When using RFC 7489 and the PSL to jump to an organizational domain, no verification is possible, but the assumption is that the PSL is free of malice, so verification is not essential.
However, when using an “orgname=FQDN” token to jump up the DNS tree, malice is possible, so verification is mandatory, not merely desirable. The target domain must be validated as an organizational domain, and the intervening path must be validated as free of organization boundaries. The initial verification requires the presence of an “orgname” token that points to the current domain, and the absence of any token that indicates that the domain is a PSD or a private registration point.

To rule out an intermediary boundary, I propose the “orgbelow” token, to indicate whether organization boundaries may exist below the organization domain. My first thought was “orgbelow=number”, where a positive integer says that there MAY be an organization boundary starting at N segments below the organization domain, and a zero means that there are no boundaries below the organization domain. For example, if the policy has “orgbelow=3”, and the tree jump moved up only 2 levels, then the From domain is linked to the Organization domain without a tree walk. But this is probably too complicated for reliable usage, so “orgbelow=(true,false)” may be the better choice. Normal organizations will use “orgbelow=false”, while organizations that include private registries will use “orgbelow=true”. When “orgbelow=true”, the organization domain must be verified with the PSL or a tree walk, preferably both.

Error Handling

When a search uses the PSL, because no DMARCbis tokens are present, the entire process is based on RFC 7489 and the PSL. However, a search that proceeds on DMARCbis tokens must complete using DMARCbis tokens. This means that the target organizational domain must have a DMARC policy, and it must contain a self-referencing “orgname” token and an “orgbelow” token. If these tokens are not present, the result is PERMERROR, and it is best treated as equivalent to FAIL.
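An added illustration (my own code, not the poster's and not from any DMARCbis draft) of the verification rules the post lays out, run over a constructed set of already-parsed _dmarc records. Treating a self-referencing “orgname” as the boundary marker, checking a “psd=y” tag for the PSD case, and verifying “orgbelow=true” by tree walk alone (the post prefers PSL and tree walk together) are my assumptions.

```python
from typing import Dict, Optional

# Constructed sample data: _dmarc TXT records already parsed into tag maps.
RECORDS: Dict[str, Dict[str, str]] = {
    "example.com": {"p": "reject", "orgname": "example.com", "orgbelow": "false"},
    "mail.sub.example.com": {"p": "none", "orgname": "example.com"},
    "hosting.net": {"p": "none", "orgname": "hosting.net", "orgbelow": "true"},
    "cust.hosting.net": {"p": "reject", "orgname": "cust.hosting.net", "orgbelow": "false"},
    "www.cust.hosting.net": {"p": "none", "orgname": "hosting.net"},
    "legacy.example.org": {"p": "none", "orgname": "example.org"},  # example.org has no record
    "stray.example.com": {"p": "none", "orgname": "hosting.net"},   # points outside its own tree
}

def lookup(domain: str) -> Optional[Dict[str, str]]:
    return RECORDS.get(domain)

def is_boundary(domain: str) -> bool:
    """Assumed boundary marker: the domain's record names itself as orgname."""
    rec = lookup(domain)
    return rec is not None and rec.get("orgname") == domain

def verify_org_jump(from_domain: str) -> str:
    """Classify the From domain's link to the organizational domain it claims.
    PSL: no DMARCbis tokens, so evaluate under RFC 7489 and the PSL instead.
    PASS / FAIL: link verified / an intervening boundary was found.
    PERMERROR: the DMARCbis path could not be completed (treat as FAIL)."""
    rec = lookup(from_domain)
    if rec is None or "orgname" not in rec:
        return "PSL"
    target = rec["orgname"]
    if target != from_domain and not from_domain.endswith("." + target):
        return "PERMERROR"  # claimed org domain is not an ancestor of the From domain
    org = lookup(target)
    if org is None or org.get("orgname") != target or org.get("orgbelow") not in ("true", "false"):
        return "PERMERROR"  # target lacks the self-referencing orgname or orgbelow
    if org.get("psd") == "y":
        return "PERMERROR"  # assumed: the RFC 9091 psd tag marks a public suffix, not an org
    if org["orgbelow"] == "false":
        return "PASS"  # organization asserts there are no boundaries below it
    # orgbelow=true: tree walk every domain strictly between From domain and target
    labels = from_domain[: -len(target) - 1].split(".") if target != from_domain else []
    for i in range(1, len(labels)):
        if is_boundary(".".join(labels[i:]) + "." + target):
            return "FAIL"  # a private registration point sits between the two
    return "PASS"
```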
