Closed ietf-svn-bot closed 2 years ago
@todd.herr@valimail.com set milestone to Deliverable ietf-wg-dmarc/dmarc-draftissues#3 (changes to DMARC base spec + DMARC Usage Guide)
Current tree walk implementation goes well beyond single level proposed here. Recommend closing ticket.
type_enhancement
by dougfoster.emailstandards@gmail.com
DMARC Policies can only be configured within leaf nodes underneath a DNS domain, while email suffixes can be configured as either DNS domain names or host names within a DNS domain. When the email suffix is not a DNS domain, the domain owner cannot specify a DMARC policy. Therefore, the evaluator can only use the SP clause of the organizational domain policy. An optimal design should provide a granular option for any email suffix.
One solution to this problem would be to allow DMARC policies to be implemented as TXT records that match the name of the email suffix. This approach seems too disruptive to existing implementations.
Instead, I propose a one-level domain walk when a DMARC policy does not exist for the email suffix, and the email suffix is two or more segments below the organizational domain. This allows non-domain email suffixes to benefit from the SP clause of the parent subdomain’s DMARC policy, rather than being protected only by the organizational SP policy. The SP clause of subdomain DMARC policies is currently unused, so the proposal is upward compatible.
Risk Assessment:
If the Organizational SP policy matches the new parent subdomain SP policy, then the evaluation result will be the same whether or not the evaluator uses the one-level walk feature.
If the Organizational SP policy is weaker than the parent subdomain SP policy, then evaluators which do not implement the one-level walk will apply the same result as if the additional SP policy did not exist. Evaluators which do implement the one-level walk will benefit from the stricter policy.
If an Organizational SP policy is stronger than the parent subdomain SP policy, then evaluators which do not use the one-level domain walk will obtain a result which is stricter than the domain owner intends, while those that evaluate the one-level walk will obtain the weaker policy that the domain owner intends. In the absence of a one-level walk, the domain owner can only ensure a weak policy at the lower level by applying a weak SP policy for all levels.
Issue migrated from trac:121 at 2022-01-24 16:54:21 +0000
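Added worked example (not part of the ticket, and not code from any DMARC implementation): a small model of DMARC policy discovery for an RFC5322.From domain, first as RFC 7489 section 6.6.3 describes it (exact record, else the organizational domain's record with its sp= applied) and then with the one-level walk proposed above. DNS is replaced by a constructed dictionary of _dmarc TXT records, and the Public Suffix List step is reduced to "the last two labels are the organizational domain", which is an assumption that holds for example.com but not for real multi-label public suffixes. The names example.com, corp.example.com and mail.corp.example.com are constructed; risk_matrix() runs the three cases of the ticket's risk assessment against the host name mail.corp.example.com, which has no record of its own.

```python
# Added example, not code from the ticket or from any DMARC implementation.
# Models RFC 7489 policy discovery plus the proposed one-level walk.
# DNS is a constructed dict of _dmarc TXT records; the PSL step is the
# assumption "last two labels = organizational domain".
from typing import Dict, Optional, Tuple

Record = Dict[str, str]
Zone = Dict[str, str]


def parse_dmarc(txt: str) -> Record:
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    tags: Record = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def lookup(name: str, zone: Zone) -> Optional[Record]:
    """Return the validated record at _dmarc.<name>, or None if absent/unusable."""
    txt = zone.get("_dmarc." + name)
    if txt is None:
        return None
    tags = parse_dmarc(txt)
    # A usable record needs v=DMARC1 and a p= tag (RFC 7489 section 6.3).
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def organizational_domain(name: str) -> str:
    # Assumption: no Public Suffix List; the last two labels form the org domain.
    return ".".join(name.split(".")[-2:])


def effective_policy(tags: Record, for_subdomain: bool) -> str:
    """p= governs the record owner itself; sp= (when present) its subdomains."""
    if for_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


def discover(from_domain: str, zone: Zone,
             one_level_walk: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (policy, record_owner) for an RFC5322.From domain, or (None, None)."""
    direct = lookup(from_domain, zone)
    if direct is not None:
        return effective_policy(direct, for_subdomain=False), from_domain

    org = organizational_domain(from_domain)
    if from_domain == org:
        return None, None  # the org domain itself publishes nothing

    labels = from_domain.split(".")
    depth = len(labels) - len(org.split("."))  # labels below the org domain
    if one_level_walk and depth >= 2:
        # Proposal: check exactly one level up; that record's sp= governs.
        parent = ".".join(labels[1:])
        parent_rec = lookup(parent, zone)
        if parent_rec is not None:
            return effective_policy(parent_rec, for_subdomain=True), parent

    org_rec = lookup(org, zone)  # RFC 7489 fallback: organizational domain
    if org_rec is None:
        return None, None
    return effective_policy(org_rec, for_subdomain=True), org


def make_zone(org_sp: str, parent_sp: str) -> Zone:
    """Constructed zone: example.com (org domain) and corp.example.com publish
    records; mail.corp.example.com is a host name with no record of its own."""
    return {
        "_dmarc.example.com": f"v=DMARC1; p=reject; sp={org_sp}",
        "_dmarc.corp.example.com": f"v=DMARC1; p=reject; sp={parent_sp}",
    }


def risk_matrix() -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """The ticket's three cases for mail.corp.example.com: (without walk, with walk)."""
    cases = {
        "equal": ("quarantine", "quarantine"),
        "org_weaker": ("none", "quarantine"),
        "org_stronger": ("reject", "none"),
    }
    out: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for label, (org_sp, parent_sp) in cases.items():
        zone = make_zone(org_sp, parent_sp)
        without = discover("mail.corp.example.com", zone, one_level_walk=False)[0]
        with_walk = discover("mail.corp.example.com", zone, one_level_walk=True)[0]
        out[label] = (without, with_walk)
    return out


if __name__ == "__main__":
    for label, (without, with_walk) in risk_matrix().items():
        print(f"{label:13s} without walk: {without!s:10s} with walk: {with_walk}")
```

The walk is deliberately limited to one label: for a.b.corp.example.com, only b.corp.example.com is consulted before falling back to the organizational domain, matching the proposal rather than the full tree walk later adopted. A name only one label below the organizational domain (www.example.com) never triggers the walk, since its parent is the organizational domain already.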