[opendmarc-users] Does my opendmarc 1.3.2 parse domains correctly?

Dominic Raferd dominic at timedicer.co.uk
Thu Mar 30 07:28:10 PDT 2017 

On 30 March 2017 at 15:07, Juri Haberland <juri at sapienti-sat.org> wrote:

> Dominic Raferd wrote:
> > On 30/03/2017 12:25, Juri Haberland wrote:
> >> Dominic Raferd wrote:
>
> >>> Authentication-Results: mx.google.com;
> >>>         dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=emv5.com
> >>> Authentication-Results: timedicer.co.uk/3DEFB428BB; dmarc=pass (p=none
> >>> dis=none)
> ​​
> header.from=skimium.emv5.com
> >>> ...
> >>> From: "Skimium.com" <conso at skimium.emv5.com>
>
> >> Why do you think OpenDMARC does it wrong? Looking at section 11.1 of the
> >> RFC7489 (https://tools.ietf.org/html/rfc7489#page-42) the header.from
> field
> >> should have:
> >>> Value:  the domain portion of the RFC5322.From field
> >> I read this as the compelete domain part or in your case "
> skimium.emv5.com",
> >> not the parent domain "emv5.com".
> >>
> >> So, IMHO Google has it wrong...
>
> > Interesting Juri, but I am reading section 9 of
> > https://dmarc.org/draft-dmarc-base-00-01.html. Where there is no DMARC
> > TXT record for the given domain, the receiver 'MUST query the DNS for a
> > DMARC TXT record at the DNS domain matching the Organizational Domain in
> > place of the RFC5322.From domain in the message (if different). This
> > record can contain policy to be asserted for subdomains of the
> > Organizational Domain'.
>
> > So I think Google may be right to be testing against emv5.com (I assume
> > that because there is no explicit 'sp' policy, the declared 'p' policy
> > for emv5.com would apply to subdomains such as skimium.emv5.com).
>
> Yes, absolutely, that's how DMARC is designed to work.
>
> > Maybe openDMARC has done this testing too (i.e. against emv5.com) but
> > just not reported it the same way - if so, I think Google's reporting is
> > better because it makes it clear against which DMARC record the test has
> > been performed.
>
> Of course OpenDMARC did the same tests - it just does not report the
> sub-domain policy in its AR header. That's what really confused you, right?
> The (p=NONE sp=NONE dis=NONE) vs. (p=none dis=none)?
> These are only optional comments that are not standardized in any way -
> OpenDMARC borrowed that idea from Google and Google just recently enhanced
> its
> comment to include the sub-domain policy - last year they looked like that:
> (p=NONE dis=NONE).
>
> I'll open a feature request/ticket for OpenDMARC to include that piece of
> information as well.


​Thanks Juri. It's not so much the absence of sp= (although that would be
nice to have appearing as well) it's that google shows 'header.from=emv5.com'
which is actually the domain that was/should_have_been tested (because
there is no DMARC TXT record for skimium.emv5.com) whereas openDMARC shows '
​
header.from=skimium.emv5.com' so you don't know that openDMARC *actually*
looked at the DMARC TXT record for emv5.com (as it did, if I understand you
correctly).

Dominic
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.trusteddomain.org/pipermail/opendmarc-users/attachments/20170330/5e91e121/attachment-0001.htm>

More information about the opendmarc-users mailing list