On Mon 21/Oct/2024 17:41:03 +0200 internet-drafts wrote:
> [...]
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dmarc-dmarcbis-34
A new snippet is as follows:
> The following example illustrates this possibility:
> * Mail is sent with an Author Domain of "a.mail.example.com" and
> Authenticated Identifiers of "mail.example.com"
> * There is no DMARC Policy Record published at
> "_dmarc.a.mail.example.com"
> * There is one published at "_dmarc.mail.example.com" and this is
> intended to be the Organizataional Domain for this message
> * There is also a DMARC Policy Record published at
> "_dmarc.example.com", with default alignment (relaxed)
> * An is able to send mail with the Author Domain of
> "evil.example.com" and an Authenticated Identifier of
> "mail.example.com"
> In this scenario, if a Mail Receiver incorrectly determines the
> Organizational Domain to be "example.com", then the attacker's mail
> will pass DMARC validation checks.
1) The last bullet has "An is able to send". Missing subject?
2) The correct org domain is example.com, isn't it? The third bullet doesn't
say whether there is a psd=n at _dmarc.mail.example.com. So in what sense is
it /intended/ to be the org domain?
Best
Ale
--
_______________________________________________
dmarc mailing list -- [email protected]
To unsubscribe send an email to [email protected]
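The scenario quoted in the draft snippet, modelled in code. This is an added example, not code from the dmarcbis draft or from the message above. It assumes a deliberately simplified reading of the tree walk (walk up one label at a time, collect records, prefer a psd=n domain, else the domain one label below a psd=y record, else the shortest domain with a record) and that relaxed alignment means the two Organizational Domains match; the record sets, the walk limit and the function names are all constructed for this example. It goes one step beyond the quoted text by also running the variant Ale asks about, where _dmarc.mail.example.com carries psd=n, so the effect of that tag on the spoofed message is visible side by side.

```python
"""Simplified DMARC Organizational Domain discovery and identifier alignment.

Added example, not code from the dmarcbis draft or the mailing-list post.
The walk rules are a simplified reading of the tree walk (an assumption of
this example, not a transcription of the draft's exact text):
  * walk up from the domain one label at a time and collect DMARC records;
  * if any record carries psd=n, the longest such domain is the Org Domain;
  * else if any record carries psd=y, the Org Domain is one label below it;
  * else the Org Domain is the shortest domain at which a record was found;
  * if nothing is found, the domain is its own Org Domain.
Records live in an in-memory dict standing in for DNS TXT lookups.
"""

MAX_WALK = 8  # assumed cap on labels examined; chosen for this example


def _labels(domain):
    return domain.lower().rstrip(".").split(".")


def walk_candidates(domain):
    """Yield the domain and each ancestor, longest first, up to MAX_WALK."""
    labels = _labels(domain)
    for i in range(min(len(labels), MAX_WALK)):
        yield ".".join(labels[i:])


def tree_walk(domain, records):
    """Return [(candidate, record), ...] for every candidate with a record."""
    found = []
    for cand in walk_candidates(domain):
        rec = records.get("_dmarc." + cand)
        if rec is not None and rec.get("v") == "DMARC1":
            found.append((cand, rec))
    return found


def organizational_domain(domain, records):
    """Apply the simplified rules listed in the module docstring."""
    found = tree_walk(domain, records)
    for cand, rec in found:  # longest first, so the first psd=n wins
        if rec.get("psd") == "n":
            return cand
    for cand, rec in found:
        if rec.get("psd") == "y":
            labels = _labels(domain)
            below = cand.count(".") + 2  # one label longer than the psd=y domain
            return ".".join(labels[-below:]) if len(labels) >= below else cand
    if found:
        return found[-1][0]  # shortest domain that published a record
    return ".".join(_labels(domain))


def aligned(author_domain, auth_identifier, records, mode="r"):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r',
    the default) needs the two Organizational Domains to match."""
    a = ".".join(_labels(author_domain))
    b = ".".join(_labels(auth_identifier))
    if mode == "s":
        return a == b
    return organizational_domain(a, records) == organizational_domain(b, records)


# Constructed records matching the quoted scenario: no psd tag anywhere.
AS_QUOTED = {
    "_dmarc.mail.example.com": {"v": "DMARC1", "p": "reject"},
    "_dmarc.example.com": {"v": "DMARC1", "p": "none"},
}

# Same zone, but mail.example.com declares itself an Organizational Domain.
WITH_PSD_N = {
    "_dmarc.mail.example.com": {"v": "DMARC1", "p": "reject", "psd": "n"},
    "_dmarc.example.com": {"v": "DMARC1", "p": "none"},
}


def scenario(records):
    """Evaluate the legitimate and the spoofed message against one record set."""
    return {
        "org(mail.example.com)": organizational_domain("mail.example.com", records),
        "org(evil.example.com)": organizational_domain("evil.example.com", records),
        "legit aligned": aligned("a.mail.example.com", "mail.example.com", records),
        "spoof aligned": aligned("evil.example.com", "mail.example.com", records),
    }


if __name__ == "__main__":
    for name, recs in (("as quoted", AS_QUOTED), ("with psd=n", WITH_PSD_N)):
        print(name, scenario(recs))
```

With the records exactly as the snippet describes them, both identifiers resolve to example.com and the evil.example.com message aligns under relaxed mode, which is the failure the draft warns about. Adding psd=n at _dmarc.mail.example.com makes mail.example.com its own Organizational Domain, so the legitimate a.mail.example.com message still aligns while the spoofed one no longer does; that is the distinction behind the second question in the message.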