[opendmarc-users] Does my opendmarc 1.3.2 parse domains correctly?

Dominic Raferd dominic at timedicer.co.uk
Thu Mar 30 06:48:26 PDT 2017


On 30/03/2017 12:25, Juri Haberland wrote:
> Dominic Raferd wrote:
>
>> I am puzzled looking at the Authentication-Results headers generated by
>> mx.google.com compared with our own (timedicer.co.uk) in a recent incoming
>> email (text slightly obfuscated):
>>
>> Return-Path: <conso at skimium.emv5.com>
>> ...
>> Authentication-Results: mx.google.com;
>>         dkim=pass header.i=@emv5.com;
>>         spf=fail (google.com: domain of conso at skimium.emv5.com does not
>> designate 163.131.228.222 as permitted sender) smtp.mailfrom=
>> conso at skimium.emv5.com;
>>         dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=emv5.com
>> Authentication-Results: timedicer.co.uk/3DEFB428BB; dmarc=pass (p=none
>> dis=none) header.from=skimium.emv5.com
>> ...
>> From: "Skimium.com" <conso at skimium.emv5.com>
>> [...] But I am puzzled that - for dmarc -
>> mx.google.com has header.from=emv5.com whereas my server (timedicer.co.uk)
>> has header.from=skimium.emv5.com. In this case it made no difference (sp
>> policy matches p policy, both are NONE), but does this mean my server is
>> not parsing the domain name correctly?
> Why do you think OpenDMARC does it wrong? Looking at section 11.1 of the
> RFC7489 (https://tools.ietf.org/html/rfc7489#page-42) the header.from field
> should have:
>> Value:  the domain portion of the RFC5322.From field
> I read this as the complete domain part or in your case "skimium.emv5.com",
> not the parent domain "emv5.com".
>
> So, IMHO Google has it wrong...
Interesting Juri, but I am reading section 9 of 
https://dmarc.org/draft-dmarc-base-00-01.html. Where there is no DMARC 
TXT record for the given domain, the receiver 'MUST query the DNS for a 
DMARC TXT record at the DNS domain matching the Organizational Domain in 
place of the RFC5322.From domain in the message (if different). This 
record can contain policy to be asserted for subdomains of the 
Organizational Domain'.

In this case 'skimium.emv5.com' has no DMARC TXT record, whereas 
'emv5.com' has a DMARC TXT record (with p=none, and no sp=):
$ dig +short _dmarc.emv5.com TXT
"v=DMARC1; p=none;rua=mailto:dmarc-722-08-92xze at emvdmarc.com; rf=afrf; 
pct=100;"

So I think Google may be right to be testing against emv5.com (I assume 
that because there is no explicit 'sp' policy, the declared 'p' policy 
for emv5.com would apply to subdomains such as skimium.emv5.com).

Maybe OpenDMARC has done this testing too (i.e. against emv5.com) but 
just not reported it the same way - if so, I think Google's reporting is 
better because it makes it clear against which DMARC record the test has 
been performed.

Dominic
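
The lookup order discussed in this message, sketched as an added example (not part of the original post and not OpenDMARC's or Google's code): query `_dmarc.` at the RFC5322.From domain, fall back to the Organizational Domain, and apply `sp=` if present, otherwise `p=`. The function names, the DNS table and the three-entry public-suffix set are assumptions made so it runs offline; a real verifier queries DNS and uses the full Public Suffix List.

```python
# Added example: DMARC policy discovery with Organizational Domain fallback.
# DNS_TXT and PUBLIC_SUFFIXES are constructed stand-ins so this runs offline;
# a real verifier queries DNS and uses the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}  # assumption: tiny PSL subset

# Constructed zone data: only the parent domain publishes a record,
# mirroring the case in the thread (rua and rf tags omitted).
DNS_TXT = {
    "_dmarc.emv5.com": ["v=DMARC1; p=none; pct=100;"],
}

def organizational_domain(domain):
    """Return the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: assume a one-label TLD

def parse_tags(record):
    """Split 'k=v; k=v' into a dict; return None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def lookup(name, dns):
    for txt in dns.get(name, []):
        tags = parse_tags(txt)
        if tags:
            return tags
    return None

def discover_policy(from_domain, dns=DNS_TXT):
    """Return (domain whose record was used, effective policy)."""
    from_domain = from_domain.lower().rstrip(".")
    tags = lookup("_dmarc." + from_domain, dns)
    if tags:
        return from_domain, tags.get("p")
    org = organizational_domain(from_domain)
    if org != from_domain:
        tags = lookup("_dmarc." + org, dns)
        if tags:
            # Subdomain of the org domain: sp= wins, otherwise p= applies.
            return org, tags.get("sp", tags.get("p"))
    return None, None
```

With the constructed table, `discover_policy("skimium.emv5.com")` returns `("emv5.com", "none")`: the policy comes from the parent's record even though the From domain itself is `skimium.emv5.com`.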

