I have been building a DMARC implementation, starting with a simple function: TreeWalk(domain) which returns:
- Policy found or not found indicator
- Policy Domain
- Organizational Domain
- Policy record

My thought was that the Tree Walk result was independent of the domain identifier being checked, but this is not true.

Assume these DMARC policies:
- example.com aspf:r adkim:r
- sub1.example.com aspf:s adkim:s

When the message contains:
- From: u...@sub1.example.com
- DKIM: d=example.com

Strict alignment on the From domain makes the organizational domain unimportant, so the PSL lookup or Tree Walk are not necessary. The organizational domain used for reporting purposes is sub1.example.com. The DKIM signature is not aligned.

But when the message contains the reverse, the logic gets complicated:
- From: u...@example.com
- DKIM: d=sub1.example.com

If we apply the same Tree Walk to this message, we have a problem. The From domain Tree Walk returns "example.com" as the organizational domain, and the Tree Walk of the DKIM domain returns "sub1.example.com" as the organizational domain because of strict alignment. So the result appears to be unaligned.

Consequently, the Tree Walk needs to be sensitive to the identifier being checked. If the identifier is not the From address, the Tree Walk is only interested in the existence of a policy and the PSL tags, and the special case related to strict alignment needs to be bypassed.

I don't think this case was covered in previous discussions.

Doug Foster
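Added example, not part of the original message and not the author's implementation: a simplified Python model of the two messages above, comparing an identifier-independent Tree Walk with an identifier-sensitive one. The policy table, the function names and the identifier_sensitive flag are assumptions; DNS lookups are replaced by a constructed dictionary and psd tag handling is left out.

```python
# Constructed policy table standing in for TXT lookups at _dmarc.<domain>.
POLICIES = {
    "example.com": {"aspf": "r", "adkim": "r"},
    "sub1.example.com": {"aspf": "s", "adkim": "s"},
}

def tree_walk(domain, is_from_identifier=True):
    """Return (found, policy_domain, org_domain, record) for a domain."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    # Candidate names from the full domain up to, but excluding, the TLD.
    candidates = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    found = [d for d in candidates if d in POLICIES]
    if not found:
        return (False, None, None, None)
    policy_domain = found[0]
    record = POLICIES[policy_domain]
    strict = record["aspf"] == "s" and record["adkim"] == "s"
    # Special case from the message: a strict policy published on the domain
    # itself pins the organizational domain to that domain. It is applied only
    # when the identifier being walked is the From domain.
    if is_from_identifier and strict and policy_domain == domain:
        org_domain = policy_domain
    else:
        # Simplification (assumption): the highest name with a record.
        org_domain = found[-1]
    return (True, policy_domain, org_domain, record)

def dkim_aligned(from_domain, dkim_domain, identifier_sensitive):
    """Check DKIM alignment of d=dkim_domain against the From domain."""
    found, _, from_org, record = tree_walk(from_domain)
    if not found:
        return False
    if record["adkim"] == "s":
        # Strict alignment: exact match, no organizational domain needed.
        return from_domain.lower() == dkim_domain.lower()
    # Relaxed alignment: compare organizational domains. The naive variant
    # walks the DKIM domain as if it were a From domain.
    _, _, dkim_org, _ = tree_walk(
        dkim_domain, is_from_identifier=not identifier_sensitive)
    return dkim_org is not None and from_org == dkim_org

if __name__ == "__main__":
    cases = [("sub1.example.com", "example.com"),
             ("example.com", "sub1.example.com")]
    for frm, d in cases:
        print(frm, d, dkim_aligned(frm, d, False), dkim_aligned(frm, d, True))
```
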