On Wed, Mar 30, 2022 at 8:50 AM Brotman, Alex <Alex_Brotman=
[email protected]> wrote:

> From section 4.6:
>
> To illustrate, for a message with the arbitrary RFC5322.From domain
>    of "a.b.c.d.e.mail.example.com", a full DNS Tree Walk would require
>    the following five queries, in order to locate the policy or
>    Organizational Domain:
>
>    *  _dmarc.a.b.c.d.e.mail.example.com
>
>    *  _dmarc.e.mail.example.com
>
>    *  _dmarc.mail.example.com
>
>    *  _dmarc.example.com
>
>    *  _dmarc.com
>
>
> What should the evaluator do if one of these results in a CNAME that
> either:
>
>         a) points outside of the tree
>

I would say "Follow the CNAME" - consider LargeCo which points many DMARC
records of domains in their portfolio to a record in their main domain.
Or outsourced DMARC to a third party.

>         b) results in a loop pointing at a previously evaluated record
>

CNAME loops are usually detected in resolvers, but loops should return
no record found.

tim



>
> --
> Alex Brotman
> Sr. Engineer, Anti-Abuse & Messaging Policy
> Comcast
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
>
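
Added example, not part of the thread or of the draft text: the walk quoted above with the two answers from the reply applied (a CNAME is followed even when it leaves the tree; a CNAME loop counts as no record found). ZONE is constructed sample data standing in for DNS, the function names are hypothetical, the jump to the last four labels is inferred from the quoted list of queries, and continuing the walk after a loop is an assumption.

```python
# Constructed sample zone (not real DNS data): name -> (rtype, value)
ZONE = {
    "_dmarc.mail.example.com": ("CNAME", "_dmarc.policy.largeco.example"),
    "_dmarc.policy.largeco.example": ("TXT", "v=DMARC1; p=reject"),
    "_dmarc.loop1.example.net": ("CNAME", "_dmarc.loop2.example.net"),
    "_dmarc.loop2.example.net": ("CNAME", "_dmarc.loop1.example.net"),
    "_dmarc.example.net": ("TXT", "v=DMARC1; p=none"),
}


def tree_walk_names(domain, keep=4):
    """Query names in order: the full name, then the last `keep` labels walking up."""
    labels = domain.lower().rstrip(".").split(".")
    names = ["_dmarc." + ".".join(labels)]
    rest = labels[1:][-keep:]  # drop the leftmost label, then cap at `keep` labels
    while rest:
        names.append("_dmarc." + ".".join(rest))
        rest = rest[1:]
    return names


def lookup_txt(name, zone):
    """Follow CNAMEs (in or out of the tree); a loop yields None (no record found)."""
    seen = set()
    while name not in seen:
        seen.add(name)
        rtype, value = zone.get(name, (None, None))
        if rtype == "TXT":
            return value
        if rtype != "CNAME":
            return None  # no record at this name
        name = value.lower().rstrip(".")
    return None  # CNAME chain revisited a name: treat as no record found


def find_policy(domain, zone=ZONE):
    """Return (query name, TXT record) for the first DMARC record on the walk."""
    for qname in tree_walk_names(domain):
        txt = lookup_txt(qname, zone)
        if txt and txt.startswith("v=DMARC1"):
            return qname, txt
    return None
```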