Don't the alignment rules allow any DKIM signature for the organization to
validate any FROM address for the organization -- up, down, or sideways?

To use the sideways example, this means that an RFC 5322.From address of
"u...@security.example.edu" can be validated for DMARC:
- by SPF PASS on an RFC5321.MailFrom address of "u...@humanities.example.edu",
  or
- by a verified DKIM signature issued by d=Humanities.Example.Edu using a
  public key published in the Humanities sub-tree.

That, at least, is my understanding.

Doug
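
As an added illustration of the point under discussion (this is example code, not from the thread or from any DMARC implementation): the function below evaluates DMARC identifier alignment for the "sideways" scenario, showing that under relaxed alignment (the default) an SPF PASS or verified DKIM signature for humanities.example.edu validates a From of security.example.edu, while the strict policy Todd describes (adkim=s; aspf=s) rejects it. It assumes a deliberately simplified organizational-domain lookup (last two labels), which is only correct for names like example.edu; a real evaluator would use the Public Suffix List or the tree walk being debated here.

```python
# Added example (not code from the thread or from any DMARC implementation):
# evaluates DMARC identifier alignment in relaxed ("r") and strict ("s") mode
# for the security.example.edu scenario discussed above.
#
# Assumption: organizational_domain() is a simplified stand-in. It keeps the
# last two labels, which suffices for example.edu but is NOT correct in
# general (e.g. example.co.uk); real evaluators consult the Public Suffix
# List or the DNS tree walk the thread is debating.

def organizational_domain(domain: str) -> str:
    """Toy organizational-domain lookup: last two DNS labels (see assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict requires an exact (case-insensitive) match,
    relaxed only requires the same organizational domain."""
    f = from_domain.lower().rstrip(".")
    a = auth_domain.lower().rstrip(".")
    if mode == "s":
        return f == a
    if mode == "r":
        return organizational_domain(f) == organizational_domain(a)
    raise ValueError(f"unknown alignment mode {mode!r}")


def parse_dmarc_record(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=s'
    into a tag dict, defaulting adkim and aspf to relaxed as the spec does."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def dmarc_pass(from_domain: str, record: str, spf_result: str,
               mailfrom_domain: str, dkim_results: list) -> bool:
    """DMARC passes if SPF produced PASS on an aligned RFC5321.MailFrom domain,
    or if any DKIM signature that verified carries an aligned d= domain.
    dkim_results is a list of (d_domain, result) pairs."""
    policy = parse_dmarc_record(record)
    spf_ok = (spf_result == "pass"
              and aligned(from_domain, mailfrom_domain, policy["aspf"]))
    dkim_ok = any(result == "pass" and aligned(from_domain, d, policy["adkim"])
                  for d, result in dkim_results)
    return spf_ok or dkim_ok


if __name__ == "__main__":
    # Constructed scenario from the thread: the message claims to be From
    # security.example.edu but is authenticated only by humanities.example.edu.
    FROM = "security.example.edu"
    SPF = ("pass", "humanities.example.edu")
    DKIM = [("Humanities.Example.Edu", "pass")]   # d= compares case-insensitively
    relaxed = "v=DMARC1; p=reject"                # adkim/aspf default to r
    strict = "v=DMARC1; p=reject; adkim=s; aspf=s"
    print("relaxed:", dmarc_pass(FROM, relaxed, *SPF, DKIM))  # True: sideways alignment accepted
    print("strict: ", dmarc_pass(FROM, strict, *SPF, DKIM))   # False: only security.example.edu aligns
```

Note that the p= tag plays no part in the pass/fail decision; alignment mode decides whether the authenticated identifiers count, and p= only governs what the receiver does with a message that fails.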


On Thu, Nov 18, 2021 at 9:08 AM Todd Herr <todd.h...@valimail.com> wrote:

> On Thu, Nov 18, 2021 at 8:11 AM Douglas Foster <
> dougfoster.emailstanda...@gmail.com> wrote:
>
>>
>> Do we want to provide a sub-tree alignment option?
>>
>> Suppose that “security.example.edu” does not want any other part of
>> “example.edu” to be sending emails on their behalf, so they want to limit
>> alignment to their sub-tree only.   This approach becomes feasible if (a)
>> we use tree walk and (b) we implement a clause which indicates “top of tree
>> for alignment purposes”.    I suspect that this would have some appeal to
>> parts of some universities and other complex organizations, but again we
>> would need those organizations to affirm that it would be useful.
>>
>>
>>
> It seems to me that DMARC already provides the ability for
> security.example.edu to ensure that no other part of example.edu can send
> mail on their behalf. To accomplish this, security.example.edu can today:
>
>    - Publish an SPF record listing only hosts under its direct control, a
>    record which ends with "-all"
>    - Ensure that only hosts under its control can DKIM sign messages
>    using "security.example.edu" as the signing domain, by making sure
>    that its private DKIM signing key is only deployed to hosts under its
>    control
>    - Publish a DMARC policy record that includes the following three tags
>    and values:
>       - p=reject
>       - adkim=s
>       - aspf=s
>
>
> --
>
> *Todd Herr * | Technical Director, Standards and Ecosystem
> *e:* todd.h...@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
