Okay, thank you.  As Roland suggested, we took the example as the way it was 
meant to work, not just one of many examples.  Thanks again.

--
Alex Brotman
Engineer, Anti-Abuse
Comcast
x5364

From: MH Michael Hammer (5304) [mailto:mham...@ag.com]
Sent: Wednesday, February 10, 2016 9:57 AM
To: Brotman, Alexander <alexander_brot...@cable.comcast.com>; 
dmarc-discuss@dmarc.org
Subject: RE: [!!Mass Mail]Re: [dmarc-discuss] Sub-domain validation

I concur with Franck on this.

From: dmarc-discuss [mailto:dmarc-discuss-boun...@dmarc.org] On Behalf Of 
Franck Martin via dmarc-discuss
Sent: Tuesday, February 09, 2016 4:55 PM
To: Brotman, Alexander
Cc: dmarc-discuss@dmarc.org
Subject: [!!Mass Mail]Re: [dmarc-discuss] Sub-domain validation

Relaxed alignment means the identifier domain (SPF or DKIM) has the same 
organizational domain as the domain in the RFC5322.From.

On Tue, Feb 9, 2016 at 1:36 PM, Brotman, Alexander via dmarc-discuss 
<dmarc-discuss@dmarc.org> wrote:
Hello,

I have a question about how to interpret a message for DMARC validation, 
relating to section 3.1.1, specifically:

   To illustrate, in relaxed mode, if a validated DKIM signature
   successfully verifies with a "d=" domain of "example.com", and the
   RFC5322.From address is "ale...@news.example.com", the DKIM "d="
   domain and the RFC5322.From domain are considered to be "in
   alignment".  In strict mode, this test would fail, since the "d="
   domain does not exactly match the FQDN of the address.

We've encountered a situation where a sender has a DMARC record, and they've 
signed the message with "d=sub.example.com", and the 5322 From Domain is 
"example.com".  The record does not specify an adkim value, so it should 
default to relaxed.

I'm reading the above as the "relaxed" selector should apply to 
"sub.example.com" and something like "foo.sub.example.com", but not to 
"example.com".  From the way the above reads, this part of the validation 
should fail as there isn't a valid DKIM signature available for the 5322 
domain.  Is this correct?

Thank you

--
Alex Brotman
Engineer, Anti-Abuse
Comcast
x5364



_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
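
Added example, not part of the thread or of the DMARC specification: a sketch of the identifier alignment test discussed above, run on both the specification's example and the "d=sub.example.com" case from the original question. The function names are hypothetical, and PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List that a real validator would load in full.

```python
# Added example: DMARC identifier alignment (relaxed vs. strict).
# PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List;
# a real validator loads the full list.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Return the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    # Scanning from the left finds the longest public suffix first.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # A bare public suffix has no label below it; return it unchanged.
            return ".".join(labels[max(i - 1, 0):])
    # Suffix not in the list: fall back to the last two labels.
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    """Check an authenticated identifier (DKIM d= or SPF domain) against
    the RFC5322.From domain. mode is the adkim/aspf value: "r" or "s"."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        # Strict: the two domains must match exactly.
        return f == a
    # Relaxed: only the organizational domains must match, so the
    # comparison is symmetric (parent/child in either direction).
    return organizational_domain(f) == organizational_domain(a)


def check_cases():
    cases = [
        # (RFC5322.From domain, DKIM d=, adkim)
        ("news.example.com", "example.com", "r"),  # example from section 3.1.1
        ("news.example.com", "example.com", "s"),
        ("example.com", "sub.example.com", "r"),   # case asked about in the thread
        ("example.com", "sub.example.com", "s"),
        ("example.co.uk", "other.co.uk", "r"),     # different organizations
    ]
    return [aligned(f, d, m) for f, d, m in cases]


if __name__ == "__main__":
    print(check_cases())
```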
