Re: [dmarc-discuss] Sub-domain validation

2016-02-09 Thread Franck Martin via dmarc-discuss
Relaxed alignment means the identifier domain (SPF or DKIM) has the same
organizational domain as the domain in the RFC5322.From.

On Tue, Feb 9, 2016 at 1:36 PM, Brotman, Alexander via dmarc-discuss <
dmarc-discuss@dmarc.org> wrote:

> Hello,
>
> I have a question about how to interpret a message for DMARC validation,
> relating to section 3.1.1, specifically:
>
>    To illustrate, in relaxed mode, if a validated DKIM signature
>    successfully verifies with a "d=" domain of "example.com", and the
>    RFC5322.From address is "ale...@news.example.com", the DKIM "d="
>    domain and the RFC5322.From domain are considered to be "in
>    alignment".  In strict mode, this test would fail, since the "d="
>    domain does not exactly match the FQDN of the address.
>
> We've encountered a situation where a sender has a DMARC record, and
> they've signed the message with "d=sub.example.com", and the 5322 From
> Domain is "example.com".  The record does not specify an adkim value, so
> it should default to relaxed.
>
> I'm reading the above as the "relaxed" selector should apply to
> "sub.example.com" and something like "foo.sub.example.com", but not to
> "example.com".  From the way the above reads, this part of the validation
> should fail as there isn't a valid DKIM signature available for the 5322
> domain.  Is this correct?
>
> Thank you
>
> --
> Alex Brotman
> Engineer, Anti-Abuse
> Comcast
> x5364
___
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)

[dmarc-discuss] Sub-domain validation

2016-02-09 Thread Brotman, Alexander via dmarc-discuss
Hello,

I have a question about how to interpret a message for DMARC validation, 
relating to section 3.1.1, specifically:

   To illustrate, in relaxed mode, if a validated DKIM signature
   successfully verifies with a "d=" domain of "example.com", and the
   RFC5322.From address is "ale...@news.example.com", the DKIM "d="
   domain and the RFC5322.From domain are considered to be "in
   alignment".  In strict mode, this test would fail, since the "d="
   domain does not exactly match the FQDN of the address.

We've encountered a situation where a sender has a DMARC record, and they've 
signed the message with "d=sub.example.com", and the 5322 From Domain is 
"example.com".  The record does not specify an adkim value, so it should 
default to relaxed.  

I'm reading the above as the "relaxed" selector should apply to 
"sub.example.com" and something like "foo.sub.example.com", but not to 
"example.com".  From the way the above reads, this part of the validation 
should fail as there isn't a valid DKIM signature available for the 5322 
domain.  Is this correct?

Thank you

--
Alex Brotman
Engineer, Anti-Abuse
Comcast
x5364





Re: [dmarc-discuss] Sub-domain validation

2016-02-09 Thread Roland Turner via dmarc-discuss
Brotman, Alexander wrote:

> I have a question about how to interpret a message for DMARC validation,
> relating to section 3.1.1, specifically:
>
>    To illustrate, in relaxed mode, if a validated DKIM signature
>    successfully verifies with a "d=" domain of "example.com", and the
>    RFC5322.From address is "ale...@news.example.com", the DKIM "d="
>    domain and the RFC5322.From domain are considered to be "in
>    alignment".  In strict mode, this test would fail, since the "d="
>    domain does not exactly match the FQDN of the address.
>
> We've encountered a situation where a sender has a DMARC record, and
> they've signed the message with "d=sub.example.com", and the 5322 From
> Domain is "example.com".  The record does not specify an adkim value, so
> it should default to relaxed.
>
> I'm reading the above as the "relaxed" selector should apply to
> "sub.example.com" and something like "foo.sub.example.com", but not to
> "example.com".  From the way the above reads, this part of the validation
> should fail as there isn't a valid DKIM signature available for the 5322
> domain.  Is this correct?

No. You appear to be confusing the quoted example (merely one case) with the 
spec (all possible cases).

- For a relaxed match the spec merely requires that the organisational domains 
be the same (which is true in each of the cases that you describe).
- The quoted example merely describes one situation, that being what an example 
is. The fact that there are other cases that don't match the example above 
doesn't mean that they aren't supported.

- Roland
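
Added example, not part of the thread or of any DMARC implementation: the relaxed and strict identifier alignment checks discussed in these messages, applied to the domain pairs they mention. `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the function names are illustrative.

```python
# Added illustration; not code from the thread or from any DMARC implementation.
# PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List; the real
# list, whose wildcard and exception rules are omitted here, must be used in practice.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}


def normalize(domain):
    """Lower-case and drop a trailing dot so comparisons are label-exact."""
    return domain.strip().rstrip(".").lower()


def organizational_domain(domain):
    """Return the longest matching public suffix plus one more label."""
    labels = normalize(domain).split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # i == 0 means the name is itself a public suffix.
            return ".".join(labels[max(i - 1, 0):])
    # No listed suffix: treat the last label as the suffix, so the
    # organizational domain is the last two labels.
    return ".".join(labels[-2:])


def aligned(identifier_domain, from_domain, mode="r"):
    """mode is the adkim/aspf value: "r" (relaxed, the default) or "s" (strict)."""
    ident, frm = normalize(identifier_domain), normalize(from_domain)
    if mode == "s":
        return ident == frm
    if mode != "r":
        raise ValueError("mode must be 'r' or 's'")
    return organizational_domain(ident) == organizational_domain(frm)


def report(cases):
    """Evaluate (d= domain, RFC5322.From domain) pairs in both modes."""
    return [(d, f, aligned(d, f, "r"), aligned(d, f, "s")) for d, f in cases]


if __name__ == "__main__":
    cases = [
        ("example.com", "news.example.com"),     # the spec's quoted example
        ("sub.example.com", "example.com"),      # the case asked about
        ("foo.sub.example.com", "example.com"),
        ("example.co.uk", "other.co.uk"),        # different organizations
    ]
    for d, f, relaxed, strict in report(cases):
        print(f"d={d:<20} From={f:<17} relaxed={relaxed} strict={strict}")
```
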