Re: [mailop] booking.com dmarc

2019-06-04 Thread Carl Byington via mailop

On Mon, 2019-06-03 at 16:10 -0700, Alan Hodgson via mailop wrote:
> You can sign with a sub-domain or parent domain as long as they share
> the same organizational domain.

My understanding was incorrect. Page 10 of RFC7489 says "In relaxed
mode, the Organizational Domains of both ... must be equal", so

from=a...@sub.sub.example.com can be signed by example.com, or any
subdomain thereof including joe.example.com.

from=a...@example.com can also be signed by example.com, or any subdomain
thereof including joe.example.com.

Thank you for the correction.





___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
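
The relaxed-mode rule quoted from RFC 7489 in this thread, worked through as an added example (not part of either message): DKIM alignment compares the Organizational Domains of the From: domain and the signature's d= domain. `PUBLIC_SUFFIXES` is a constructed, tiny stand-in for the Public Suffix List, and the function names are hypothetical.

```python
# Constructed stand-in for the Public Suffix List (assumption); a real
# evaluator must load the full list published at publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Longest matching public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    # i grows, so candidate suffixes are tried from longest to shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{domain!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    # No rule matched: PSL default rule "*" treats the last label as the suffix.
    return ".".join(labels[-2:])


def dkim_aligned(from_domain: str, d_domain: str, adkim: str = "r") -> bool:
    """DKIM identifier alignment between From: domain and d= (section 3.1.1)."""
    f = from_domain.lower().rstrip(".")
    d = d_domain.lower().rstrip(".")
    if adkim == "s":   # strict: the two domains must match exactly
        return f == d
    if adkim == "r":   # relaxed: only the Organizational Domains must match
        return organizational_domain(f) == organizational_domain(d)
    raise ValueError("adkim must be 'r' or 's'")


# (From: domain, DKIM d= domain) pairs discussed in the thread, plus one
# constructed negative case at the end.
CASES = [
    ("booking.com", "sg.booking.com"),
    ("sub.sub.example.com", "example.com"),
    ("sub.sub.example.com", "joe.example.com"),
    ("example.com", "joe.example.com"),
    ("example.com", "example.org"),
]


def evaluate(cases=CASES):
    """Return (from, d, relaxed_result, strict_result) for each pair."""
    return [(f, d, dkim_aligned(f, d, "r"), dkim_aligned(f, d, "s"))
            for f, d in cases]


if __name__ == "__main__":
    for f, d, relaxed, strict in evaluate():
        print(f"From={f:<22} d={d:<18} relaxed={relaxed} strict={strict}")
```

Alignment is only half of a DKIM pass for DMARC: the signature itself must also verify.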


Re: [mailop] booking.com dmarc

2019-06-03 Thread Alan Hodgson via mailop
On Mon, 2019-06-03 at 15:38 -0700, Carl Byington via mailop wrote:
> We can (manually) compensate for errors in dmarc records. For
> example, booking.com has a p=reject, but we see mail "From:
> .*@booking.com" dkim signed by sg.booking.com. Strict dmarc would
> reject that. We enforce a requirement that mail from booking.com be
> signed by either booking.com or sg.booking.com. There are other
> domains with similar errors.

Unless I misunderstand something, I'm quite sure this is allowed by
DMARC in relaxed mode (which booking.com uses, as it is the default).
You can sign with a sub-domain or parent domain as long as they share
the same organizational domain.