On Thu 17/Mar/2022 04:02:00 +0100 John Levine wrote:
> It appears that Scott Kitterman <[email protected]> said:
>> It took a fair amount of editing and I expect you all will have further
>> suggestions, so instead of getting up to my elbows in XML, I took the
>> published DMARCbis-05 text and updated it directly. The modified version and
>> an rfcdiff are attached.
>
> It's closer, but I think it still needs some reorganization. I think this is
> where we want to end up:
>
> Policy domain: if a domain has a dmarc record, that's the policy, otherwise use
> the org domain's policy or if no org domain policy, PSD policy.
>
> You need to find org domains if
> a) the domain has no DMARC record so you use the org domain's instead, OR
> b) the DKIM domain doesn't match the from header domain and policy adkim=r, OR
> c) the SPF domain doesn't match the from header domain and policy aspf=r.

Good point. It may deserve its own subsection.

> To find the org domain for a domain:
> chop the domain to the last five labels and walk up the tree.
> stop when you find a DMARC record with psd or you hit the root.
> if a record has psd=n, that's the org domain
> if a record has psd=y and it isn't the original domain, the org domain is
> the one below it
> otherwise the org domain is the last (highest) DMARC record you found

Fine. DMARC /specifies/ that the org domain MUST publish a record. Whereas it
started off allowing one to publish a record at the org level only, as a
simplification w.r.t. SPF, that record is now requisite.

> Relaxed alignment doesn't change, if two domains have the same org domain,
> they're aligned.

No, we don't repeat the walk for each identifier. On a mail From:[email protected],
assume we have already determined that the org domain is c.d. Then there is a
signature with d=e.f.c.d. It is aligned based on string comparison.
Repeating the tree walk, we'd get a different result if we find psd=y at
_dmarc.f.c.d. Is that realistic?

> Minor nit: if a name has two or more DMARC records, that's invalid so pretend
> it had none.

Does it make sense to continue the walk in that case?
Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
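The org-domain tree walk John summarises above, together with the relaxed-alignment question Ale raises, worked through in Python as an added example. This is not code from the DMARCbis draft or from any list participant; DNS lookups are replaced by a constructed in-memory table keyed by the name under which the _dmarc TXT record would live, and the domain names in it (example.com, acme.bank, example.co.uk, c.d, f.c.d) are constructed for illustration. The walk implements John's five rules plus his "two records means none" nit, and the two alignment functions contrast the string-suffix comparison Ale describes with repeating the walk for the DKIM identifier.

```python
# Constructed DNS data: domain -> list of TXT strings published at _dmarc.<domain>.
# Names and records are invented for this example; nothing here is live DNS.
DNS = {
    "example.com": ["v=DMARC1; p=reject"],
    "dup.example.com": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],  # invalid: two records
    "bank": ["v=DMARC1; p=reject; psd=y"],          # a PSD that publishes psd=y
    "co.uk": ["v=DMARC1; p=reject; psd=y"],
    "example.co.uk": ["v=DMARC1; p=none; psd=n"],   # explicitly marked org domain
    "c.d": ["v=DMARC1; p=none"],                    # Ale's letters-only scenario
    "f.c.d": ["v=DMARC1; p=none; psd=y"],           # psd=y below the org domain
}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def dmarc_record(name, dns):
    """The single DMARC record at _dmarc.<name>, or None.

    John's nit: two or more records at one name is invalid, so treat it as none.
    """
    recs = [r for r in (parse_dmarc(t) for t in dns.get(name, [])) if r]
    return recs[0] if len(recs) == 1 else None


def org_domain(domain, dns):
    """Tree walk: chop to the last five labels, walk up, stop at psd or the root.

    Returns the org domain name, or None if no DMARC record was found at all.
    """
    full = domain.lower().rstrip(".").split(".")
    start = max(0, len(full) - 5)           # chop the domain to the last five labels
    last_found = None
    for j in range(start, len(full)):
        name = ".".join(full[j:])
        rec = dmarc_record(name, dns)
        if rec is None:
            continue                        # no (valid, single) record: keep walking
        last_found = name
        psd = rec.get("psd")
        if psd == "n":
            return name                     # record says: this is the org domain
        if psd == "y":
            if j == 0:
                return name                 # psd=y at the original domain itself
            return ".".join(full[j - 1:])   # org domain is the one below the PSD
    return last_found                       # highest record found, or None


def aligned_by_suffix(other_domain, org):
    """String comparison: the identifier equals the org domain or ends with it."""
    other = other_domain.lower()
    return other == org or other.endswith("." + org)


def aligned_by_walk(from_domain, other_domain, dns):
    """Relaxed alignment by repeating the walk: both identifiers share an org domain."""
    a = org_domain(from_domain, dns)
    return a is not None and a == org_domain(other_domain, dns)


if __name__ == "__main__":
    for name in ("mail.example.com", "www.acme.bank", "sub.example.co.uk", "e.f.c.d"):
        print(name, "->", org_domain(name, DNS))
    # Ale's case: From: m.c.d (org domain c.d), DKIM d=e.f.c.d, psd=y at f.c.d
    print("suffix:", aligned_by_suffix("e.f.c.d", "c.d"))
    print("walk:  ", aligned_by_walk("m.c.d", "e.f.c.d", DNS))
```

The walk stores the highest record seen so that John's "otherwise" rule falls out naturally, and the psd=y branch needs the index of the PSD label so that "the one below it" can be rebuilt from the full name even when the domain was chopped to five labels. In the constructed c.d / f.c.d case the suffix comparison reports alignment while the repeated walk does not, which is exactly the divergence Ale asks about.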