ietf-wg-dmarc / draft-ietf-dmarc-dmarcbis


DMARCbis WGLC: Section 4.7 Policy Discovery Clarity #128

Closed toddherr closed 5 months ago

toddherr commented 6 months ago

Section 4.7, DMARC Policy Discovery, starts with the following sentence:

For policy discovery, a DNS Tree Walk starts at the domain found in the RFC5322.From header of the message being evaluated.

I think the above is muddy, especially given that step 2 of the Tree Walk reads:

Records that do not start with a "v=" tag that identifies the current version of DMARC are discarded. If multiple DMARC records are returned, they are all discarded. If a single record remains and it contains a "psd=n" tag, stop

When it comes to policy discovery, if the RFC5322.From domain has a published policy record, it's the policy regardless of the value of the 'psd' tag, is it not? Step 2 of the Tree Walk would seem to indicate that if such a record didn't have psd=n then the Tree Walk would continue for policy discovery.

I believe that the first sentence in Section 4.7 should be replaced as follows:

For policy discovery, first query for a DMARC policy record at the name created by prepending the label "_dmarc" to the RFC5322.From domain. If no valid DMARC policy record is found there, then perform a DNS Tree Walk starting with the parent domain of the RFC5322.From domain.

I think Section 4.8 is okay, because a Tree Walk will always have to be performed for Organizational Domain Discovery, but for Policy Discovery, the Tree Walk is only necessary if there's no policy published specifically for the RFC5322.From domain.
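As an added example, not part of this issue, the draft, or any working-group code: a small Python model of the discovery order proposed above. It runs over a constructed DNS TXT map (FAKE_TXT, not real records) and applies the quoted step 2 filtering (non-"v=DMARC1" records discarded, multiple records all discarded). The helper names (parse_dmarc, single_valid_record, discover_policy) are this example's own. The draft's label-count limit on the Tree Walk and its psd=y handling are not modeled; the walk here simply stops at the first surviving record, which covers the psd=n case quoted above.

```python
from typing import Optional

# Constructed TXT data keyed by owner name (example only, not real DNS).
FAKE_TXT = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    # Published for the exact From domain but carrying no psd= tag at all.
    "_dmarc.mail.example.com": ["v=DMARC1; p=none"],
    # Two DMARC records at one name: step 2 says discard them all.
    "_dmarc.dup.example.com": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    # Non-DMARC TXT noise that must be ignored.
    "_dmarc.noise.example.com": ["some unrelated text", "v=spf1 -all"],
    # A psd=n record with a PSD record above it that must never be consulted.
    "_dmarc.example.co.uk": ["v=DMARC1; p=quarantine; psd=n"],
    "_dmarc.co.uk": ["v=DMARC1; p=none; psd=y"],
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def single_valid_record(name: str, queried: list) -> Optional[dict]:
    """Step 2 as quoted in the issue: keep only records that start with the
    current version tag; if anything other than exactly one remains, there is
    no usable record at this name.  Every name looked up is appended to
    `queried` so callers can see which lookups actually happened."""
    queried.append(name)
    kept = [
        r for r in FAKE_TXT.get(name, [])
        if r.strip().lower().startswith("v=dmarc1")
    ]
    if len(kept) != 1:
        return None
    return parse_dmarc(kept[0])


def discover_policy(from_domain: str):
    """Policy discovery in the order proposed in this issue.

    Returns (record_tags_or_None, list_of_names_queried)."""
    queried: list = []

    # 1. Query _dmarc.<From domain>.  If a single valid record is there, it is
    #    the policy regardless of whether it carries psd=n, so no walk happens.
    rec = single_valid_record(f"_dmarc.{from_domain}", queried)
    if rec is not None:
        return rec, queried

    # 2. Otherwise walk the tree starting at the PARENT of the From domain.
    #    A psd=n record stops the walk (step 2); this simplified model also
    #    stops at any other single valid record and does not apply the
    #    draft's label-count limit.
    labels = from_domain.split(".")
    for i in range(1, len(labels)):
        rec = single_valid_record("_dmarc." + ".".join(labels[i:]), queried)
        if rec is not None:
            return rec, queried

    return None, queried


if __name__ == "__main__":
    for domain in ["mail.example.com", "nonexistent.example.com",
                   "dup.example.com", "sub.example.co.uk"]:
        rec, queried = discover_policy(domain)
        print(domain, "->", rec.get("p") if rec else None, "via", queried)
```

The first case is the one the issue is about: mail.example.com has its own record with no psd tag, and the model returns it after a single lookup rather than walking on to example.com. The dup and noise cases show step 2 discarding the From-domain records and the walk starting at the parent, and the co.uk case shows a psd=n record at the parent ending the walk before the PSD record is ever queried.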

toddherr commented 5 months ago

Text has been updated and pushed to working branch.