On Thu 28/Jul/2022 13:23:45 +0200 Scott Kitterman wrote:
On Wednesday, July 27, 2022 4:05:27 AM EDT Alessandro Vesely wrote:
On Mon 25/Jul/2022 17:15:34 +0200 Scott Kitterman wrote:
On Monday, July 25, 2022 9:59:02 AM EDT Alessandro Vesely wrote:
...
Here's what's currently in Git between the shortcuts and the numbered
steps
(it's in Markdown, vice final RFC text, but I think it's clear enough):
To discover the Organizational Domain for a domain, perform the DNS Tree
Walk described in (#dns-tree-walk) as needed for any of the domains in
question.
What are the "domains in question"?
For each Tree Walk that retrieved valid DMARC records, select the
Organizational Domain from the domains for which valid DMARC records were
retrieved from the longest to the shortest:
If we change this to:
To discover the Organizational Domain for these domains, perform the DNS
Tree Walk described in (#dns-tree-walk) as needed for the domains in
question. For each Tree Walk that retrieved valid DMARC records, select
the Organizational Domain from the domains for which valid DMARC records
were retrieved from the longest to the shortest:
Does that resolve your concern? I changed "for a domain" to "for these
domains" to address your concern about relaxing requirements. I think
you're wrong and it makes absolutely no difference, but if you think it's
better, I believe it would do. I do think the two sentences would better
be in one paragraph as they are not really separate ideas.
How about moving the reference to the Tree Walk right to the first
sentence at the beginning of the section, for example like so:
For Organizational Domain discovery, in general it is necessary to
perform two DNS Tree Walks (#dns-tree-walk) in order to determine
if any two domains are in alignment. Noteworthy exceptions are
described in (#shortcuts). A DNS Tree Walk to discover an
Organizational Domain can start only at one of the following
locations:
* The domain in the RFC5322.From header of the message.
* The RFC5321.MailFrom domain if there is an SPF pass result for
the message.
* Any DKIM d= domain if there is a DKIM pass result for the
message for that domain.
For each Tree Walk that retrieved valid DMARC records, select the
Organizational Domain from the domains for which valid DMARC
records were retrieved from the longest to the shortest:
1 ...
Let's focus on this part, as I think it's most important.
In general, I think that's reasonable, but I think it needs work yet. How
about this (and I'm fine with moving the note to the end):
For Organizational Domain discovery, it will be necessary to perform one or
more DNS Tree Walks (#dns-tree-walk) to determine if any two domains are in
alignment. This means that a DNS Tree Walk to discover an Organizational
Domain will start at one of the following locations:
We are trying to stuff two sentences in one. It is not clear if we're
discovering the org domain or establishing alignment.
* The domain in the RFC5322.From header of the message.
* The RFC5321.MailFrom domain if there is an SPF pass result for the
message.
* Any DKIM d= domain if there is a DKIM pass result for the message for
that domain.
To determine the Organizational Domain for any of these domains, perform the
DNS Tree Walk as needed for the selected domain.
Splitting the first sentence, this becomes one of its parts.
For each Tree Walk that
retrieved valid DMARC records, select the Organizational Domain from the
domains for which valid DMARC records were retrieved from the longest to the
shortest:
Could that be shortened? Each step requires a DMARC record, so the domains w/o
record don't play.
Here's another wording. I repeat the numbered steps but only change the
paragraph after them:
To discover the Organizational Domain of a domain, it is necessary to
analyze the DNS Tree Walk (#dns-tree-walk) which starts from it. That may
be necessary in order to establish alignment between two domains. This
means that the starting domain is one of the following:
* The domain in the RFC5322.From header of the message.
* The RFC5321.MailFrom domain if there is an SPF pass result for
the message.
* Any DKIM d= domain if there is a DKIM pass result for the
message for that domain.
For a Tree Walk that retrieved a valid DMARC record, select the
Organizational Domain from its domains, from the longest toward the
shortest:
1. If a valid DMARC record contains the psd= tag set to 'n' (psd=n),
this is the Organizational Domain and the selection process is
complete.
2. If a valid DMARC record, other than the one for the domain where
the tree walk started, contains the psd= tag set to 'y' (psd=y),
the Organizational Domain is the domain one label below this one
in the DNS hierarchy, and the selection process is complete.
3. Otherwise select the record for the domain with the fewest number
of labels. This is the Organizational Domain and the selection
process is complete.
If this process does not determine the Organizational Domain, then
the Organizational Domain is the starting domain.
The last paragraph is a puzzle. If a tree walk retrieved a DMARC record, then
there must exist a domain with a record with the fewest number of labels. It
is not needed any more. Let's replace it with:
For Tree Walks that retrieved no DMARC record, the Organizational Domain is
undefined. No alignment can be established in such cases.
Best
Ale
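The selection procedure quoted in the thread (numbered steps 1 to 3 applied to the records a single Tree Walk retrieved, longest domain first) as an added example; this is not code from the thread, the dmarc working group or the DMARCbis draft. The `DNS` map, every domain name and every record in it are constructed for the example. Two simplifications are assumptions: the walk queries `_dmarc.<name>` for the start domain and every ancestor down to the TLD, whereas the draft caps the number of lookups; and a walk that retrieved no record returns `None` (the "undefined" reading from the last paragraph of the message), while the quoted draft text instead falls back to the starting domain. The test cases also show the point made about the last paragraph: as soon as at least one record exists, step 3 always produces a result.

```python
"""Offline model of the DMARC Tree Walk and Organizational Domain selection.

Added example, not from the mailing-list thread or the DMARCbis draft.
"""

# Constructed "DNS": maps _dmarc.<domain> to the TXT record published there.
# All names and records here are invented for the example.
DNS = {
    "_dmarc.com": "v=DMARC1; p=none; psd=y",
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.example.net": "v=DMARC1; p=none; psd=n",
    "_dmarc.team.example.net": "v=DMARC1; p=reject",
    "_dmarc.sub.team.example.net": "v=DMARC1; p=none; psd=n",
}


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; return None unless it is a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags


def tree_walk(start, dns):
    """Query _dmarc.<name> for the start domain and each ancestor down to the TLD.

    Assumption: the draft limits how many levels are queried; this simplified
    walk checks every level. Returns [(domain, tags), ...] for the domains that
    published a valid DMARC record, in the order the walk visited them.
    """
    labels = start.lower().rstrip(".").split(".")
    found = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        txt = dns.get("_dmarc." + name)
        if txt is None:
            continue
        tags = parse_dmarc(txt)
        if tags is not None:
            found.append((name, tags))
    return found


def select_org_domain(start, records):
    """Apply the numbered steps to the records one Tree Walk retrieved.

    Records are examined from the longest domain to the shortest. Returns None
    when the walk retrieved no record at all (assumption: the 'undefined'
    reading; the draft text falls back to the starting domain instead).
    """
    start = start.lower().rstrip(".")
    if not records:
        return None
    ordered = sorted(records, key=lambda rec: rec[0].count("."), reverse=True)
    for domain, tags in ordered:
        psd = tags.get("psd", "").lower()
        if psd == "n":                       # step 1: psd=n is the Org Domain
            return domain
        if psd == "y" and domain != start:   # step 2: one label below psd=y
            # take the suffix of the starting domain that is one label longer
            below = domain.count(".") + 2
            return ".".join(start.split(".")[-below:])
    return ordered[-1][0]                    # step 3: fewest labels wins


def org_domain(domain, dns=DNS):
    """Tree Walk plus selection for a single starting domain."""
    return select_org_domain(domain, tree_walk(domain, dns))


def aligned(domain_a, domain_b, dns=DNS):
    """Relaxed alignment: both Organizational Domains are defined and equal."""
    org_a, org_b = org_domain(domain_a, dns), org_domain(domain_b, dns)
    return org_a is not None and org_a == org_b


if __name__ == "__main__":
    for name in ["mail.example.com", "example.com", "a.team.example.net",
                 "x.sub.team.example.net", "host.nowhere.invalid"]:
        print(name, "->", org_domain(name))
    print("aligned:", aligned("mail.example.com", "example.com"))
```

Walking `mail.example.com` finds records at `example.com` (no psd tag) and at `com` (psd=y); step 2 fires at `com` and picks `example.com`, one label below it along the path the walk came up. Walking `x.sub.team.example.net` stops at the first psd=n record seen from the longest end, `sub.team.example.net`, even though shorter records exist above it.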
--
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc