The DMARC record on the DKIM signing domain is not relevant for DMARC 
evaluation, so if the 5322.From header domain is “example.com”, the “adkim:r” is 
relevant for evaluation in your example setup and would consider a DKIM 
signature domain of “sub1.example.com” as aligned. The same behavior applies 
vice versa: if the 5322.From header domain is “sub1.example.com”, the 
“adkim:s” would apply and a DKIM signature domain of “example.com” should not 
be considered aligned.

/ Tobias Herkula

From: dmarc <dmarc-boun...@ietf.org> On Behalf Of Douglas Foster
Sent: Tuesday, March 12, 2024 12:15 PM
To: IETF DMARC WG <dmarc@ietf.org>
Subject: [dmarc-ietf] Problem with multiple policies, different alignment

I have been building a DMARC implementation, starting with a simple function:
TreeWalk(domain) which returns:

  *   Policy found or not found indicator
  *   Policy Domain
  *   Organizational Domain
  *   Policy record
My thought was that the Tree Walk result was independent of the domain 
identifier being checked, but this is not true.

Assume these DMARC policies:

  *   example.com aspf:r adkim:r
  *   sub1.example.com aspf:s adkim:s

When the message contains:

  *   From: u...@sub1.example.com
  *   DKIM: d=example.com
Strict alignment on the From domain makes the organizational domain 
unimportant, so the PSL lookup or Tree Walk are not necessary. The 
organizational domain used for reporting purposes is sub1.example.com. 
The DKIM signature is not aligned.

But when the message contains the reverse, the logic gets complicated:

  *   From: u...@example.com
  *   DKIM: d=sub1.example.com
If we apply the same Tree Walk to this message, we have a problem. The From 
domain Tree Walk returns "example.com" as the organizational domain, and the 
Tree Walk of the DKIM domain returns "sub1.example.com" as the organizational 
domain because of strict alignment. So the result appears to be unaligned.

Consequently, the Tree Walk needs to be sensitive to the identifier being 
checked. If the identifier is not the From address, the Tree Walk is only 
interested in the existence of a policy and the PSL tags, and the special case 
related to strict alignment needs to be bypassed.

I don't think this case was covered in previous discussions.

Doug Foster

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
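The following is an added worked example, not code from either poster, that models the two messages from the original post under the rule stated in the reply: the alignment mode (adkim/aspf) is taken from the DMARC record that governs the RFC5322.From domain, and the record published on the DKIM d= domain is consulted only to locate that domain's organizational domain under relaxed alignment. The DMARC_RECORDS table stands in for _dmarc TXT lookups and is constructed; tree_walk is a deliberately simplified walk (first record found is the policy domain, record closest to the root is the organizational domain, psd= tags and the label limit ignored), and all function names are hypothetical.

```python
"""Simplified DMARC identifier alignment check (added example, not list code)."""

# Constructed stand-in for _dmarc.<domain> TXT lookups: the two policies
# from the original message. Not real DNS data.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; aspf=r; adkim=r",
    "sub1.example.com": "v=DMARC1; p=reject; aspf=s; adkim=s",
}


def parse_record(txt):
    """Split 'tag=value; tag=value' into a dict, tolerating whitespace."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def tree_walk(domain):
    """Return (policy_domain, org_domain, record) for a domain.

    Assumption (simplified, not the full DMARCbis algorithm): walk from the
    domain toward the root, stopping short of the TLD. The policy domain is
    the first domain with a record; the organizational domain is the
    record-bearing domain closest to the root. psd= tags and the real
    walk's label limit are ignored. A domain with no record anywhere above
    it is treated as its own organizational domain.
    """
    labels = domain.lower().split(".")
    found = []
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        txt = DMARC_RECORDS.get(candidate)
        if txt is not None:
            found.append((candidate, parse_record(txt)))
    if not found:
        return None, domain.lower(), None
    policy_domain, record = found[0]
    org_domain = found[-1][0]
    return policy_domain, org_domain, record


def identifier_aligned(from_domain, auth_domain, tag):
    """Alignment test for one authenticated identifier.

    tag is 'adkim' for the DKIM d= domain or 'aspf' for the SPF domain.
    Only the From domain's record decides the mode; the identifier's own
    record is never read for its adkim/aspf tag, only (under relaxed mode)
    for its organizational domain.
    """
    from_domain = from_domain.lower()
    auth_domain = auth_domain.lower()
    _, from_org, from_record = tree_walk(from_domain)
    if from_record is None:
        return False  # no applicable policy, so nothing to align against
    mode = from_record.get(tag, "r")  # relaxed is the DMARC default
    if mode == "s":
        return from_domain == auth_domain
    _, auth_org, _ = tree_walk(auth_domain)
    return from_org == auth_org


def dkim_aligned(from_domain, dkim_d):
    return identifier_aligned(from_domain, dkim_d, "adkim")


def spf_aligned(from_domain, spf_domain):
    return identifier_aligned(from_domain, spf_domain, "aspf")


if __name__ == "__main__":
    # The two messages from the original post.
    for frm, d in [("sub1.example.com", "example.com"),
                   ("example.com", "sub1.example.com")]:
        print(f"From={frm} d={d}: DKIM aligned={dkim_aligned(frm, d)}")
```

With these records the first message (From sub1.example.com, d=example.com) is evaluated under adkim=s and is not aligned, while the reverse message (From example.com, d=sub1.example.com) is evaluated under adkim=r, both domains resolve to the organizational domain example.com, and the signature is aligned. The walk over the DKIM domain never influences the mode, which is the point of the reply.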
