Hi,

this paragraph is fine:

   To illustrate, in relaxed mode, if a verified DKIM signature
   successfully verifies with a "d=" domain of "example.com", and the
   RFC5322.From address is "ale...@news.example.com", the DKIM "d="
   domain and the RFC5322.From domain are considered to be "in
   alignment", because both domains have the same Organizational Domain
   of "example.com".  In strict mode, this test would fail because the
   d= domain does not exactly match the RFC5322.From domain.

However, the following one is deceiving:

   However, a DKIM signature bearing a value of "d=com" would never
   allow an "in alignment" result, as "com" should be identified as a
   PSD and therefore cannot be an Organizational Domain.

Should a PSL-free implementation walk the tree of the d= domain to determine the organizational domain of the signature? That's not necessary. I'd point out something like so:

   Note that, since the signature was verified and the public key retrieved,
   it is sufficient to verify that the signing domain is either the
   Organizational Domain or a subdomain of it.


Best
Ale
--

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
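An added example, not code from the message above or from any DMARC implementation, that carries out the check the message proposes in Python: once the Organizational Domain of the RFC5322.From domain is known (assumed here to come from the DMARC tree walk or a PSL, outside this snippet), the DKIM d= domain is aligned in relaxed mode when it is that Organizational Domain or a subdomain of it, and in strict mode only when it equals the From domain. Domain names are constructed from the quoted draft text; the comparison is label-wise so that a domain such as "notexample.com" is not mistaken for a subdomain of "example.com".

```python
# Added example: DMARC DKIM identifier alignment, PSL-free for the d= side.
# Assumption: the Organizational Domain of the RFC5322.From domain has
# already been determined (tree walk or PSL) and is passed in.

def _labels(domain: str) -> list[str]:
    """Normalize a domain: lower-case, drop a trailing dot, split into labels."""
    return domain.strip().lower().rstrip(".").split(".")

def is_same_or_subdomain(candidate: str, parent: str) -> bool:
    """True if candidate equals parent or ends with parent's labels.

    Label-wise, so "notexample.com" is NOT a subdomain of "example.com".
    """
    c, p = _labels(candidate), _labels(parent)
    return len(c) >= len(p) and c[-len(p):] == p

def dkim_aligned(d_domain: str, from_domain: str,
                 from_org_domain: str, mode: str = "r") -> bool:
    """Return True if the DKIM d= domain is aligned with the From domain.

    mode "s" (strict):  d= must exactly match the RFC5322.From domain.
    mode "r" (relaxed): d= must be the Organizational Domain of the From
                        domain or a subdomain of it; because the signature
                        verified and its key was retrieved, no second
                        Organizational Domain lookup is done for d=.
    """
    # Sanity check on the caller-supplied Organizational Domain.
    if not is_same_or_subdomain(from_domain, from_org_domain):
        raise ValueError("Organizational Domain does not cover the From domain")
    if mode == "s":
        return _labels(d_domain) == _labels(from_domain)
    if mode == "r":
        return is_same_or_subdomain(d_domain, from_org_domain)
    raise ValueError(f"unknown alignment mode {mode!r}")

if __name__ == "__main__":
    # Constructed cases mirroring the quoted draft text.
    print(dkim_aligned("example.com", "news.example.com", "example.com", "r"))  # True
    print(dkim_aligned("example.com", "news.example.com", "example.com", "s"))  # False
    print(dkim_aligned("com", "news.example.com", "example.com", "r"))          # False
```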