cisagov / ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
Creative Commons Zero v1.0 Universal
1.6k stars 217 forks

DMARC Edge Case Ignored #89

Open schrolla opened 1 year ago

schrolla commented 1 year ago

There is a quirk in the DMARC protocol which we left out of scope for the initial proof-of-concept code that should be handled at some point.

DMARC records can be stored either under the full domain name (e.g., test365.cisa.dhs.gov), or under the "organizational domain," which is basically the second-level domain plus the tld (e.g., dhs.gov). Our code currently handles everything I've described up to this point.

The edge case that we aren't handling is that technically there exist "tlds" that in fact consist of multiple labels, mostly because of country-code tlds, e.g., fed.us (see here for a list maintained by Mozilla). So if the domain we're trying to find the DMARC record for were subdomain.example.fed.us, we would need to check for the DMARC record under two places:

  1. subdomain.example.fed.us
  2. example.fed.us

Our code currently would check for:

  1. subdomain.example.fed.us
  2. fed.us

A description of the proper way to do this: https://datatracker.ietf.org/doc/html/rfc7489#section-3.2
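The RFC 7489 section 3.2 procedure described above, as an added example that is not ScubaGear's own code: the organizational domain is the longest matching public suffix plus one more label of the subject domain, and the DMARC policy record is queried first under the subject domain and then, only if nothing valid was found there, under the organizational domain (section 6.6.3). The public-suffix excerpt (`PSL_RULES`) and the TXT records in `FAKE_TXT` are constructed for the example so it runs offline with no DNS; a real implementation would load the full Public Suffix List and resolve the `_dmarc.` names over DNS. `naive_organizational_domain` and `naive_lookup_names` reproduce the second-level-plus-TLD behaviour the issue describes so the difference is visible on `subdomain.example.fed.us`.

```python
"""Organizational domain and DMARC record discovery per RFC 7489 s3.2 / s6.6.3.

Example code written for this issue, not part of ScubaGear. The suffix rules and
TXT records below are constructed so the example runs with no network access.
"""
from typing import Callable, List, Optional, Tuple

# Constructed excerpt of the Public Suffix List (publicsuffix.org). Rule syntax
# follows the PSL: plain rules, "*." wildcards, and "!" exception rules.
PSL_RULES = ["com", "gov", "us", "fed.us", "uk", "co.uk", "*.ck", "!www.ck"]

# Constructed TXT zone standing in for a DNS resolver. "_dmarc.fed.us" is here
# only to show that looking under the wrong name can return the wrong policy.
FAKE_TXT = {
    "_dmarc.example.fed.us": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.fed.us"],
    "_dmarc.fed.us": ["v=DMARC1; p=none"],
    "_dmarc.dhs.gov": ["v=DMARC1; p=reject"],
    "_dmarc.multi.example.com": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
}


def _labels(domain: str) -> List[str]:
    return domain.lower().rstrip(".").split(".")


def _rule_matches(rule: str, labels: List[str]) -> bool:
    """Right-align the rule's labels with the domain's; '*' matches any one label."""
    rule_labels = rule.lstrip("!").split(".")
    if len(rule_labels) > len(labels):
        return False
    return all(r == "*" or r == d for r, d in zip(reversed(rule_labels), reversed(labels)))


def public_suffix(domain: str, rules: List[str] = PSL_RULES) -> str:
    """Public suffix of domain per the PSL algorithm (exception rules win, else longest rule)."""
    labels = _labels(domain)
    matches = [r for r in rules if _rule_matches(r, labels)]
    if not matches:
        return labels[-1]  # PSL default rule "*": the rightmost label is public
    exceptions = [r for r in matches if r.startswith("!")]
    if exceptions:
        # An exception rule's suffix is the rule with its leftmost label dropped.
        rule = max(exceptions, key=lambda r: r.count("."))
        n = len(rule.lstrip("!").split(".")) - 1
    else:
        rule = max(matches, key=lambda r: r.count("."))
        n = len(rule.split("."))
    return ".".join(labels[-n:])


def organizational_domain(domain: str, rules: List[str] = PSL_RULES) -> str:
    """RFC 7489 s3.2: the x labels of the matched public suffix plus the (x+1)th label."""
    labels = _labels(domain)
    x = len(public_suffix(domain, rules).split("."))
    if len(labels) <= x:
        return ".".join(labels)  # the subject domain is itself a public suffix
    return ".".join(labels[-(x + 1):])


def naive_organizational_domain(domain: str) -> str:
    """The behaviour the issue describes: second-level label plus a single-label TLD."""
    return ".".join(_labels(domain)[-2:])


def dmarc_lookup_names(domain: str, rules: List[str] = PSL_RULES) -> List[str]:
    """Names to query in order: the subject domain, then the org domain if different."""
    subject = ".".join(_labels(domain))
    names = ["_dmarc." + subject]
    org = organizational_domain(subject, rules)
    if org != subject:
        names.append("_dmarc." + org)
    return names


def naive_lookup_names(domain: str) -> List[str]:
    subject = ".".join(_labels(domain))
    names = ["_dmarc." + subject]
    org = naive_organizational_domain(subject)
    if org != subject:
        names.append("_dmarc." + org)
    return names


def find_dmarc_record(
    domain: str,
    candidates: Callable[[str], List[str]] = dmarc_lookup_names,
    txt_lookup: Callable[[str], Optional[List[str]]] = FAKE_TXT.get,
) -> Optional[Tuple[str, str]]:
    """RFC 7489 s6.6.3 discovery: fall through to the org domain only when the subject
    domain has no v=DMARC1 record; more than one valid record at a name terminates discovery."""
    for name in candidates(domain):
        valid = [r for r in (txt_lookup(name) or []) if r.lower().startswith("v=dmarc1")]
        if len(valid) == 1:
            return name, valid[0]
        if len(valid) > 1:
            return None  # ambiguous: DMARC MUST NOT be applied
    return None


if __name__ == "__main__":
    for d in ["subdomain.example.fed.us", "test365.cisa.dhs.gov", "mail.example.co.uk", "www.ck"]:
        print(d, "->", organizational_domain(d), "| naive:", naive_organizational_domain(d))
    print("correct lookup:", find_dmarc_record("subdomain.example.fed.us"))
    print("naive lookup:  ", find_dmarc_record("subdomain.example.fed.us", naive_lookup_names))
```

With the constructed zone, the correct lookup for `subdomain.example.fed.us` lands on `_dmarc.example.fed.us` (p=reject), while the naive second-level lookup lands on `_dmarc.fed.us` (p=none), so the edge case can report a weaker policy than the tenant actually publishes rather than merely failing to find one.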

tkol2022 commented 9 months ago

Reviewed 12/14

@adhilto Please review and close if this is OBE. If not, please place size label on it.

Also, if this is some rare edge case, then we can change the priority to low.

adhilto commented 9 months ago

Not OBE, but yes, a rare edge case.