[opendmarc-users] Does my opendmarc 1.3.2 parse domains correctly?
Dominic Raferd
dominic at timedicer.co.uk
Thu Mar 30 06:48:26 PDT 2017
On 30/03/2017 12:25, Juri Haberland wrote:
> Dominic Raferd wrote:
>
>> I am puzzled looking at the Authentication-Results headers generated by
>> mx.google.com compared with our own (timedicer.co.uk) in a recent incoming
>> email (text slightly obfuscated):
>>
>> Return-Path: <conso at skimium.emv5.com>
>> ...
>> Authentication-Results: mx.google.com;
>> dkim=pass header.i=@emv5.com;
>> spf=fail (google.com: domain of conso at skimium.emv5.com does not
>> designate 163.131.228.222 as permitted sender) smtp.mailfrom=
>> conso at skimium.emv5.com;
>> dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=emv5.com
>> Authentication-Results: timedicer.co.uk/3DEFB428BB; dmarc=pass (p=none
>> dis=none) header.from=skimium.emv5.com
>> ...
>> From: "Skimium.com" <conso at skimium.emv5.com>
>> [...] But I am puzzled that - for dmarc -
>> mx.google.com has header.from=emv5.com whereas my server (timedicer.co.uk)
>> has header.from=skimium.emv5.com. In this case it made no difference (sp
>> policy matches p policy, both are NONE), but does this mean my server is
>> not parsing the domain name correctly?
> Why do you think OpenDMARC does it wrong? Looking at section 11.1 of the
> RFC7489 (https://tools.ietf.org/html/rfc7489#page-42) the header.from field
> should have:
>> Value: the domain portion of the RFC5322.From field
> I read this as the complete domain part or in your case "skimium.emv5.com",
> not the parent domain "emv5.com".
>
> So, IMHO Google has it wrong...

Interesting Juri, but I am reading section 9 of
https://dmarc.org/draft-dmarc-base-00-01.html. Where there is no DMARC
TXT record for the given domain, the receiver 'MUST query the DNS for a
DMARC TXT record at the DNS domain matching the Organizational Domain in
place of the RFC5322.From domain in the message (if different). This
record can contain policy to be asserted for subdomains of the
Organizational Domain'.

In this case 'skimium.emv5.com' has no DMARC TXT record, whereas
'emv5.com' has a DMARC TXT record (with p=none, and no sp=):

$ dig +short _dmarc.emv5.com TXT
"v=DMARC1; p=none;rua=mailto:dmarc-722-08-92xze at emvdmarc.com; rf=afrf;
pct=100;"

So I think Google may be right to be testing against emv5.com (I assume
that because there is no explicit 'sp' policy, the declared 'p' policy
for emv5.com would apply to subdomains such as skimium.emv5.com).

Maybe openDMARC has done this testing too (i.e. against emv5.com) but
just not reported it the same way - if so, I think Google's reporting is
better because it makes it clear against which DMARC record the test has
been performed.

Dominic
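
The policy discovery discussed in this thread (query the RFC5322.From domain, fall back to the Organizational Domain, and use `p` for subdomains when no `sp` is present), as an added example that is not part of the original message and not OpenDMARC's code. The public-suffix set and DNS table are constructed stand-ins, and the function names are hypothetical.

```python
# Constructed stand-ins for the Public Suffix List and for DNS TXT lookups.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}
TXT = {
    # Modelled on the emv5.com record quoted above (rua omitted): p=none, no sp.
    "_dmarc.emv5.com": "v=DMARC1; p=none; rf=afrf; pct=100;",
    # Constructed record with an explicit subdomain policy.
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=quarantine",
}

def org_domain(domain):
    """Organizational Domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # no known suffix: assume a one-label TLD

def parse_record(txt):
    """Split a DMARC record into a tag dict; None if it is not v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def discover_policy(from_domain, lookup=TXT.get):
    """Return which record was used and which policy applies to from_domain."""
    from_domain = from_domain.lower().rstrip(".")
    org = org_domain(from_domain)
    # Query the From domain first, then the Organizational Domain if different.
    for queried in dict.fromkeys([from_domain, org]):
        rec = parse_record(lookup("_dmarc." + queried) or "")
        if rec is None:
            continue
        # sp only applies when the record came from the parent (org) domain.
        use_sp = queried != from_domain and "sp" in rec
        policy = rec["sp"] if use_sp else rec.get("p", "")
        return {"header_from": from_domain, "policy_domain": queried,
                "policy": policy.lower()}
    return {"header_from": from_domain, "policy_domain": None, "policy": None}

if __name__ == "__main__":
    for d in ("skimium.emv5.com", "mail.example.org", "example.org"):
        print(discover_policy(d))
```

Keeping `header_from` and `policy_domain` as separate fields shows both values at issue in the thread: the domain taken from the From header and the domain whose DMARC record supplied the policy.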