Using RFC 7489 rules, an SP policy can only be applied at the organization level, and an SP clause on any sub-organization policy will be bypassed and ignored.
We have been describing the tree walk on the assumption that the SP policy will be applied based on the first policy found as the walk proceeds. If the first policy found is an intermediate policy, the policy instruction may be different than if the walk proceeded to the organization policy. Is this acceptable, or does it force us to use DMARCv2?

I believe that using SP on intermediate policies will provide desirable flexibility for domain owners, while also minimizing DNS query effort by evaluators. It also provides domain owners with the ability to implement a phased rollout of sp=reject. So I think a change is desirable, even if problematic.

Option 1

The tree walk could duplicate RFC 7489 by specifying that the walk continues until a PSD policy is found or the TLD is reached. Then the last policy found before the termination point is the organizational policy, and that record's SP policy is used. (Of course, the PSD policy applies if no prior policy has been found.)

Option 2

A partial mitigation is possible if we assume that SP is not currently specified on subdomain policies, since it is supposed to be ignored. (I make no representation that this assumption is universally true.) Then we specify that an intermediate policy is only used if it has an explicit SP clause. When the SP term is absent, the search continues up the tree until an SP clause is found or the termination point is reached. At termination, the last P policy can be applied as an SP policy.

Option 3

The tree walk stops at the first policy found, whether or not it contains an SP policy. The P policy is used for SP if the SP clause is not present.
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
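The three options above, run side by side over a constructed record set, as an added example that is not part of the post or of any DMARC draft: the domain names and records are invented, and the one-label-at-a-time walk up to the TLD and the handling of a PSD record when nothing below it exists are my assumptions.

```python
from typing import Dict, List, Optional

# Constructed TXT records, keyed by the _dmarc name an evaluator would query.
RECORDS: Dict[str, str] = {
    "_dmarc.psd.test": "v=DMARC1; psd=y; p=reject",                   # PSD record
    "_dmarc.example.psd.test": "v=DMARC1; p=reject; sp=quarantine",   # organizational policy
    "_dmarc.sub.example.psd.test": "v=DMARC1; p=none",                # intermediate, no sp
    "_dmarc.other.example.psd.test": "v=DMARC1; p=none; sp=reject",   # intermediate with sp
}

def parse(txt: str) -> Dict[str, str]:
    """Split 'tag=value;' pairs into a dict with lower-cased tag names."""
    pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lookup(name: str) -> Optional[Dict[str, str]]:
    txt = RECORDS.get(f"_dmarc.{name}")
    return parse(txt) if txt else None

def applicable_policy(domain: str, option: int) -> Optional[str]:
    """Policy for mail whose From: domain is `domain`, under option 1, 2 or 3."""
    own = lookup(domain)
    if own:                            # a record at the domain itself: its p applies directly
        return own["p"]
    labels = domain.split(".")
    found: List[Dict[str, str]] = []   # non-PSD policies seen, nearest first
    psd: Optional[Dict[str, str]] = None
    for i in range(1, len(labels)):    # one label at a time, up to the TLD (assumption)
        rec = lookup(".".join(labels[i:]))
        if rec is None:
            continue
        if rec.get("psd") == "y":      # termination point: PSD reached
            psd = rec
            break
        found.append(rec)
        if option == 3:                # first policy found wins, sp falling back to p
            return rec.get("sp", rec["p"])
        if option == 2 and "sp" in rec:  # intermediate used only with an explicit sp
            return rec["sp"]
    if found:                          # last policy before termination = organizational
        org = found[-1]
        return org.get("sp", org["p"])
    # Nothing below the termination point: the PSD policy applies (assumption: its sp
    # if present, else its p); None when the walk reached the TLD with no record at all.
    return psd.get("sp", psd["p"]) if psd else None

def compare(domain: str) -> Dict[int, Optional[str]]:
    return {opt: applicable_policy(domain, opt) for opt in (1, 2, 3)}
```

`compare("mail.sub.example.psd.test")` shows the divergence the post worries about: options 1 and 2 reach the organizational sp=quarantine, while option 3 stops at the intermediate p=none.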