On Thursday, February 24, 2022 11:45:18 AM EST John Levine wrote:
> It appears that Scott Kitterman <[email protected]> said:
> >We are, but I think it's needed. I think we are in reasonably good shape
> >for backward compatibility. I still have a preference for org is last
> >non-PSD and not changing the alignment definition over org is first and
> >changing the alignment definition.
>
> Having further pondered evil great aunts (not a recipe for a good night's
> sleep) I am coming around to your point of view.
>
> You're only subject to the evil sibling attack if your org domain does not
> publish a DMARC record and your PSD does publish one without psd=y. There
> are some PSDs that do that but trying to get their attention to fix it seems
> a whole lot easier than trying to add org=y to millions of ordinary
> domains, particularly since we have contact with many PSDs via ICANN.
>
> >If we did this, then we would specify that the upward tree walk terminates
> >if a record has psd=n in it. That would allow a defense against the evil/
> >incompetent PSD and their scheming other customer.
>
> That seems reasonable. It doesn't make things worse for existing users.
>
> So I think this is the plan:
>
> 1. Take your domain, chop it to the last five labels if it's longer than
> that.
>
> 2. Walk up the tree starting at the original domain, and at each level look
> for a DMARC record.
>
> 3. If you find one with a psd flag, stop.
>
> 4. If you find one without a psd flag, remember it and keep going.
>
> 5. If you reach the root, stop.
>
> If you found a record with psd=n, that is the org domain.
>
> If you found a record with psd=y, the label below it is the org domain.
>
> Otherwise the org domain is the last DMARC record you found.
>
> The rest doesn't change:
>
> The policy domain is the original domain if it had a DMARC record,
> otherwise the org domain. The org domain might not have a DMARC
> record.
>
> Relaxed alignment still means that two names have the same org
> domain.
>
> If you found no records at all, there is no org domain and no policy but so
> what, there's nothing to do.
Yes, with the minor proviso that if it's longer than 5, you would start with
the exact match and then jump to 5, but that's a detail.

Unless someone objects, I'll start working on words so we can review the
details.

Scott K

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
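Added example, not code from the thread or from any DMARC implementation: a Python model of the tree walk John lays out in steps 1 to 5, with Scott's proviso of trying the exact domain first when it has more than five labels, run against a constructed in-memory stand-in for DNS. Every domain name and record in it is invented. The plan only defines `psd=y` and `psd=n`; treating any other psd value as "stop and use that record as the last one found" is an assumption of this example.

```python
# Added example (not the thread's or any project's code): the org-domain
# tree walk sketched above, using a constructed table instead of real DNS.

# Constructed records keyed by _dmarc.<name>; every name here is invented.
FAKE_DNS = {
    # PSD that publishes DMARC but omits psd=y (the case the thread worries about)
    "_dmarc.example": "v=DMARC1; p=none",
    # an org under that PSD that terminates the walk with psd=n
    "_dmarc.acme.example": "v=DMARC1; p=reject; psd=n",
    "_dmarc.mail.acme.example": "v=DMARC1; p=quarantine",
    # PSD that publishes psd=y, with an org below it
    "_dmarc.co.test": "v=DMARC1; p=none; psd=y",
    "_dmarc.corp.co.test": "v=DMARC1; p=reject",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into a tag=value dict (whitespace tolerated)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def lookup(name: str):
    """Parsed DMARC record at _dmarc.<name>, or None if there is none."""
    txt = FAKE_DNS.get("_dmarc." + name.lower().rstrip("."))
    return parse_dmarc(txt) if txt is not None else None


def labels_of(domain: str) -> list:
    return domain.lower().rstrip(".").split(".")


def walk_names(domain: str) -> list:
    """Step 1 plus Scott's proviso: names to query, most specific first."""
    labels = labels_of(domain)
    names = []
    if len(labels) > 5:
        names.append(".".join(labels))   # exact match first ...
        labels = labels[-5:]             # ... then jump to the last five labels
    for i in range(len(labels)):
        names.append(".".join(labels[i:]))   # walk up until the root (step 5)
    return names


def org_domain(domain: str):
    """Steps 2-5 and the three rules after them; None if no record was found."""
    labels = labels_of(domain)
    last_found = None
    for name in walk_names(domain):
        rec = lookup(name)
        if rec is None:
            continue
        psd = rec.get("psd")
        if psd is None:
            last_found = name            # step 4: remember it and keep going
            continue
        if psd == "n":                   # step 3: stop; this record is the org domain
            return name
        if psd == "y":                   # step 3: stop; the label below the PSD is the org
            depth = len(name.split(".")) + 1
            if depth > len(labels):
                return None              # the domain itself is the PSD: nothing below it
            return ".".join(labels[-depth:])
        last_found = name                # assumption: other psd values stop the walk
        break
    return last_found                    # highest record seen, or None


def policy_domain(domain: str):
    """The original domain if it has a DMARC record, otherwise the org domain."""
    return domain if lookup(domain) is not None else org_domain(domain)


def relaxed_aligned(a: str, b: str) -> bool:
    """Relaxed alignment: both names resolve to the same (existing) org domain."""
    oa, ob = org_domain(a), org_domain(b)
    return oa is not None and oa == ob


if __name__ == "__main__":
    for d in ("mail.acme.example", "mail.bare.example", "a.b.c.d.corp.co.test", "co.test"):
        print(f"{d}: org={org_domain(d)} policy={policy_domain(d)}")
```

In the constructed table, `acme.example` publishes `psd=n`, so the walk from `mail.acme.example` stops there and that name is not aligned with some other customer of the `example` PSD. `bare.example` publishes nothing, so the walk climbs to the PSD record that lacks `psd=y` and `example` becomes its org domain, which is exactly the exposure the thread describes and why a PSD fixing its record (or the org publishing `psd=n`) matters. `co.test` with `psd=y` shows the label-below rule, including the seven-label name that exercises the exact-match-then-five-labels proviso.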
