psd.com, then you don't need to
> lookup _dmarc.psd.com.

Since that's undefined, no.

> > Except in the rare case that _dmarc.psd.com has a psd=y record you have to
> > go all the way to the top to know which is the last non-psd=y record.  If
> > someone publishes records based on the RFC 7489 approach, only
> > a.b.c.d.org.psd and org.psd's records are consulted, so there's no reason
> > to publish for the intermediate domains unless they send mail too.
> 
> Unless they have special needs, there's no reason to publish a record at
> a.b.c.d.org.psd.com either.  However, if they do publish a DMARC record,
> then determining the org domain is only needed for alignment.  If no
> identifiers end in .com, for example, there is no need to determine the org
> domain.

I agree that records won't typically be needed at low levels within a single 
org, but the design needs to account for the possibility.  It's supported by 
RFC 7489, so I don't think we should introduce a gratuitous incompatibility.

I think for the specific case of not even being in the same PSD, one might 
skip determining the ORG domain, but that would only be for efficiency.  The 
protocol shouldn't specify it.

> > Going from found a DMARC record to didn't find a DMARC record doesn't tell
> > you anything.  If you tree-walk down the tree then you look up:
> > _dmarc.com
> > _dmarc.psd.com
> > _dmarc.org.psd.com
> > 
> > and you are done.  Admittedly this is just mostly an efficiency hack.  You
> > can get the same result either way.  It does seem awkward to me to do all
> > the lookups in order to find out when to stop.  I like walk up for policy
> > and walk down for org domain determination, but it's not essential.
> 
> I don't follow this.  If _dmarc.psd.com has no psd=y, you cannot determine
> the org domain correctly.  Most often, walking downward you find the same
> records you found when walking upward.  If you cared to memorize them, the
> downward walk is pure thought.  You find no further info that way.

Yes.  You can.  As we have been discussing for nearly half a year.

If you did all the lookups on the walk up, that is correct.  The thing is, 
once you find a DMARC record (in this example at _dmarc.a.b.c.d.org.psd.com), 
there is no need for further lookups to determine policy.

As I said, walking down is only for efficiency.  You get to the same answer 
eventually either way, which is why I said I don't think it's essential.  In 
this example it saves you looking up _dmarc.c.d.org.psd.com and 
_dmarc.d.org.psd.com.

> If you find no flags, you need to still consult the PSL.  It is good enough
> to avoid cross domain (mis)alignments.  I understand that this way one of
> the advantages of the tree walk —to get rid of the PSL— is lost.  However,
> the other advantage, to get something more accurate than the PSL, can still
> be met if we work out the flags well.

No.  I think that is entirely incorrect.

Scott K


_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
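The lookup sequences traded in the message above, as an added Python example placed after the message; it is not code from the thread or from any DMARC implementation. It assumes the zone data is a constructed in-memory dict, models the label cut-off exactly as the thread's sequence shows it (the From domain itself first, then the 5-label name, then one label at a time up to the TLD), and ignores org=y since Scott calls it undefined. The walk-up and walk-down org-domain functions record every query so the lookup counts can be compared, both with and without a psd=y record at psd.com.

```python
"""DMARC tree walk for the a.b.c.d.org.psd.com example from the thread.

Added example, not code from the thread or from any DMARC implementation.
Assumptions not stated in the thread: zone data is a constructed in-memory
dict; the label cut-off is modelled as the thread's lookup sequence shows it
(the From domain itself first, then the 5-label name, then one label at a
time up to the TLD); org=y is ignored because Scott calls it undefined.
"""

from typing import Dict, List, Optional, Tuple

# Constructed zone data.  psd=y at psd.com is the case Scott calls the
# exception rather than the rule; ZONE_NO_PSD below is the typical case.
ZONE: Dict[str, str] = {
    "_dmarc.a.b.c.d.org.psd.com": "v=DMARC1; p=none",
    "_dmarc.org.psd.com": "v=DMARC1; p=reject",
    "_dmarc.psd.com": "v=DMARC1; p=reject; psd=y",
}
ZONE_NO_PSD: Dict[str, str] = {k: v for k, v in ZONE.items() if k != "_dmarc.psd.com"}


def parse_tags(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=none' into {'v': 'DMARC1', 'p': 'none'}."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def walk_up_names(domain: str, max_labels: int = 5) -> List[str]:
    """Names checked on the upward walk, in the order the thread lists them."""
    labels = domain.lower().rstrip(".").split(".")
    names = [".".join(labels)]
    # Jump straight to the max_labels-long name when the domain is longer
    # (this is what skips b.c.d.org.psd.com in the thread), else go up one.
    start = len(labels) - max_labels if len(labels) > max_labels else 1
    for i in range(start, len(labels)):
        names.append(".".join(labels[i:]))
    return names


def lookup(name: str, zone: Dict[str, str], log: List[str]) -> Optional[Dict[str, str]]:
    """Fetch _dmarc.<name>, recording the query so lookup counts can be compared."""
    log.append(name)
    record = zone.get("_dmarc." + name)
    if record is None:
        return None
    tags = parse_tags(record)
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def policy_domain(domain: str, zone: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Walk up: the first name with a DMARC record is the policy domain,
    and no further lookups are needed for policy."""
    log: List[str] = []
    for name in walk_up_names(domain):
        if lookup(name, zone, log) is not None:
            return name, log
    return None, log


def org_domain_walk_up(domain: str, zone: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """'Last record before psd=y', found by walking up.  Every name must be
    queried, because only a psd=y record (or running out of labels) tells
    you that you are done."""
    log: List[str] = []
    org: Optional[str] = None
    for name in walk_up_names(domain):
        tags = lookup(name, zone, log)
        if tags is None:
            continue
        if tags.get("psd", "").lower() == "y":
            break  # reached a PSD; the last record below it is the org domain
        org = name
    return org, log


def org_domain_walk_down(domain: str, zone: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Same answer from the top down: the first record that is not psd=y is
    the org domain, so the walk stops as soon as it is found."""
    log: List[str] = []
    for name in reversed(walk_up_names(domain)):
        tags = lookup(name, zone, log)
        if tags is not None and tags.get("psd", "").lower() != "y":
            return name, log
    return None, log


def relaxed_aligned(from_domain: str, dkim_domain: str, zone: Dict[str, str]) -> bool:
    """Relaxed alignment: both identifiers resolve to the same org domain."""
    from_org, _ = org_domain_walk_down(from_domain, zone)
    dkim_org, _ = org_domain_walk_down(dkim_domain, zone)
    return from_org is not None and from_org == dkim_org


if __name__ == "__main__":
    d = "a.b.c.d.org.psd.com"
    print("policy:", policy_domain(d, ZONE))
    print("org (walk up):", org_domain_walk_up(d, ZONE))
    print("org (walk down):", org_domain_walk_down(d, ZONE))
    print("org (walk up, no psd=y):", org_domain_walk_up(d, ZONE_NO_PSD))
    print("aligned with mail.org.psd.com:", relaxed_aligned(d, "mail.org.psd.com", ZONE))
```

Running it shows the two points under discussion: policy needs exactly one lookup (the record at the From domain itself), while the org domain costs five upward lookups with psd=y at psd.com and six without it, against three on the walk down in either zone. What to do when no record at all is found on the way up is the question the thread leaves open, so both org functions simply return None in that case.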
