toddherr
commented
1 year ago As of https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-25.html the relevant sections appear to reflect the rough consensus of the working group.
Closed dougfoster-email closed 1 year ago
toddherr
commented
1 year ago As of https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-25.html the relevant sections appear to reflect the rough consensus of the working group.
I have not been able to accept that the current description of the evaluation process is either sufficiently complete or sufficiently clear to meet the needs of developers. Prior attempts to hint at the nature of the problem have been insufficient, so m;y rewrite is attached.
4.6. DMARC Policy Discovery
A set of verified identifiers is collected, to include the RFC5321.MailFrom domain if it produces SPF PASS, and the "d=" domain from any DKIM signature that is verified.
The DMARC policy to be applied to the message will be the record found at one of these three locations, in priority order:
The process for finding these three policy locations is described below, starting at. If no policy is found, DMARCbis does not apply to this message.
4.6.1 Policy query and validation.
At each step in the search process, the reserved subdomain "_dmarc." is appended to the current domain. A DNS query is performed for records with type=TXT.
Any records that do not start with a "v=" tag identifying the current version of DMARC are discarded.
If more than one record remains, all are discarded.
If the remaining record does not contain a valid "p" tag, but a "rua" tag is present and contains at least one syntactically valid reporting URI, the failure disposition policy is interpreted as "p=none". Otherwise the record is discarded.
If a retrieved policy record has an invalid "sp" or "np" tag, but a "rua" tag is present and contains at least one syntactically valid reporting URI, the policy is interpreted as "sp=none". Otherwise, the record is discarded.
4.6.2 Prioritized search for DMARC Policy
A policy search is used to determine the applicable DMARC policy, and where applicble, the organizational domain to be used for relaxed alignment. The policy search is a multi-step process which begins with the RFC532.From domain. If no policy record is found at the RFC5322.From domain, then processing proceeds to to search for an altenate policy record. If a policy is found, these steps are appled:
If the policy specifies PSD=Y, then strict alignment is used: aspf=s and adkim=s are applied even if the policy specifies relaxed alignment.
If any verfied identifier matches the RFC5322.From domain, the result is PASS and evaluation is complete. Otherwise:
If the policy indicates aspf=s (strict), then the SPF PASS identifier is excluded because the match is not exact.
If the policy indicates adkim=s (strict), then any DKIM PASS identifiers are excluded because the match is not exact.
If all verified identifiers have been excluded, the result is FAIL.
If the policy specifies PSD=N, then the current domain is the organizational domaion for relaxed alignment. The Tree Walk is not required, and the process proceeds to to evaluate relaxed alignment.
Otherwise, the tree walk is used to determine the organizational domain. The current domain is stored as the candidate Organizaational Domain.
4.6.3 Tree walk to find other policies and to determine the organizational domain.
If the RFC5322.From domain has five labels or less, the left-most label is removed to determine the inital Tree Walk domain. To prevent abuse of the Tree Walk algorithm, if the RFC5322.From domain has more than five labels, multiple labels are removed to use the four right-most labels of the RFC5322.From domain as the Tree Walk domain.
Once the current Tree Walk domain is selected, it is searched for a valid DMARC record, as described in. When a valid record is found:
If the policy contains a PSD=N term, the current Tree Walk domain is the organizational domain and the retrieved policy is the organizational domain policy. The Tree Walk ends and proceeds to message evaluation.
If the policy contains a PSD=Y termn, then the organizational domain is one label below the current Tree Walk domain. -- IF the RFC5322.From domain returned a valid policy, the RFC5322.From domain policy is used and processing proceeds to
-- If the organizaitonal domain returned a candiddate policy, then the organizational domain policy is used. Otherwise, the PSD policy is used. In either case, processing proceeds to .
If the current policy does not contain a PSD term, the policy and Tree Walk domain are storedd as candidates for the organzational domain and organizational domain policy, superceding any previous candidate, and the Tree Walk continues.
If the Tree Walk domain has at least two labels, the left most label is removed to become the new Tree Walk domain, and the search repeats.
If the Tree Walk domain is a single label, the Tree Walk is complete. The candidate organizational domain and policy are used as the actual organizaitonal domain and policy.
If no candidate domain and policy record have been found, DMARCbis does not apply because no DMARC policy has been found.
4.6.4 Equality check If the selected policy is form the organizational domain or PSD domain, then equality tests are performed:
If the policy specifies PSD=Y, then strict alignment is used: aspf=s and adkim=s are applied even if the policy specifies relaxed alignment.
If any verfied identifier matches the RFC5322.From domain, the result is PASS and evaluation is complete. Otherwise:
If the policy indicates aspf=s (strict), then the SPF PASS identifier is excluded because the match is not exact.
If the policy indicates adkim=s (strict), then any DKIM PASS identifiers are excluded because the match is not exact.
Otherwise, processing proceeds to.
4.6.5 Evaluate Relaxed Alignment
If any verified identifiers are not equal to, or a child of, the organizational domain, then they are not aligned and therefore are excluded.
If any verified identifier exactly matches the organizational domain or any subdomain between the organizational domain and the RFC5322.From domain, then that identifier has relaxed alignment and the result is PASS.
If there are no identifiers that have not been excluded, the result is FAIL.
For each remaining identifier that has not been excluded, a simplified Tree Walk is performed:
A policy check is performed at the matching domain, and at each parent domain, skipping any parent domains with 5 or more labels. If a DMARC policy record is found, and contains a PSD term, then the veified identifier is not aligned and is therefore excluded. EValuation proceeds to the next non-excluded identifier. If no identifiers remain to be evaluated, the DMARC result is FAIL.
If a policy record is not found, or the policy record does not contain a PSD term, then the walk continues up the domain tree. When the walk reaches the organizational domain without finding a PSD term, then the identifier is aligned and the DMARC result is PASS.
4.6.6 Failure disposition
If the DMARC policy record is from the RFC5322.From domain, then the "p=" term is used to determine the domain owner's failure disposition policy. The "np" term for non-existent domains does not apply because the policy record itself demonstrates that the domain exists.
If the DMARC policy record is from the PSD domain, and an "np=" term is present, then the organizational domain is tested for existance. A DNS query is performed on the organizational domain. If the result is NXDOMAIN, the domain does not exist and the "np=" term applies. If the result is NODATA or DATA, the "sp=" term is used.
If the DMARC policy record is from the organizational domain, and an "np=" term is present, then the RFC5322.From domain is tested for existance. A DNS query is performed on the RFC5322.From domain. If the result is NXDOMAIN, the domain does not exist and the "np=" term applies. If the result is NODATA or DATA, the "sp=" term is used.
If the policy record does not have an "sp=" term, the "p=" term is used.
Once the domain owner's disposition policy is obtained, it is used as an input to the evaluator's message disposition decision.
4.6.7 Retain data for reporting If the evaluator implements rua reporting for the RFC5322.From domain, and the policy record contains a "rua" tag with at least one syntactically valid reporting URI, then data about the message and its identifiers is logged for "rua" reporting.
If the evaluator implements ruf reporting for the RFC5322.From domain, and the policy record contains a "ruf" tag with at least one syntactically valid reporting URI, then data about the message is processed immediately for ruf reporting.