On Tue, Mar 12, 2024 at 6:23 AM Tobias Herkula <tobias.herkula= 401und1...@dmarc.ietf.org> wrote:
> The DMARC Record on the DKIM signing domain is not relevant for DMARC
> evaluation, so if the 5322.From header domain is “example.com” the
> “adkim:r” is relevant for evaluation regarding your example setup and would
> consider a DKIM signature domain of “sub1.example.com” as aligned. It’s
> the same behavior as vice versa. As if the 5322.From header domain is
> “sub1.example.com” the “adkim:s” would apply and a DKIM signature Domain
> of “example.com” should not be considered aligned.
>

Well, Section 4.8 in -30 reads:

== BEGIN ==

For Organizational Domain discovery, it may be necessary to perform multiple DNS Tree Walks to determine if any two domains are in alignment. This means that a DNS Tree Walk to discover an Organizational Domain might start at any of the following locations:

* The domain found in the RFC5322.From header of the message being evaluated.
* The domain found in the RFC5321.MailFrom header if there is an SPF pass result for the message being evaluated.
* Any DKIM d= domain if there is a DKIM pass result for that domain for the message being evaluated.

=== END ===

So it's not clear that the "d=" domain isn't relevant. Perhaps this list should be ordered?

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
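
An added illustration of the two points raised in this exchange (not code from either poster or from the draft): the adkim mode is read from the record that applies to the RFC5322.From domain, as the quoted reply describes, while a passing DKIM d= domain is still a starting point for its own tree walk, as the Section 4.8 excerpt lists. The DNS data is constructed, and `org_domain` is a simplification that takes the shortest name publishing a record and ignores psd= tags.

```python
# Constructed DNS TXT data (not real records): _dmarc name -> record text.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r",
    "_dmarc.sub1.example.com": "v=DMARC1; p=reject; adkim=s",
}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; adkim=r' into a tag dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def tree_walk(domain, dns=DNS_TXT):
    """Return [(name, tags)] for every DMARC record from `domain` upward."""
    labels = domain.lower().rstrip(".").split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        record = dns.get("_dmarc." + name)
        if record and parse_tags(record).get("v") == "DMARC1":
            found.append((name, parse_tags(record)))
    return found

def org_domain(domain, dns=DNS_TXT):
    """Simplified assumption: shortest name with a record; psd= is ignored."""
    found = tree_walk(domain, dns)
    return found[-1][0] if found else None

def dkim_aligned(from_domain, d_domain, dns=DNS_TXT):
    """Alignment of a passing DKIM d= domain against the From domain."""
    found = tree_walk(from_domain, dns)
    if not found:
        return False  # no DMARC policy applies to this From domain
    # adkim comes from the record that applies to the From domain (first hit
    # of its walk); the record at the d= domain is never read for adkim.
    mode = found[0][1].get("adkim", "r")
    if mode == "s":
        return from_domain.lower() == d_domain.lower()
    # Relaxed: a second walk, starting at d=, is needed to compare org domains.
    org = org_domain(d_domain, dns)
    return org is not None and org == org_domain(from_domain, dns)
```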