With this comment, we see the pernicious effect of using a binary psd=(y|n) token to represent a multi-valued role. When the role indicator is missing, there is no default value, instead it must be inferred from the context. Since the author of the proposed text is confused on this point, it is certain that the general community will be confused as well.
On Wed, Mar 16, 2022 at 11:27 PM Scott Kitterman <[email protected]> wrote: > On Wednesday, March 16, 2022 11:02:00 PM EDT John Levine wrote: > > It appears that Scott Kitterman <[email protected]> said: > > >It took a fair amount of editing and I expect you all will have further > > >suggestions, so instead of getting up to my elbows in XML, I took the > > >published DMARCbis-05 text and updated it directly. The modified > version > > >and an rfcdiff are attached. > > > > It's closer, but I think it still needs some reorganization. I think > this > > is where we want to end up: > > > > Policy domain: if a domain has a dmarc record, that's the policy, > otherwise > > use the org domain's policy or if no org domain policy, PSD policy. > > > > You need to find org domains if > > a) the domain has no DMARC record so you use the org domain's instead, OR > > b) the DKIM domain doesn't match the from header domain and policy > adkim=r. > > OR c) the SPF domain doesn't match the from header domain and policy > > aspf=r. > > > > To find the org domain for a domain: > > chop the domain to the last five labels and walk up the tree. > > stop when you find a DMARC record with psd or you hit the root. > > if a record has psd=n, that's the org domain > > if a record has psd=y and it isn't the original domain, the org domain > is > > the one below it otherwise the org domain is the last (highest) DMARC > > record you found > > > > Relaxed alignment doesn't change, if two domains have the same org > domain, > > they're aligned. > > > > Minor nit: if a name has two or more DMARC records, that's invalid so > > pretend it had none. > > Thanks. I think that makes sense. Based on an offlist comment I got, I > think > it needs to say has an explicit psd=n in the record or something like > that. > Since psd=n is the default, it's implicitly true for any record that > doesn't > have psd=y in it. > > I'll take another shot at it, but I'm unlikely to finish it tonight. > > Scott K > > > _______________________________________________ > dmarc mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
