[opendmarc-users] Does my opendmarc 1.3.2 parse domains correctly?
Juri Haberland
juri at sapienti-sat.org
Thu Mar 30 07:07:15 PDT 2017
Dominic Raferd wrote:
> On 30/03/2017 12:25, Juri Haberland wrote:
>> Dominic Raferd wrote:
>>> Authentication-Results: mx.google.com;
>>> dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=emv5.com
>>> Authentication-Results: timedicer.co.uk/3DEFB428BB; dmarc=pass (p=none
>>> dis=none) header.from=skimium.emv5.com
>>> ...
>>> From: "Skimium.com" <conso at skimium.emv5.com>
>> Why do you think OpenDMARC does it wrong? Looking at section 11.1 of the
>> RFC7489 (https://tools.ietf.org/html/rfc7489#page-42) the header.from field
>> should have:
>>> Value: the domain portion of the RFC5322.From field
>> I read this as the complete domain part or in your case "skimium.emv5.com",
>> not the parent domain "emv5.com".
>>
>> So, IMHO Google has it wrong...
> Interesting Juri, but I am reading section 9 of
> https://dmarc.org/draft-dmarc-base-00-01.html. Where there is no DMARC
> TXT record for the given domain, the receiver 'MUST query the DNS for a
> DMARC TXT record at the DNS domain matching the Organizational Domain in
> place of the RFC5322.From domain in the message (if different). This
> record can contain policy to be asserted for subdomains of the
> Organizational Domain'.
> So I think Google may be right to be testing against emv5.com (I assume
> that because there is no explicit 'sp' policy, the declared 'p' policy
> for emv5.com would apply to subdomains such as skimium.emv5.com).
Yes, absolutely, that's how DMARC is designed to work.
> Maybe openDMARC has done this testing too (i.e. against emv5.com) but
> just not reported it the same way - if so, I think Google's reporting is
> better because it makes it clear against which DMARC record the test has
> been performed.
Of course OpenDMARC did the same tests - it just does not report the
sub-domain policy in its AR header. That's what really confused you, right?
The (p=NONE sp=NONE dis=NONE) vs. (p=none dis=none)?
These are only optional comments that are not standardized in any way -
OpenDMARC borrowed that idea from Google and Google just recently enhanced its
comment to include the sub-domain policy - last year they looked like that:
(p=NONE dis=NONE).
I'll open a feature request/ticket for OpenDMARC to include that piece of
information as well.
Juri
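
The policy discovery discussed in this thread (no DMARC record at the From domain, so the Organizational Domain's record is used, with `sp` taking precedence over `p` for subdomains when present), as an added example that is not part of the original message or OpenDMARC's code. The suffix set, the zone contents and all function names are constructed assumptions; a real receiver uses the full Public Suffix List and live DNS TXT lookups.

```python
# Constructed sample data: a tiny public-suffix set and a fake DNS zone.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk"}
ZONE = {"_dmarc.emv5.com": "v=DMARC1; p=none"}  # constructed record, no sp= tag


def organizational_domain(domain):
    """Longest matching public suffix plus one label (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i=0 tests the longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # fallback assumption for unlisted suffixes


def parse_record(txt):
    """Split 'v=DMARC1; p=none; sp=reject' into a tag dict, or None if invalid."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def discover_policy(from_domain, zone=ZONE):
    """Return (domain whose record was used, effective policy) for a From domain."""
    from_domain = from_domain.lower().rstrip(".")
    org = organizational_domain(from_domain)
    # Query the From domain first, then the Organizational Domain if different.
    for candidate in dict.fromkeys([from_domain, org]):
        tags = parse_record(zone.get("_dmarc." + candidate, ""))
        if tags is None or "p" not in tags:
            continue
        # sp= only matters when a subdomain falls back to the org domain's
        # record; a record found at the From domain itself always uses p=.
        fell_back = candidate == org and from_domain != org
        policy = tags.get("sp", tags["p"]) if fell_back else tags["p"]
        return candidate, policy.lower()
    return None, None


if __name__ == "__main__":
    print(discover_policy("skimium.emv5.com"))
```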