There is a quirk in the DMARC protocol that we left out of scope for the initial proof-of-concept code and that should be handled at some point.

DMARC records can be published either under the full domain name (e.g., test365.cisa.dhs.gov, i.e. the TXT record at _dmarc.test365.cisa.dhs.gov) or under the "organizational domain," which is roughly the second-level domain plus the TLD (e.g., dhs.gov). Our code currently handles everything described up to this point.

The edge case we aren't handling is that some "TLDs" in fact consist of multiple labels, mostly because of country-code TLDs; fed.us is one example (see the Public Suffix List maintained by Mozilla at https://publicsuffix.org/). The organizational domain is really the public suffix plus one more label, not simply the last two labels. So if the domain we're trying to find the DMARC record for were subdomain.example.fed.us, we would need to check for the DMARC record in two places: under the full domain (_dmarc.subdomain.example.fed.us) and under the organizational domain example.fed.us (_dmarc.example.fed.us). Our code currently would check _dmarc.subdomain.example.fed.us and then _dmarc.fed.us, because it takes the last two labels as the organizational domain, and fed.us is a public suffix rather than a domain anyone can register.
A description of the proper way to do this: https://datatracker.ietf.org/doc/html/rfc7489#section-3.2
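As an added example (not code from the original issue or from the project), the following implements organizational-domain discovery with the Public Suffix List matching rules (longest matching rule wins, exception rules take precedence, "*" matches one label, and "*" is the prevailing rule when nothing matches) and derives the DMARC lookup order described in RFC 7489 section 3.2. The naive last-two-labels approach that the issue describes is kept beside it so the difference is visible. PSL_RULES is a small constructed subset of the real list, embedded so the example runs offline; the function names are assumptions of this example.

```python
"""DMARC record-name discovery using the Public Suffix List (PSL) algorithm.

Added example, not project code. PSL_RULES is a constructed subset of the
real list at https://publicsuffix.org/list/ so the example runs offline.
"""

# Constructed subset of the PSL. Rules use the list's own syntax:
# plain suffix, "*" wildcard label, "!" exception to a wildcard rule.
PSL_RULES = [
    "com", "gov", "us", "fed.us", "uk", "co.uk",
    "*.ck",      # every label directly under .ck is a public suffix ...
    "!www.ck",   # ... except www.ck, which is registrable itself
]


def _labels(domain):
    """Normalise a domain to lower-case labels without a trailing dot."""
    return domain.lower().rstrip(".").split(".")


def _suffix_length(labels, rules=PSL_RULES):
    """Number of trailing labels that form the public suffix."""
    best = None  # ((is_exception, rule_label_count), rule_labels)
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        # Compare from the right; "*" matches any single label.
        if all(r == "*" or r == d
               for r, d in zip(reversed(rule_labels), reversed(labels))):
            key = (exception, len(rule_labels))
            if best is None or key > best[0]:
                best = (key, rule_labels)
    if best is None:
        return 1  # no rule matched: the prevailing rule is "*"
    (exception, count), _ = best
    # An exception rule's suffix is the rule with its leading label removed.
    return count - 1 if exception else count


def public_suffix(domain, rules=PSL_RULES):
    """Return the public suffix of `domain`, e.g. 'fed.us' or 'gov'."""
    labels = _labels(domain)
    return ".".join(labels[-_suffix_length(labels, rules):])


def organizational_domain(domain, rules=PSL_RULES):
    """Public suffix plus one label (RFC 7489 s3.2), or None if `domain`
    is itself a public suffix and so has no organizational domain."""
    labels = _labels(domain)
    n = _suffix_length(labels, rules)
    if len(labels) <= n:
        return None
    return ".".join(labels[-(n + 1):])


def dmarc_record_names(domain, rules=PSL_RULES):
    """TXT record names to query, in order: the full domain first, then the
    organizational domain if it differs (RFC 7489 s6.6.3 discovery order)."""
    names = ["_dmarc." + ".".join(_labels(domain))]
    org = organizational_domain(domain, rules)
    if org is not None and org != ".".join(_labels(domain)):
        names.append("_dmarc." + org)
    return names


def naive_dmarc_record_names(domain):
    """The last-two-labels shortcut the issue describes; wrong for multi-label
    public suffixes such as fed.us or co.uk."""
    labels = _labels(domain)
    names = ["_dmarc." + ".".join(labels)]
    if len(labels) > 2:
        names.append("_dmarc." + ".".join(labels[-2:]))
    return names


if __name__ == "__main__":
    for d in ["test365.cisa.dhs.gov", "subdomain.example.fed.us", "dhs.gov"]:
        print(d, "PSL:", dmarc_record_names(d), "naive:", naive_dmarc_record_names(d))
```

For subdomain.example.fed.us the PSL-based version yields _dmarc.subdomain.example.fed.us then _dmarc.example.fed.us, while the naive version stops at _dmarc.fed.us, which is the gap the issue describes. In a real deployment the rule list must come from a current copy of the PSL rather than an embedded subset, since the list changes over time.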