On Saturday, June 25, 2022 8:42:31 PM EDT John R. Levine wrote:
> I made a pull request with a few tweaks to the tree walk so it will
> get the right answer even with psd tags at multiple levels.
>
> https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/pull/47
>
> One question is what do you do if the DMARC record for your original From:
> domain has psd=y. My text says you ignore it since if you're sending
> mail, you're not really a PSD.
I think this is correct, although I think it doesn't quite do that (and I think it's good the way it is). As I read it, let's say gov.example, where gov.example sends mail but has psd=y in its record (and example either has no record or it also has psd=y):

5322.From = gov.example
5321.MailFrom = gov.example
d= signing domain = gov.example

In this case, in trying to determine the organizational domain, we would look at Section 4.8, Organizational Domain Discovery, and the first item under the note regarding when a Tree Walk is required:

> * The RFC5322.From domain and the RFC5321.MailFrom domain (if SPF
>   authenticated), and/or the DKIM d= domain (if present and
>   authenticated) are all the same and that domain has a DMARC
>   record. In this case, this common domain is treated as the
>   Organizational Domain.

Since the domains are all the same, they all have the same organizational domain and align.

Even if this note wasn't present, you would still get the same result if you did the Tree Walk anyway. Looking to Section 4.6, DNS Tree Walk, you would do the query for _dmarc.gov.example in step 1 and get a result. With step 2, as modified by your pull request, the single record that was retrieved does not contain psd=n, so we continue and check DMARC for _dmarc.example and find either that it has a psd=y record, in which case the previous record is the org domain, or that it has no DMARC record, in which case the last record retrieved is the org domain. Either way, gov.example is the org domain for the message.

I think this is fine. I don't think there's an inherent reason why we shouldn't allow PSDs to send mail, and this is also the way RFC 9091 would parse it. What won't work for PSDs is to use a mix of the PSD domain and a subdomain in the different identities. In that case the identities using the subdomain would have one level below gov.example as their org domain, so they wouldn't align.
I think it's a reasonable constraint that a domain can either be a PSD or use subdomains, not both. My suggestion is we put your changes into the next revision and then move on to the next problem.

Scott K
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
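The tree walk discussed in this thread, as an added example that is not part of the message above nor the dmarcbis text or reference code: a simplified organizational-domain discovery that walks up the labels, ignores psd=y on the starting domain (a domain that sends mail is not acting as a PSD), treats psd=y found above the starting domain as marking the domain one level below it as the org domain, and stops at psd=n or at the last published record. The DNS table is constructed in memory; the record for `com` is hypothetical and exists only so the default case can be shown. The relaxed-alignment check at the end reproduces the point that gov.example and a subdomain of it end up with different org domains and so do not align.

```python
# Constructed DNS table for the example (not real records). Keys are the
# "_dmarc." names a verifier would query; values are DMARC TXT records.
DNS = {
    "_dmarc.gov.example": "v=DMARC1; p=reject; psd=y",   # a PSD that also sends mail
    "_dmarc.example": "v=DMARC1; p=none; psd=y",          # its parent, also a PSD
    "_dmarc.mail.example.com": "v=DMARC1; p=none",       # ordinary subdomain record
    "_dmarc.example.com": "v=DMARC1; p=reject; psd=n",   # explicitly the org domain
    "_dmarc.com": "v=DMARC1; p=none; psd=y",             # hypothetical PSD record
}


def parse_dmarc(record):
    """Split a DMARC record into a tag dict; keys are lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain, dns=DNS):
    """Simplified tree walk modeled on the thread's reading of dmarcbis.

    Walks from the domain itself toward the root, one label at a time:
      * psd=n on any record: that domain is the org domain.
      * psd=y on the starting domain: ignored (the sender is not acting as a PSD).
      * psd=y above the starting domain: the org domain is one level below it.
      * no record after some record was found: the last record's domain wins.
    """
    labels = domain.lower().strip(".").split(".")
    last_with_record = None
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        record = dns.get("_dmarc." + candidate)
        if record is None:
            if last_with_record is not None:
                # Walked past the last published record: that domain is the org domain.
                return last_with_record
            continue  # no record yet; keep walking up
        tags = parse_dmarc(record)
        psd = tags.get("psd", "").lower()
        if psd == "n":
            return candidate
        if psd == "y" and i > 0:
            # A public suffix above the starting point: org domain is one label below.
            return ".".join(labels[i - 1:])
        # Either no psd tag, or psd=y on the starting domain (ignored per the thread).
        last_with_record = candidate
    return last_with_record or domain


def aligned(identifier_a, identifier_b, dns=DNS):
    """Relaxed alignment: the two identifiers share an organizational domain."""
    return organizational_domain(identifier_a, dns) == organizational_domain(identifier_b, dns)


if __name__ == "__main__":
    for d in ("gov.example", "sub.gov.example", "mail.example.com", "foo.bar.com"):
        print(f"{d:20} -> org domain {organizational_domain(d)}")
    print("gov.example vs sub.gov.example aligned:", aligned("gov.example", "sub.gov.example"))
```

Running it shows gov.example resolving to itself as org domain whether or not `example` publishes psd=y, while sub.gov.example resolves to sub.gov.example, so a message mixing the two identifiers fails relaxed alignment, which is the constraint the thread lands on.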
