We are stopping at the bottom-most policy because we cannot know for certain whether the parent is part of the organization, or a private registrar. We are also inclined to assume that the difference does not matter, because RFC 7489 allows relaxed alignment to be more relaxed than complex organizations want. Therefore, for purposes of DMARCbis, the policy domain will be the organizational domain, and the alignment scope will be the subtree below the policy domain. When the policy domain is "dmas.virginia.gov", this means that "virginia.gov" can no longer sign to authenticate the message.

This could be symmetric or asymmetric. The one-sided tree walk would only look at the "From" domain. If the From domain is "virginia.gov" or a descendant of it that does not have a DMARC policy, then "virginia.gov" is the organizational domain. If we don't do a tree walk on "dmas.virginia.gov", then we conclude that it is in the same organization, so "dmas.virginia.gov" can sign for both "virginia.gov" and "scc.virginia.gov". The two-sided tree walk looks at both domains, sees that "dmas.virginia.gov" is in its own organization, and is therefore unable to sign for either "virginia.gov" or siblings like "scc.virginia.gov". The two-sided tree walk is the most logically consistent, but requires more effort at evaluation time. Either choice may break some existing usage. Both are still guessing strategies, so I still prefer some policy options to allow domain owners fine-grained control over the process.

Doug Foster

On Wed, Mar 1, 2023 at 10:08 AM Jesse Thompson <z...@fastmail.com> wrote:

> On 3/1/2023 6:12 AM, Douglas Foster wrote:
>
> A sub-issue to consider: Should we do a Tree Walk on the authenticating domain?
> For example, assume that "virginia.gov" and "dmas.virginia.gov" both have DMARC policies with relaxed alignment. Should "dmas.virginia.gov" be prohibited from authenticating "virginia.gov"?
> My gut says yes, but it adds some overhead to enforce that rule.
>
> My gut says that might break ESPs who are using subdomains for SPF relaxed alignment. Unless you are saying that it's safe for treewalk changes to break MAILFROM=bounces.dmas.virginia.gov rfc5322.From=virginia.gov, then maybe there is some data to suggest that it is rare.
>
> Dare I suggest that virginia.gov be able to define the subdomains to which SPF relaxed alignment should apply? As a domain owner, I might be inclined to reserve something like bounces.virginia.gov for all MAIL FROM sub-sub-domains that are used for delegating ESP traffic and manage it similar to DKIM selectors. aspf=s for any subdomains that aren't otherwise defined.
>
> In my experience talking to state governments (as well as reflecting back on my own time in state government), domain owners are seeing a lot of ESP usage sprawl among their sub-domains/agencies/departments and they are frustrated that they can't manage or govern it effectively. In this late stage of the game, they won't be able to publish aspf=s to keep agencies from delegating ESP usage of virginia.gov when the domain owner would otherwise not want them to.
>
> Jesse
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
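Added illustration, not part of Doug Foster's message, the quoted reply, or any DMARC draft: a small Python model of the "stop at the bottom-most policy" rule described in the message, evaluating the one-sided and two-sided tree walks side by side on the virginia.gov example. DMARC_RECORDS is a constructed stand-in for the _dmarc TXT lookups (the records for virginia.gov, dmas.virginia.gov and example.org are made up), the TLD is never treated as a candidate policy domain (a simplification; PSD handling is left out), and tree_walk(), in_scope(), aligned() and compare() are names chosen for this example.

```python
# Added example: toy model of the tree-walk alignment rule discussed above.
# DMARC_RECORDS is a constructed stand-in for DNS TXT lookups of _dmarc.<name>;
# every name and record in it is made up for this illustration.

DMARC_RECORDS = {
    "virginia.gov":      "v=DMARC1; p=reject; aspf=r; adkim=r",
    "dmas.virginia.gov": "v=DMARC1; p=quarantine; aspf=r; adkim=r",
    "example.org":       "v=DMARC1; p=none; aspf=s; adkim=s",
}


def _norm(domain):
    """Lower-case and drop a trailing dot so comparisons are canonical."""
    return domain.lower().rstrip(".")


def parse_tags(record):
    """Split 'k=v; k=v' into a dict with lower-cased keys and values."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def tree_walk(domain):
    """Walk from `domain` toward the root and return the first (lowest) name
    that publishes a DMARC record: the policy domain under the "bottom-most
    policy" rule.  Returns None if neither the domain nor any ancestor does.
    The bare TLD is skipped (simplification: no PSD records in this model)."""
    labels = _norm(domain).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DMARC_RECORDS:
            return candidate
    return None


def in_scope(domain, policy_domain):
    """Alignment scope = the policy domain itself plus the subtree below it."""
    d, p = _norm(domain), _norm(policy_domain)
    return d == p or d.endswith("." + p)


def aligned(from_domain, auth_domain, two_sided=False, tag="aspf"):
    """Is `auth_domain` (SPF MAIL FROM domain for tag='aspf', DKIM d= domain
    for tag='adkim') aligned with the RFC5322.From domain?

    Returns None when the From domain has no DMARC policy in its tree.
    two_sided=False: only the From domain is walked; the authenticating domain
    merely has to sit inside the resulting policy domain's subtree.
    two_sided=True: the authenticating domain is walked too, and both walks
    must land on the same policy domain."""
    policy = tree_walk(from_domain)
    if policy is None:
        return None
    mode = parse_tags(DMARC_RECORDS[policy]).get(tag, "r")
    if mode == "s":                      # strict alignment: exact match only
        return _norm(from_domain) == _norm(auth_domain)
    if two_sided:
        return tree_walk(auth_domain) == policy
    return in_scope(auth_domain, policy)


def compare(from_domain, auth_domain):
    """Return the (one_sided, two_sided) verdicts for one From/auth pair."""
    return (aligned(from_domain, auth_domain),
            aligned(from_domain, auth_domain, two_sided=True))


if __name__ == "__main__":
    cases = [
        ("virginia.gov", "dmas.virginia.gov"),          # child signing for parent
        ("scc.virginia.gov", "dmas.virginia.gov"),      # child signing for sibling
        ("dmas.virginia.gov", "virginia.gov"),          # parent signing for child with own policy
        ("virginia.gov", "bounces.dmas.virginia.gov"),  # the ESP case from the quoted reply
        ("virginia.gov", "bounces.virginia.gov"),       # ESP subdomain directly under the policy
    ]
    for frm, auth in cases:
        one, two = compare(frm, auth)
        print(f"From={frm:<20} auth={auth:<28} one-sided={one!s:<5} two-sided={two}")
```

Running it prints one verdict pair per case. The first two cases pass under the one-sided walk and fail under the two-sided one, the third fails under both (the From domain's own policy narrows the scope to its subtree), and the fourth, the bounces.dmas.virginia.gov MAIL FROM that the quoted reply worries about, survives only the one-sided walk. The example.org record shows that aspf=s short-circuits the whole question: strict alignment never consults the tree.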