I suspected that the current language is the best that we have, but it is far from an algorithm. Below are the algorithm details that I would expect should be addressed.
The dilemma
- If we mandate more detailed checks, we add complexity which hurts throughput.
- If we take no position, we hinder interoperability.
- If we say MUST NOT check, we provide guidance about how to defeat the test with false positives.

For MX lookup:
- Is the condition satisfied if at least one MX record exists, or do we need to examine contents?
- If we examine contents, do we only look at host name formats, or do we resolve it to an IP address?
- If we resolve to an IP address, do we check for non-routable addresses (loopback, private, multicast)?
- If we resolve to an IP address, and all of the returned addresses are in a different address space than the source IP, is the condition satisfactory or failed?
- If failed, do we proceed to the A lookup or stop?

For A/AAAA lookup:
- The A/AAAA test will generate a lot of false positives. Do we accept that DMARC-publishing domains will still be using Implicit MX, or do we create an expectation, for purposes of this test, that DMARC-publishing domains will use only MX records?
- Do we check just the address space that matches the source IP, or both IPv4 and IPv6?
- Do we check the returned IP for non-routable addresses?

For an A record that is not equal to a DNS domain:
- Do we check the host name to determine whether it is a domain name or a host record within a parent domain?
- If the host name is determined to be a host record within a parent domain, is the domain DMARC policy determined by the host name (which will produce No Policy Found) or is the DMARC policy lookup applied to the parent domain of the host record?
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
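Added illustration, not code from the poster or from any DMARC implementation: the Python sketch below turns each open question in the message into an explicit policy knob (examine MX targets or not, reject non-routable answers or not, restrict to the sender's address family or not, fall through to A/AAAA on MX failure or stop, accept implicit MX or not) and runs the resulting "domain exists" test against a constructed, offline DNS snapshot. The knob names, the fake zone contents, the non-routable prefix list and the reason strings are all assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed DNS snapshot standing in for real lookups so the example runs
# offline. (owner name, RR type) -> rdata strings. None of this is real data.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.10"],
    ("nullmx.example", "MX"): ["0 ."],                     # RFC 7505 null MX
    ("loopback.example", "MX"): ["10 lo.loopback.example."],
    ("lo.loopback.example", "A"): ["127.0.0.1"],
    ("implicit.example", "A"): ["198.51.100.5"],           # no MX: implicit MX via A
    ("v6only.example", "MX"): ["10 mx.v6only.example."],
    ("mx.v6only.example", "AAAA"): ["2001:db8::25"],
    ("private.example", "A"): ["10.0.0.5"],
}

Resolver = Callable[[str, str], List[str]]


def fake_lookup(name: str, rrtype: str) -> List[str]:
    """Stand-in resolver (assumption: a real one would query DNS here)."""
    return FAKE_ZONE.get((name.rstrip(".").lower(), rrtype), [])


@dataclass
class ExistencePolicy:
    """Each field is one of the open questions from the message, as a knob."""
    examine_mx_targets: bool = True      # resolve MX hosts, or accept "an MX exists"?
    reject_nonroutable: bool = True      # drop loopback/private/multicast answers?
    require_source_family: bool = False  # only count addresses in the sender's family?
    fall_through_to_a: bool = True       # on MX failure, try A/AAAA or stop?
    accept_implicit_mx: bool = True      # with no MX at all, does an A/AAAA suffice?


# Address space the message calls non-routable, plus link-local and unspecified.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128",                                      # loopback
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7",   # private
    "224.0.0.0/4", "ff00::/8",                                     # multicast
    "169.254.0.0/16", "fe80::/10",                                 # link-local
    "0.0.0.0/8", "::/128",                                         # unspecified
)]


def is_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_ROUTABLE)


def usable_addresses(host: str, policy: ExistencePolicy, source_family: int,
                     resolve: Resolver) -> List[str]:
    """A/AAAA answers for host that the policy is willing to count."""
    families = [source_family] if policy.require_source_family else [4, 6]
    found: List[str] = []
    for fam in families:
        for addr in resolve(host, "A" if fam == 4 else "AAAA"):
            if policy.reject_nonroutable and not is_routable(addr):
                continue
            found.append(addr)
    return found


def domain_exists(domain: str, policy: ExistencePolicy = ExistencePolicy(),
                  source_family: int = 4, resolve: Resolver = fake_lookup) -> Tuple[bool, str]:
    """Return (passed, reason). The reason string is only for logging."""
    mx_rrs = resolve(domain, "MX")
    if mx_rrs:
        if not policy.examine_mx_targets:
            return True, "mx-record-present"
        targets = [rdata.split()[1] for rdata in mx_rrs]
        if all(t == "." for t in targets):
            return False, "null-mx"          # domain explicitly accepts no mail
        for host in targets:
            if host != "." and usable_addresses(host, policy, source_family, resolve):
                return True, "mx-target-resolves"
        if not policy.fall_through_to_a:
            return False, "mx-targets-unusable"
    elif not policy.accept_implicit_mx:
        return False, "no-mx-and-implicit-mx-not-accepted"
    # No usable MX: RFC 5321 implicit MX, i.e. the domain's own A/AAAA records
    if usable_addresses(domain, policy, source_family, resolve):
        return True, "implicit-mx-via-address-record"
    return False, "no-mail-routing-records"


if __name__ == "__main__":
    strict = ExistencePolicy()
    lenient = ExistencePolicy(examine_mx_targets=False, reject_nonroutable=False)
    for name in ("example.com", "nullmx.example", "loopback.example",
                 "implicit.example", "v6only.example", "private.example"):
        print(f"{name:18} strict={domain_exists(name, strict)}  "
              f"lenient={domain_exists(name, lenient)}")
```

Running it side by side shows the trade-off the message describes: the lenient policy (MX presence only, no routability filter) passes loopback.example and private.example, which is exactly the false-positive surface a "MUST NOT check" rule would leave open, while the strict policy rejects them at the cost of extra lookups per message. The v6only.example case isolates the address-family question: with require_source_family set, an IPv4 sender sees the domain as non-existent even though its MX target has a perfectly good AAAA record.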