When I have implemented RFCs in the past, I have found the examples to be 
critical to making sure I understand the RFC correctly.  Generally, among my 
first goals is to ensure I can replicate the examples.  There has been enough 
back and forth on the list about how the tree walk does/does not work (with 
examples) that I think we should have specific examples for this.

I think that it would best fit in B.3. Mail Receiver Example as a new B.3.2.  
Here's an initial shot at it:

B.3.2 Organizational and Policy Domain Examples

B.3.2.1 Simple Organizational and Policy Example

A mail receiver receives an email with 5322.From domain = example.com, 
5322.MailFrom domain = example.com, and a DKIM signature with d = 
signing.example.com.  _dmarc.example.com and _dmarc.signing.example.com both 
have DMARC records (_dmarc.com does not).  If SPF or DKIM yield pass results, 
they still have to be aligned to support a DMARC pass.  Since not all domains 
are the same, if the alignment is relaxed then the tree walk is performed to 
determine the organizational domain for each:

5322.From: query _dmarc.example.com and _dmarc.com; example.com is the last 
element of the DNS tree with a DMARC record, so it is the organizational 
domain for example.com.

5322.MailFrom: Already determined organizational domain for example.com is 
example.com.  SPF is aligned.

DKIM d= domain: query _dmarc.signing.example.com, _dmarc.example.com, and 
_dmarc.com.  Both signing.example.com and example.com have DMARC records, but 
example.com is the highest element in the tree with a DMARC record, so 
example.com is the organizational domain.  Since this is also the 
organizational domain for 5322.From, DKIM is aligned for relaxed alignment.

Since both SPF and DKIM are aligned, they can be used to determine if the 
message has a DMARC pass result.  If the result is not pass, then the policy 
domain's DMARC record is used to determine the appropriate policy.  In this 
case, since the 5322.From domain has a DMARC record, that is the policy 
domain.

B.3.2.2 Deep Tree Walk Example

A mail receiver receives an email with 5322.From domain = 
a.b.c.d.e.f.g.h.i.j.k.example.com, 5322.MailFrom domain = example.com, and a 
DKIM signature with d = signing.example.com.  _dmarc.example.com and 
_dmarc.signing.example.com both have DMARC records (_dmarc.com does not).  If 
SPF or DKIM yield pass results, they still have to be aligned to support a 
DMARC pass.  Since not all domains are the same, if the alignment is relaxed 
then the tree walk is performed to determine the organizational domain for 
each:

5322.From: query _dmarc.a.b.c.d.e.f.g.h.i.j.k.example.com, skip to 
_dmarc.j.k.example.com, then query _dmarc.k.example.com, _dmarc.example.com, 
and _dmarc.com.  None of a.b.c.d.e.f.g.h.i.j.k.example.com, j.k.example.com, 
or k.example.com have a DMARC record.  example.com is the last element of the 
DNS tree with a DMARC record, so it is the organizational domain for 
example.com.

5322.MailFrom: Already determined organizational domain for example.com is 
example.com.  SPF is aligned.

DKIM d= domain: query _dmarc.signing.example.com, _dmarc.example.com, and 
_dmarc.com.  Both signing.example.com and example.com have DMARC records, but 
example.com is the highest element in the tree with a DMARC record, so 
example.com is the organizational domain.  Since this is also the 
organizational domain for 5322.From, DKIM is aligned for relaxed alignment.

Since both SPF and DKIM are aligned, they can be used to determine if the 
message has a DMARC pass result.  If the result is not pass, then the policy 
domain's DMARC record is used to determine the appropriate policy.  In this 
case, the 5322.From domain does not have a DMARC record, so the policy domain 
is the highest element in the DNS tree with a DMARC record, example.com.

B.3.2.3 PSD Example

A mail receiver receives an email with 5322.From domain = notyourbank.example, 
5322.MailFrom domain = notyourbank.example, and a DKIM signature with d = 
notyourbank.example.  _dmarc.notyourbank.example does not have a DMARC record, 
and _dmarc.example has a DMARC record which includes the psd=y tag/value.  
Since all three domains are the same, they are aligned (strict or relaxed).

Since both SPF and DKIM are aligned, they can be used to determine if the 
message has a DMARC pass result.  If the result is not pass, then the policy 
domain's DMARC record is used to determine the appropriate policy.  In this 
case, the 5322.From domain does not have a DMARC record, so the policy domain 
is the highest element in the DNS tree with a DMARC record, example.

Because the _dmarc.example record has psd=y it is only used for determining 
the policy domain, not for organizational domain determination.

How's that?

Scott K
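The three B.3.2 scenarios above, worked through in code. This is an added illustration, not text or code from the draft or the list; DNS is replaced by a constructed in-memory table, the 5-query limit (which is what makes the 13-label name skip straight to j.k.example.com) and the fallback when no record at all is found are assumptions.

```python
from typing import Optional

# Constructed in-memory stand-in for DNS: name -> DMARC TXT record (assumption).
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.signing.example.com": "v=DMARC1; p=none",
    "_dmarc.example": "v=DMARC1; p=reject; psd=y",
}

# Assumption: the walk issues at most 5 queries, which is what makes the
# 13-label example jump from the full name straight to j.k.example.com.
MAX_QUERIES = 5

def walk_candidates(domain: str) -> list[str]:
    """Names queried in order: the full domain, then each ancestor; long names skip."""
    labels = domain.split(".")
    if len(labels) <= MAX_QUERIES:
        return [".".join(labels[i:]) for i in range(len(labels))]
    skip_to = len(labels) - (MAX_QUERIES - 1)  # leave room for the remaining ancestors
    return [domain] + [".".join(labels[i:]) for i in range(skip_to, len(labels))]

def tree_walk(domain: str, dns: dict) -> list[tuple[str, Optional[dict]]]:
    """(name, parsed tag dict or None) for every _dmarc.<name> that gets queried."""
    out = []
    for name in walk_candidates(domain):
        txt = dns.get("_dmarc." + name)
        tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv) if txt else None
        out.append((name, tags))
    return out

def organizational_domain(domain: str, dns: dict) -> str:
    """Record-bearing name closest to the root; psd=y records are ignored here."""
    found = [n for n, rec in tree_walk(domain, dns) if rec and rec.get("psd") != "y"]
    return found[-1] if found else domain  # assumption: no record anywhere -> the domain itself

def policy_domain(from_domain: str, dns: dict) -> Optional[str]:
    """5322.From domain if it has a record, else the highest record-bearing name (psd=y counts)."""
    walk = tree_walk(from_domain, dns)
    if walk[0][1]:
        return from_domain
    found = [n for n, rec in walk if rec]
    return found[-1] if found else None

def aligned(from_domain: str, other: str, dns: dict, relaxed: bool = True) -> bool:
    """Identical domains always align; relaxed mode compares organizational domains."""
    if from_domain == other:
        return True
    return relaxed and organizational_domain(from_domain, dns) == organizational_domain(other, dns)
```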


_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc