On Tue, Nov 24, 2020 at 10:37 AM Dave Crocker <dcroc...@gmail.com> wrote:
> Just to be clear, I'm not challenging the need. Rather I'm just looking
> for text that explains the need. And I'm not finding it...
>
> On 11/24/2020 7:28 AM, Todd Herr wrote:
>
> There are two reasons (at least) for needing the Organizational Domain,
> and they are discussed in RFC 7489:
>
> 1. DMARC also allows for the explicit or implicit expression of policy
> for sub-domains at the Organizational Domain level. This matters for those
> times when _dmarc.RFC5322.From.domain is non-existent and
> RFC5322.From.domain is a sub-domain of the Organizational Domain.
> 2. The default mode for authenticated identifier alignment, relaxed,
> requires only that the Organizational Domains for both identifiers are the
> same, and so the Organizational Domain must be known in order for relaxed
> alignment to be ascertained.
>
> Except that I do not find either of these points provided in the document.
>
For point 1, this is from Section 6.6.3, Policy Discovery:
1. Mail Receivers MUST query the DNS for a DMARC TXT record at the
DNS domain matching the one found in the RFC5322
<https://tools.ietf.org/html/rfc5322>.From domain in
the message. A possibly empty set of records is returned.
2. Records that do not start with a "v=" tag that identifies the
current version of DMARC are discarded.
3. If the set is now empty, the Mail Receiver MUST query the DNS for
a DMARC TXT record at the DNS domain matching the Organizational
Domain in place of the RFC5322
<https://tools.ietf.org/html/rfc5322>.From domain in the message (if
different). This record can contain policy to be asserted for
subdomains of the Organizational Domain. A possibly empty set of
records is returned.
For point 2, this is from Section 3.1.1, DKIM-Authenticated Identifiers:
In relaxed mode, the Organizational Domains of both the [DKIM
<https://tools.ietf.org/html/rfc7489#ref-DKIM>]-
authenticated signing domain (taken from the value of the "d=" tag in
the signature) and that of the RFC5322
<https://tools.ietf.org/html/rfc5322>.From domain must be equal if
the identifiers are to be considered aligned. In strict mode, only
an exact match between both of the Fully Qualified Domain Names
(FQDNs) is considered to produce Identifier Alignment.
Also for point 2, this is from Section 3.1.2, SPF-Authenticated Identifiers:
In relaxed mode, the [SPF
<https://tools.ietf.org/html/rfc7489#ref-SPF>]-authenticated domain
and RFC5322 <https://tools.ietf.org/html/rfc5322>.From
domain must have the same Organizational Domain. In strict mode,
only an exact DNS domain match is considered to produce Identifier
Alignment.
--
*Todd Herr* | Sr. Technical Program Manager
*e:* todd.h...@valimail.com
*p:* 703.220.4153
This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
