It appears that Emil Gustafsson <[email protected]> said:
>
>Since the concept of non-existing domains is important from this privacy
>perspective, should we call out how we suggest that is determined?
>Off the top of my head, using the example from the dmarcbis, would the DNS
>lookups actually become 6 in this case (plus one WHOIS lookup)?
>
> 1. _dmarc.a.b.c.d.e.mail.example.com *[does not exist]*
> 2. _dmarc.e.mail.example.com *[does not exist]*
> 3. _dmarc.mail.example.com *[does not exist]*
> 4. _dmarc.example.com *[does not exist]*
> 5. _dmarc.com *[does exist]*

OK so far.

> 6. example.com

Nope. If _dmarc.com says it's a PSD, then example.com is the org domain. But since _dmarc.example.com does not exist, it declares no policies and asks for no reports. The np= flag applies to the From: domain, so I suppose you'd check a.b.c.d.e.mail.example.com if you hadn't already. If the PSD sets a policy, you can apply that in the usual way, checking the DKIM signatures, if any, and SPF results, if any. The only way I can see the org domain would matter is if there were a signature or envelope from in some other subdomain, e.g. foo.example.com, in which case you apply the usual alignment rules.

> - If this succeeds, we know the domain exists
> - If this does not exist, should we recommend making a WHOIS lookup
> for example.com?

Good lord, no. I suppose we could say that a domain doesn't exist means you do a DNS lookup and see if the result is NXDOMAIN, but that seems obvious.

R's,
John

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
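Added example (not part of this thread and not the dmarcbis text): the tree walk and the NXDOMAIN existence check discussed above, run in Python against a constructed in-memory zone. It assumes the walk queries the five names in Emil's list (full From domain, then its last four labels, then one label shorter per step), that the org domain is the label below the first psd=y record, and that policy falls back from the From domain to the org domain to the PSD record, with np= applying only when the From domain is NXDOMAIN, as John describes.

```python
# Constructed zone (not real DNS): name -> record text. DMARC records live at
# _dmarc.<name>; the other entries only mark that a name exists.
ZONE = {
    "_dmarc.com": "v=DMARC1; p=reject; np=reject; psd=y",  # PSD record
    "example.com": "A 192.0.2.1",  # exists, but publishes no _dmarc record
    "mail.example.com": "MX 10 mx.example.com",
}

def exists(name):
    # False only for NXDOMAIN: nothing at the name and nothing beneath it (an
    # empty non-terminal still exists). This is the check John alludes to.
    return name in ZONE or any(n.endswith("." + name) for n in ZONE)

def walk_names(domain, keep=4):
    # From domain, then (if long) its last `keep` labels, then one label shorter
    # per step down to the TLD: the lookup sequence in Emil's list (assumed rule).
    labels, names = domain.split("."), [domain]
    if len(labels) > keep:
        labels = labels[-keep:]
        names.append(".".join(labels))
    while len(labels) > 1:
        labels = labels[1:]
        names.append(".".join(labels))
    return names

def dmarc_record(name):
    # Parsed tags of the TXT record at _dmarc.<name>, or None if there is none.
    txt = ZONE.get("_dmarc." + name, "")
    tags = dict(kv.split("=", 1) for kv in txt.replace(" ", "").split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None

def policy_for(domain):
    # Returns (org_domain, disposition, source). Org domain: one label below the
    # first psd=y record, else the shortest record found. Policy: From-domain p=,
    # else the org domain's sp=/np=, else the PSD's; np= only for NXDOMAIN.
    found = [(n, r) for n in walk_names(domain) if (r := dmarc_record(n))]
    psd = next((n for n, t in found if t.get("psd") == "y"), None)
    org = (".".join(domain.split(".")[-(psd.count(".") + 2):]) if psd
           else found[-1][0] if found else None)
    records = dict(found)
    if domain in records:
        return org, records[domain].get("p", "none"), f"p= from {domain}"
    for name in (org, psd):
        tags = records.get(name)
        if tags:
            nx = not exists(domain)  # NXDOMAIN is what makes np= apply
            tag = "np" if nx and "np" in tags else "sp" if "sp" in tags else "p"
            return org, tags.get(tag, "none"), f"{tag}= from {name}"
    return org, "none", "no record found"
```

For the thread's example the walk finds only the PSD record, the org domain comes out as example.com with no record of its own, and the PSD's np= applies because the From domain is NXDOMAIN.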
