DMARC is an authentication test also. The authentication of the first identifier (SPF or DKIM) serves as a proxy to authenticate the second identifier (FROM), which is conditioned on a satisfactory relationship (equal or aligned) between the two domains.
You began to address the issue in your recent post, which included this:

> I think that if we changed the relaxed definition to the same as or a sub-domain of the From domain it would avoid potential issues like that without practical impact. I don't think I have ever seen legitimate mail where Mail From or DKIM signing domain wasn't either the same or a sub-domain of From that were in the same org domain.

You still need a way to protect the PSL names themselves, and this paragraph does not do so.

Exact match to the authenticated domain is always sufficient to authenticate the FROM domain. From a trust standpoint, the greatest trust occurs when the authenticated identifier (SPF or DKIM) is the parent of the second identifier (FROM). Based on my observed data, I agree that the norm is for FROM to be the parent or the equal, rarely the child. I should be able to provide some data. I will not have data about cousin relationships (unit1.example.com aligned with unit2.example.com).

Doug

On Sun, Oct 31, 2021 at 11:30 AM Scott Kitterman <skl...@kitterman.com> wrote:
> Neither SPF nor DKIM use the PSL, so I still don't understand. What do
> you mean by "authentication testing"?
>
> Scott K
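A worked example added here, not part of the thread, in Python: it evaluates the same identifier pairs under RFC 7489 relaxed alignment (shared Organizational Domain via the PSL) and under the quoted same-or-sub-domain rule, and shows the public-suffix guard the message says that rule still lacks. The PSL subset and the domain names are constructed for illustration.

```python
"""Constructed example: DMARC alignment under two rules (not from the thread)."""

# Constructed subset of the Public Suffix List; the real list is far larger.
PSL = {"com", "org", "uk", "co.uk"}


def _labels(name: str) -> list:
    return name.lower().rstrip(".").split(".")


def org_domain(name: str, psl=PSL) -> str:
    """Organizational Domain per RFC 7489 sec. 3.2: the longest public suffix
    in the name plus the one label to its left, when such a label exists."""
    labels = _labels(name)
    for i in range(len(labels)):            # leftmost hit is the longest suffix
        if ".".join(labels[i:]) in psl:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])            # no PSL match: last two labels


def is_same_or_subdomain(child: str, parent: str) -> bool:
    c, p = ".".join(_labels(child)), ".".join(_labels(parent))
    return c == p or c.endswith("." + p)


def aligned_rfc7489_relaxed(auth_domain: str, from_domain: str) -> bool:
    """Current relaxed mode: both identifiers share an Organizational Domain."""
    return org_domain(auth_domain) == org_domain(from_domain)


def aligned_same_or_subdomain(auth_domain: str, from_domain: str,
                              guard_psl: bool = False) -> bool:
    """Quoted proposal: the SPF/DKIM domain is the From domain or a sub-domain
    of it. guard_psl=True adds the missing protection: a From domain that is
    itself a public suffix never aligns (evil.co.uk must not align with co.uk)."""
    if guard_psl and ".".join(_labels(from_domain)) in PSL:
        return False
    return is_same_or_subdomain(auth_domain, from_domain)


# Constructed pairs: (authenticated SPF/DKIM domain, From domain)
CASES = [
    ("example.com", "example.com"),              # exact match: every rule aligns
    ("mail.example.com", "example.com"),         # auth is a child of From
    ("example.com", "news.example.com"),         # auth is the parent of From
    ("unit1.example.com", "unit2.example.com"),  # cousins: only org-domain rule aligns
    ("evil.co.uk", "co.uk"),                     # From is a PSL name: the gap raised above
]

if __name__ == "__main__":
    for auth, frm in CASES:
        print(f"{auth:>20} / {frm:<18} rfc7489={aligned_rfc7489_relaxed(auth, frm)!s:<5} "
              f"proposed={aligned_same_or_subdomain(auth, frm)!s:<5} "
              f"proposed+guard={aligned_same_or_subdomain(auth, frm, guard_psl=True)}")
```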
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc