
IKI & DMARCbis

Trying to parse the tree walk procedure of DMARCbis, this is my summary of the process.

This is a real-world example with iki.fi. Iki.fi is a Public Suffix Domain which also sends email out, meaning kivinen@iki.fi, haa@iki.fi etc. are valid email addresses which all belong to iki.fi, and iki.fi would like to get reports for those and specify a policy for them as well.

Under iki.fi there are subdomains which are owned by other people, i.e., the kivinen.iki.fi domain is owned by the same member who owns the kivinen@iki.fi email address, and so on. There are also host names which are part of iki.fi, for example mail.iki.fi, smtp.iki.fi, jatkuu.iki.fi, listat.iki.fi etc.

Now, if we have the following DMARC records:

  • iki.fi:
    • v=DMARC1; p=none; rua=iki-report@iki.fi; psd=y; adkim=s; aspf=s
  • kivinen.iki.fi:
    • v=DMARC1; p=quarantine; rua=report@kivinen.iki.fi; psd=n
  • haa.iki.fi: no dmarc record
  • listat.iki.fi:
    • v=DMARC1; p=none; rua=iki-report@iki.fi; adkim=r

kivinen@iki.fi

  • From kivinen@iki.fi
  • RFC5321.MailFrom kivinen@iki.fi
  • Author domain iki.fi
  • dkim has d=iki.fi
  • SPF record has the A records of smtp.iki.fi, which is the sender of the mails.

If the author domain is iki.fi, then per section 4.10.1 we start at the author domain and fetch the DMARC record from _dmarc.iki.fi, and find the record above. DMARC policy discovery stops there. To find the organizational domain we follow section 4.10.2 and find that the authenticated domain and all authenticated identifiers are the same domain, thus this common domain is treated as the organizational domain. The psd=y tag of iki.fi does not have any effect.

  • Authenticated identifiers: iki.fi
  • Organizational domain: iki.fi

root@kivinen.iki.fi

  • From root@kivinen.iki.fi
  • RFC5321.MailFrom root@kivinen.iki.fi
  • Author domain kivinen.iki.fi
  • dkim has d=kivinen.iki.fi
  • no spf records.

The author domain is kivinen.iki.fi, and the lookup will find the record at _dmarc.kivinen.iki.fi. As all domains are again aligned, the same domain is used as the organizational domain and the process ends. The psd=n tag of kivinen.iki.fi and the psd=y tag of iki.fi do not have any effect.

  • Authenticated identifiers: kivinen.iki.fi
  • Organizational domain: kivinen.iki.fi

haa@haa.iki.fi

  • From haa@haa.iki.fi
  • RFC5321.MailFrom haa@haa.iki.fi
  • Author domain haa.iki.fi
  • no dkim headers
  • no spf records.

The author domain is haa.iki.fi, and we do not find a DMARC record at _dmarc.haa.iki.fi, thus we start the tree walk procedure. The starting point is set to iki.fi. We query that in step 1 of 4.10, and in step 2 find out that it has psd=y, thus we do not stop; we continue to step 3 etc. and move to the next domain. In the next step we look up _dmarc.fi and do not find any DMARC record, and then we finish. We did not find any DMARC record for the author domain. To find the organizational domain we follow the process in 4.10.2 and, going from the longest to the shortest, we find that iki.fi had a DMARC record with psd=y, thus we pick as organizational domain the domain one level below it, i.e., haa.iki.fi.

  • Authenticated identifiers: none
  • Organizational domain: haa.iki.fi

httpd@hups.kivinen.iki.fi

  • From httpd@hups.kivinen.iki.fi
  • RFC5321.MailFrom httpd@hups.kivinen.iki.fi
  • Author domain hups.kivinen.iki.fi
  • dkim has d=kivinen.iki.fi
  • no spf records

If the email is from httpd@hups.kivinen.iki.fi, then the author domain is hups.kivinen.iki.fi. There is no DMARC record at _dmarc.hups.kivinen.iki.fi, thus we start the tree walk with a starting point of kivinen.iki.fi. We find the record at _dmarc.kivinen.iki.fi with psd=n, thus we stop there, and the organizational domain is set to kivinen.iki.fi, aligning with DKIM.

  • Authenticated identifiers: kivinen.iki.fi
  • Organizational domain: kivinen.iki.fi

mailman@listat.iki.fi

  • From mailman@listat.iki.fi
  • RFC5321.MailFrom mailman@listat.iki.fi
  • Author domain listat.iki.fi
  • Dkim has d=iki.fi
  • no spf records

The list server listat.iki.fi is sending email from mailman@listat.iki.fi with DKIM d=iki.fi, and the first lookup will find the DMARC record at _dmarc.listat.iki.fi. Next is to find the organizational domain, but as the author domain (listat.iki.fi) and the authenticated identifier for DKIM (iki.fi) do not match, we need to do a tree walk with a starting point of iki.fi. There is a DMARC record there, but it does not have psd=n (it has psd=y), so the process continues, and the tree walk next tries _dmarc.fi and does not find anything. Then in 4.10.2 step 2 we find that _dmarc.iki.fi had psd=y, thus the organizational domain will be one level below that, i.e., listat.iki.fi. As _dmarc.listat.iki.fi has adkim=r, that is used, and d=iki.fi matches because listat.iki.fi is a subdomain of it.

  • Authenticated identifiers: iki.fi
  • Organizational domain: listat.iki.fi
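
The five cases above traced in code, as an added example written for this page (it is not code from the wiki or from the DMARCbis draft). DNS is replaced by a constructed table of the four records listed at the top, the draft's label-count limits on the walk are left out (assumption: no domain here has more than four labels, so they never apply), and the walk, the organizational-domain rule and the relaxed-alignment rule follow this page's reading of sections 4.10 to 4.10.2; `tree_walk`, `discover` and `aligned` are names chosen here.

```python
"""Model of the DMARCbis tree walk over the iki.fi records on this page (added example)."""

# Constructed stand-in for DNS: domain -> text of its _dmarc TXT record.
DNS = {
    "iki.fi": "v=DMARC1; p=none; rua=iki-report@iki.fi; psd=y; adkim=s; aspf=s",
    "kivinen.iki.fi": "v=DMARC1; p=quarantine; rua=report@kivinen.iki.fi; psd=n",
    "listat.iki.fi": "v=DMARC1; p=none; rua=iki-report@iki.fi; adkim=r",
}


def parse_record(text):
    """Parse 'tag=value; ...' into a dict; None when there is no record."""
    if text is None:
        return None
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = value.strip()
    return tags


def lookup(domain):
    """Stand-in for the _dmarc.<domain> TXT query."""
    return parse_record(DNS.get(domain))


def parents(domain):
    """Domains the walk visits, longest first, down to the TLD (e.g. 'fi')."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def tree_walk(start):
    """Walk upward from `start`; returns [(domain, record)] per query made.

    Step 2 of the walk: psd=n ends the walk at that domain; psd=y or a
    missing psd tag lets the walk continue to the next shorter domain.
    """
    visited = []
    for domain in parents(start):
        record = lookup(domain)
        visited.append((domain, record))
        if record is not None and record.get("psd") == "n":
            break
    return visited


def discover(author_domain, identifiers):
    """Policy discovery plus organizational-domain determination.

    identifiers: authenticated identifier domains (DKIM d=, SPF domain).
    Returns (policy_record_or_None, organizational_domain).
    """
    own = lookup(author_domain)
    if own is not None and all(i == author_domain for i in identifiers):
        # Record at the author domain and every identifier is that same
        # domain: no walk is needed, and a psd tag on it has no effect.
        return own, author_domain

    # The walk re-queries the author domain; harmless for this model.
    visited = tree_walk(author_domain)
    org = None
    for index, (domain, record) in enumerate(visited):  # longest to shortest
        if record is None:
            continue
        if record.get("psd") == "n":
            org = domain                      # psd=n names the org domain
            break
        if record.get("psd") == "y":          # psd=y: one label below it
            org = visited[index - 1][0] if index > 0 else domain
            break
    if org is None:
        org = author_domain  # assumption: fallback not exercised by this page
    # Policy record: the author domain's own, else the org domain's (if any).
    return (own if own is not None else lookup(org)), org


def aligned(identifier, author_domain, org_domain, mode):
    """Strict: exact match with the author domain. Relaxed (this page's
    reading): the org domain itself, a parent of it, or a subdomain of it."""
    if mode == "s":
        return identifier == author_domain
    return (identifier == org_domain
            or org_domain.endswith("." + identifier)
            or identifier.endswith("." + org_domain))


def evaluate(author_domain, dkim_domains):
    """Run discovery and report DKIM alignment under the record's adkim mode."""
    policy, org = discover(author_domain, dkim_domains)
    mode = (policy or {}).get("adkim", "r")
    return {"org": org, "p": (policy or {}).get("p"),
            "dkim": {d: aligned(d, author_domain, org, mode) for d in dkim_domains}}


if __name__ == "__main__":
    for author, dkim in [("iki.fi", ["iki.fi"]), ("kivinen.iki.fi", ["kivinen.iki.fi"]),
                         ("haa.iki.fi", []), ("hups.kivinen.iki.fi", ["kivinen.iki.fi"]),
                         ("listat.iki.fi", ["iki.fi"])]:
        print(author, evaluate(author, dkim))
```

Each case on this page maps onto one `evaluate` call: the two fully aligned cases return their own record without any walk, haa.iki.fi ends with no policy record and an organizational domain one label below the psd=y domain, and the listat.iki.fi case shows why adkim=r on the list server's record is what lets d=iki.fi align.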

faq/ikidmarcbis.txt · Last modified: 2024-07-21 18:11 by kivinen