Hi,

the need to actually determine the organizational domain is a
misconception. For alignment, it is sufficient to determine that the
organizational domain of two identifiers is the same. There is no need
to actually walk up there.

For example, let's reconsider the basic example with an added subdomain:

    From: @dept.example.com
    DKIM d=signing.dept.example.com
    MailFrom mail.dept.example.com

_dmarc.dept.example.com has a classic DMARC record (w/o psd=), so
that's the policy (and reporting) record. To check, say, DKIM, a
verifier queries _dmarc.signing.example.com and gets NXDOMAIN. At
this point it already knows dept.example.com is valid. The org domain
probably is example.com, or maybe it has psd=y, or maybe it has no
record at all, who cares? Whatever it is, it is the same for parent
and child.

In practice, this means that in the common cases it is not necessary
to query _dmarc.com.

I'd propose to collect this and the three shortcuts of Section 4.8 (no
need to perform Tree Walk searches for Organizational Domains) and
move them to an appendix.

To better clean up that section, I'd also remove the paragraph:

    To discover the Organizational Domain for a domain, perform the DNS
    Tree Walk described in Section 4.6 as needed for any of the domains
    in question.

It can be understood as stating that the algorithm which follows
allows one to determine the org domain for any domain at hand. Indeed, it
does not say that the algorithm is valid for the needed domains only.

Best
Ale
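
Added example, not part of the message above or of the DMARC draft: a Python sketch that runs a simplified Tree Walk over constructed DNS data and compares it with the shortcut the message describes, using the identifiers from its example. The `zone` dictionaries, the function names and the organizational domain selection rules as coded here are assumptions of this example; the draft's cap on the number of queries is omitted.

```python
def parents(domain):
    """Return the domain itself, then each parent name down to the TLD."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def org_domain(domain, zone):
    """Simplified full Tree Walk. zone maps a name to the psd value ('y', 'n',
    or 'u' for absent) of the record at _dmarc.<name>; no key means no record."""
    found = [d for d in parents(domain) if d in zone]      # longest name first
    for d in found:
        if zone[d] == "n":                                 # explicit org domain
            return d
    for d in found:
        if zone[d] == "y" and d != domain:                 # PSD above the start
            keep = d.count(".") + 2                        # one label below it
            return ".".join(domain.split(".")[-keep:])
    return found[-1] if found else domain                  # fewest labels, or self

def shortcut_same_org(author, other, zone, queried):
    """True when both names provably share an org domain using only lookups
    at or below the author domain; None when a full walk is still needed."""
    if not other.endswith("." + author):
        return None
    queried.append(author)
    if zone.get(author) not in ("u", "n"):                 # no record, or psd=y
        return None
    for name in parents(other):
        if name == author:
            return True                                    # nothing in between
        queried.append(name)
        if name in zone:                                   # intermediate record
            return None

AUTHOR = "dept.example.com"
OTHERS = ["signing.dept.example.com", "mail.dept.example.com"]
# Constructed variants of what may exist above the author domain.
ABOVE = [{}, {"example.com": "u"}, {"example.com": "n"}, {"com": "y"}]

def compare(above, author_psd="u"):
    """Return (shortcut results, full-walk agreement, names queried)."""
    zone = dict(above, **{AUTHOR: author_psd})
    queried = []
    quick = [shortcut_same_org(AUTHOR, o, zone, queried) for o in OTHERS]
    full = [org_domain(o, zone) == org_domain(AUTHOR, zone) for o in OTHERS]
    return quick, full, queried

if __name__ == "__main__":
    for above in ABOVE:
        print(above, compare(above))
```

When the author domain's own record carries psd=y the shortcut declines to answer, because in that case a full walk puts the subdomain in a different organizational domain from its parent.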