I think this refinement of the concept will work better:

1) Check to see if the From domain participates in DMARC

Starting with the FROM domain, perform the previously specified tree walk (start with the exact-match FROM domain, jumping to level 5 if necessary, then continuing to walk up the tree.)

-- If no policy is found, the domain does not participate in DMARC and processing terminates. The DMARC result is "NO POLICY".
-- If a policy is found with PSD=y, the domain does not participate in DMARC but may need to be tested for non-existence. If the policy also specifies NP=reject, query the next-lower domain name for a resource record. If the DNS query result is NXDOMAIN, processing stops and the DMARC policy is also "NXDOMAIN". (I recommend using NXDOMAIN as a separate result code from REJECT, as it seems to be a stronger repudiation.)
-- If a policy is found without PSD=y, this is the policy that will be used. This policy domain will be used for alignment tests, since it may be shorter than the From domain.

2) If the domain participates in DMARC, check for alignment of an SMTP domain or DKIM domain

Find the longest subdomain that is shared between the policy domain and the domain being tested. If the result is the policy domain, the names are in alignment. If the result is shorter than the policy domain, start at that point and walk up the tree until a DMARC policy is found. If a policy is found, the names are in alignment. Once the match occurs higher than the policy domain, the policy values are ignored, because the policy domain is always used. If no policy is found, the names are not in alignment. Proceed to the next name to be tested until a match is found or all candidate names have failed.

Design goals satisfied:
- no PSL
- no dependence on PSD=y
- support for PSD=y when it exists
- evaluators cannot use DMARC authentication unless a DMARC policy actually exists.

Doug Foster

On Thu, Jan 20, 2022 at 8:00 AM Alessandro Vesely <ves...@tana.it> wrote:
> On Wed 19/Jan/2022 19:38:15 +0100 John Levine wrote:
> > What I always intended with the tree walk is that you walk up the tree and if you find
> > a DMARC record that isn't a PSD, that's your org domain. To see if two names are in relaxed
> > alignment, do a tree walk for both and if they end at the same place, they're aligned. As
> > a special case albeit a very common one, if one name is a descendant of the other, and there
> > are no DMARC records in between, they're aligned.
>
> Why would a DMARC record in between invalidate the alignment?
>
> DKIM-Signature: d=a.b.example.com [...]
> From: j...@c.example.com
>
> _dmarc.example.com IN TXT "v=DMARC1; p=reject;"
> _dmarc.b.example.com. IN TXT "v=DMARC1; p=none; inbetween=y"
>
> Is that aligned?
>
> Best
> Ale
> --
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
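The two steps proposed in the message above (policy discovery by tree walk, then relaxed alignment against the policy domain), as an added Python simulation that is not part of the thread or any WG draft. It runs against a constructed in-memory DNS; "level 5" is read as the five-label suffix, and PSD=y records are assumed not to establish alignment in step 2. Ale's example (policy records at example.com and b.example.com, From c.example.com, DKIM a.b.example.com) comes out aligned under this scheme.

```python
# Added example, not WG code: the policy discovery and alignment steps proposed
# above, run against a constructed in-memory DNS. "Level 5" is read as the
# five-label suffix; PSD=y records are assumed not to establish alignment.
DMARC_RECORDS = {  # constructed _dmarc TXT records, parsed into tag dicts
    "example.com": {"v": "DMARC1", "p": "reject"},
    "b.example.com": {"v": "DMARC1", "p": "none"},
    "tld": {"v": "DMARC1", "p": "reject", "psd": "y", "np": "reject"},
}
EXISTING = {"example.com", "b.example.com", "tld", "exists.tld"}  # constructed

def labels(domain):
    return domain.lower().strip(".").split(".")
def candidates(domain):
    # Step 1 walk: exact match, jump to the 5-label suffix if longer, then up.
    parts = labels(domain)
    names = [".".join(parts)]
    if len(parts) > 5:
        parts = parts[-5:]
        names.append(".".join(parts))
    while len(parts) > 1:
        parts = parts[1:]
        names.append(".".join(parts))
    return names

def next_lower(domain, psd):
    # The name immediately below the PSD within `domain`, or None.
    parts, depth = labels(domain), len(labels(psd))
    return ".".join(parts[-(depth + 1):]) if len(parts) > depth else None
def find_policy(domain):
    """Returns (result, policy_domain); result is POLICY, NXDOMAIN or NO POLICY."""
    for name in candidates(domain):
        rec = DMARC_RECORDS.get(name)
        if rec is None:
            continue
        if rec.get("psd") != "y":
            return "POLICY", name  # first non-PSD record is the policy domain
        child = next_lower(domain, name)  # PSD: only the np non-existence test
        if rec.get("np") == "reject" and child and child not in EXISTING:
            return "NXDOMAIN", name
        return "NO POLICY", None
    return "NO POLICY", None

def aligned(policy_domain, tested):
    """Step 2: longest shared suffix, then walk up from it looking for a policy."""
    p, t, shared = labels(policy_domain), labels(tested), []
    while p and t and p[-1] == t[-1]:
        shared.insert(0, p.pop()); t.pop()
    if shared == labels(policy_domain):
        return True
    for i in range(len(shared)):  # shared suffix is above the policy domain
        rec = DMARC_RECORDS.get(".".join(shared[i:]))
        if rec and rec.get("psd") != "y":
            return True
    return False
```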