On Thu 17/Mar/2022 20:50:39 +0100 John Levine wrote:
> It appears that Alessandro Vesely <[email protected]> said:
>>> To find the org domain for a domain:
>>>
>>> chop the domain to the last five labels and walk up the tree.
>>> stop when you find a DMARC record with psd or you hit the root.
>>> if a record has psd=n, that's the org domain
>>> if a record has psd=y and it isn't the original domain, the org domain is
>>> the one below it
>>> otherwise the org domain is the last (highest) DMARC record you found
>>
>> Fine. DMARC /specifies/ that the org domain MUST publish a record.
>
> No, that's not what it says. If you encounter psd=y and go back one,
> that can be an org domain without a record. It is currently possible
> to have org domains without records and I see no reason to change that.

The reason to require an org record is that filters cannot determine that a
domain is an org domain without it. The only exception is domains registered
right below a PSD publishing psd=y. Otherwise the org domain is the last
(highest) DMARC record you found.

>>> Relaxed alignment doesn't change, if two domains have the same org domain,
>>> they're aligned.
>>
>> On a mail From:[email protected],
>> assume we have already determined that the org domain is c.d. Then there is a
>> signature with d=e.f.c.d. It is aligned based on string comparison.
>> Repeating the tree walk, we'd get a different result if we find psd=y at
>> _dmarc.f.c.d. Is that realistic?
>
> Yes, of course it is. Look at some of the PSL entries.

I may be dumb, but I stared at the PSL for a few minutes and couldn't think of
non-aligned subdomains of an org domain. Yes, there are PSDs which are a
substring of another PSD. For example .it and .milano.it, or *.kobe.jp and
!city.kobe.jp. However, prepending the org domain label you obviously get a
unique suffix. Everything at or below the org domain belongs to that org. Any
two identifiers belonging to the same org are mutually aligned.

Best
Ale
--
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
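
The tree walk quoted at the top of this message, run on the d=e.f.c.d case discussed after it, as an added example that is not part of the original thread and not taken from any DMARC implementation. The in-memory RECORDS table stands in for `_dmarc.<name>` TXT lookups; its contents, the From domain a.c.d and the function names are constructed for illustration.

```python
# Constructed stand-in for DNS: domain name -> tags of its _dmarc TXT record.
RECORDS = {
    "c.d": {"p": "reject"},      # DMARC record without a psd tag
    "f.c.d": {"psd": "y"},       # the psd=y record at _dmarc.f.c.d from the thread
}

def org_domain(domain, records=RECORDS):
    """Tree walk as quoted in the thread; returns None if no record is found."""
    labels = domain.lower().rstrip(".").split(".")
    start = max(0, len(labels) - 5)          # chop to the last five labels
    highest = None                           # last (highest) record seen so far
    for i in range(start, len(labels)):      # walk up towards the root
        name = ".".join(labels[i:])
        rec = records.get(name)
        if rec is None:
            continue
        psd = rec.get("psd")
        if psd == "n":
            return name                      # psd=n: this is the org domain
        if psd == "y":
            if i > 0:                        # not the original domain:
                return ".".join(labels[i - 1:])  # org domain is the one below
            return name                      # psd=y on the original domain: stop
        highest = name                       # record without psd: keep walking
    return highest

def aligned_by_walk(from_domain, dkim_domain, records=RECORDS):
    """Relaxed alignment: both identifiers yield the same org domain."""
    a, b = org_domain(from_domain, records), org_domain(dkim_domain, records)
    return a is not None and a == b

def aligned_by_suffix(org, dkim_domain):
    """Alignment by string comparison against an already determined org domain."""
    return dkim_domain == org or dkim_domain.endswith("." + org)

if __name__ == "__main__":
    org = org_domain("a.c.d")
    print("org domain of From:", org)
    print("org domain of d=  :", org_domain("e.f.c.d"))
    print("string comparison :", aligned_by_suffix(org, "e.f.c.d"))
    print("repeated tree walk:", aligned_by_walk("a.c.d", "e.f.c.d"))
```

With these records the string comparison reports the signature as aligned while the repeated walk does not, which is the divergence the exchange above is about.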