But this is only for “org-domain” evaluation. The example from Doug was about “adkim:s vs adkim:r”, but 4.8 speaks about “psd”. If at all, if “example.com” had a “psd:y” entry, then my first sentence would even be a necessity, as there should be no alignment possible between a “domain” and a “public-suffix-domain”. Reading through 4.8, I think a more important question pops up: my expectation is that PSDs cannot be aligned, in the sense of DMARCbis, to the 5322.From header domain, but 4.8 does not really answer that. And I’m not sure anymore if that is only my opinion, and what the group’s intent is with DMARCbis in this case.
/ Tobias Herkula

From: dmarc <[email protected]> On Behalf Of Murray S. Kucherawy
Sent: Tuesday, March 12, 2024 8:49 PM
To: IETF DMARC WG <[email protected]>
Subject: Re: [dmarc-ietf] Problem with multiple policies, different alignment

On Tue, Mar 12, 2024 at 6:23 AM Tobias Herkula <[email protected]> wrote:

The DMARC Record on the DKIM signing domain is not relevant for DMARC evaluation, so if the 5322.From header domain is “example.com” the “adkim:r” is relevant for evaluation regarding your example setup and would consider a DKIM signature domain of “sub1.example.com” as aligned. It’s the same behavior as vice versa. As if the 5322.From header domain is “sub1.example.com” the “adkim:s” would apply and a DKIM signature Domain of “example.com” should not be considered aligned.

Well, Section 4.8 in -30 reads:

== BEGIN ==
For Organizational Domain discovery, it may be necessary to perform multiple DNS Tree Walks to determine if any two domains are in alignment. This means that a DNS Tree Walk to discover an Organizational Domain might start at any of the following locations:

* The domain found in the RFC5322.From header of the message being evaluated.
* The domain found in the RFC5321.MailFrom header if there is an SPF pass result for the message being evaluated.
* Any DKIM d= domain if there is a DKIM pass result for that domain for the message being evaluated.
=== END ===

So it's not clear that the "d=" domain isn't relevant. Perhaps this list should be ordered?

-MSK
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
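The following is an added example, not code from the thread or from any DMARCbis implementation, that models the two situations discussed above: which record's adkim tag governs alignment (the RFC5322.From domain's, as Tobias states), and whether a domain whose record carries psd=y can ever be in relaxed alignment with a domain below it. The _dmarc records live in a constructed in-memory dictionary rather than live DNS, and the Organizational Domain selection (a psd=y record marks a public suffix, so the Organizational Domain is the name one label below it; otherwise the highest name with a record wins) is a simplified reading of the tree walk, stated here as an assumption rather than as the text of the draft.

```python
from typing import Dict, List, Optional

# Constructed stand-in for _dmarc TXT records (assumption: not live DNS).
# brand.test is declared a public suffix via psd=y; the *.example.com
# records mirror the adkim:r / adkim:s setup discussed in the thread.
DNS: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=none; adkim=r",
    "_dmarc.sub1.example.com": "v=DMARC1; p=none; adkim=s",
    "_dmarc.brand.test": "v=DMARC1; p=none; psd=y",
    "_dmarc.mail.brand.test": "v=DMARC1; p=reject",
}


def parse_record(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tags are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def lookup(domain: str) -> Optional[Dict[str, str]]:
    txt = DNS.get("_dmarc." + domain.lower())
    return parse_record(txt) if txt else None


def tree_walk(domain: str) -> List[str]:
    """All names on the path from the domain up to the TLD, lowest first."""
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def org_domain(domain: str) -> Optional[str]:
    """Simplified Organizational Domain discovery (assumption, see lead-in).

    If a record on the walk has psd=y, the Organizational Domain is the name
    one label below that public suffix; a PSD itself has none. Otherwise the
    highest name on the walk that publishes a record is the Organizational
    Domain. With no record anywhere there is no Organizational Domain.
    """
    path = tree_walk(domain)
    found = [(i, lookup(name)) for i, name in enumerate(path)]
    found = [(i, rec) for i, rec in found if rec is not None]
    if not found:
        return None
    for i, rec in found:
        if rec.get("psd", "").lower() == "y":
            return path[i - 1] if i > 0 else None
    return path[max(i for i, _ in found)]


def is_aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict: exact match. Relaxed: same Organizational Domain, which
    must exist for both sides (a PSD never aligns with anything)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    a, b = org_domain(from_domain), org_domain(auth_domain)
    return a is not None and a == b


def dkim_aligned(from_domain: str, dkim_d: str) -> bool:
    """Alignment verdict using the adkim of the RFC5322.From domain's
    policy record (falling back to its Organizational Domain's record);
    the DKIM d= domain's own record plays no part."""
    rec = lookup(from_domain)
    if rec is None:
        od = org_domain(from_domain)
        rec = lookup(od) if od else None
    mode = (rec or {}).get("adkim", "r").lower()
    return is_aligned(from_domain, dkim_d, mode)


if __name__ == "__main__":
    for frm, d in [("example.com", "sub1.example.com"),
                   ("sub1.example.com", "example.com"),
                   ("mail.brand.test", "brand.test"),
                   ("mail.brand.test", "x.mail.brand.test")]:
        print(f"From={frm:20} d={d:20} aligned={dkim_aligned(frm, d)}")
```

The first two cases reproduce the asymmetry in Tobias's reply: example.com (adkim=r) accepts a d=sub1.example.com signature, while sub1.example.com (adkim=s) rejects d=example.com. The brand.test cases show the psd=y point: mail.brand.test has an Organizational Domain of itself, brand.test has none, so a signature with d=brand.test cannot be in relaxed alignment with mail from below it, whereas x.mail.brand.test aligns with it.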
