Public bug reported:
If DNS lookup of TXT records for a domain finds more than one v=DMARC1; record, it checks them all for policy = reject or quarantine. RFC 7489, Sec 6.6.3 item 5 says: "5. If the remaining set contains multiple records or no records, policy discovery terminates and DMARC processing is not applied to this message." Thus, if we find multiple records we should assume no DMARC policy for this domain.
** Affects: mailman Importance: Low Status: Triaged
Here's the 5 items: https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.3
If item 2 matches multiple v=DMARC1 records, and therefore item 3 is ignored, does item 5 even apply?
** Branch linked: lp:mailman/2.1
** Changed in: mailman Status: Triaged => Fix Committed
We are concerned about a domain which has multiple v=DMARC1 TXT records. This is exactly the case that item 5 addresses. I.e. a domain which publishes multiple _dmarc TXT records with v=DMARC1 is treated as publishing no policy.
I guess RFC 7489 is just not clear to me that item #5 applies if item 3 contains more than 1 v=DMARC1 record. I say this because items 2 and 4 are identical, and to me that signifies that the items are a logical path, not a list of mandatory principles.
That said, to err on the side of common sense makes good sense; otherwise we'd have to choose which v=DMARC1 record to honor.
The items are steps in a process, not an unordered list of rules.
Step 3 says, "If there are no DMARC records for the domain, check the organizational domain if different." Thus, step 4 is saying discard any non-v=DMARC1 records from the organizational domain.
If the From: domain has any v=DMARC1 records, we skip step 3, step 4 is moot because of step 2, and we get to step 5.
If the From: domain has no v=DMARC1 records, we check the organizational domain if different per step 3 and then we get to steps 4 and 5.
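The step sequence described above, written out as an added example (this is not Mailman's code and not taken from the bug's branch). It walks RFC 7489 section 6.6.3 steps 1 through 6 over a constructed TXT table standing in for DNS, so the step-5 outcome for a domain with two v=DMARC1 records can be seen beside the organizational-domain fallback of steps 3 and 4. The FAKE_DNS table, lookup_txt(), and the two-label organizational_domain() (a stand-in for a Public Suffix List lookup) are assumptions made for the example; the sp-tag override and the step-6 rua fallback go slightly beyond what the thread discusses but follow the same section of the RFC.

```python
"""DMARC policy discovery following the six steps of RFC 7489 section 6.6.3.

Added example, not code from Mailman. Assumptions: DNS answers come from the
constructed FAKE_DNS table instead of a resolver, every TXT record is already
one string (real TXT answers may arrive as several strings to concatenate),
and organizational_domain() is a simplified stand-in for a Public Suffix
List lookup.
"""

VALID_POLICIES = ("none", "quarantine", "reject")

# Constructed TXT answers keyed by query name (not real DNS data).
FAKE_DNS = {
    "_dmarc.single.example": ["v=DMARC1; p=reject; rua=mailto:d@single.example"],
    # The case from the bug report: two v=DMARC1 records for one domain.
    "_dmarc.multi.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    # Non-DMARC TXT records are discarded (step 2) before counting.
    "_dmarc.mixed.example": ["v=spf1 -all", "v=DMARC1; p=quarantine"],
    "_dmarc.example.net": ["v=DMARC1; p=quarantine"],
    "_dmarc.spf.example.net": ["v=spf1 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; sp=none"],
    "_dmarc.noprec.example": ["v=DMARC1; rua=mailto:agg@noprec.example"],
    "_dmarc.badp.example": ["v=DMARC1; p=bogus"],
}


def lookup_txt(name):
    """Stand-in for a TXT query; returns the list of records for name."""
    return FAKE_DNS.get(name.lower(), [])


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels (assumption;
    real code must consult the Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else ".".join(labels)


def parse_tags(record):
    """Split 'k=v; k=v' into a dict; tag names are lowercased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_dmarc_record(record):
    """A DMARC record starts with the v tag and its value is exactly DMARC1."""
    first = record.split(";", 1)[0]
    if "=" not in first:
        return False
    key, value = first.split("=", 1)
    return key.strip().lower() == "v" and value.strip() == "DMARC1"


def discover_policy(from_domain):
    """Return (policy_domain, policy), or (None, None) when no DMARC policy
    applies to mail from from_domain."""
    from_domain = from_domain.lower().rstrip(".")
    # Steps 1 and 2: query _dmarc.<From: domain>, keep only DMARC records.
    records = [r for r in lookup_txt("_dmarc." + from_domain) if is_dmarc_record(r)]
    policy_domain = from_domain
    if not records:
        # Steps 3 and 4: nothing usable at the From: domain, so query the
        # organizational domain if it differs, again discarding non-DMARC TXT.
        org = organizational_domain(from_domain)
        if org != from_domain:
            records = [r for r in lookup_txt("_dmarc." + org) if is_dmarc_record(r)]
            policy_domain = org
    # Step 5: zero or multiple records means policy discovery terminates.
    if len(records) != 1:
        return None, None
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        # Step 6: no valid p tag. Act as if p=none when a reporting URI is
        # present (crude mailto: check here), otherwise apply no processing.
        if tags.get("rua", "").startswith("mailto:"):
            return policy_domain, "none"
        return None, None
    # A record found at the organizational domain may carry an sp tag that
    # overrides p for subdomains.
    if policy_domain != from_domain and tags.get("sp", "").lower() in VALID_POLICIES:
        policy = tags["sp"].lower()
    return policy_domain, policy


def needs_from_mitigation(from_domain):
    """The check a list server makes: mitigate only for reject or quarantine."""
    return discover_policy(from_domain)[1] in ("reject", "quarantine")


if __name__ == "__main__":
    for d in ("single.example", "multi.example", "mixed.example",
              "spf.example.net", "sub.example.org", "noprec.example",
              "badp.example", "nothing.example"):
        print("%-18s -> %s" % (d, discover_policy(d)))
```

multi.example is the bug's situation: both records pass step 2, step 3 is skipped because the set is not empty, and step 5 then ends discovery, so needs_from_mitigation() returns False for it even though one of the two records says p=reject.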
RFCs should really include logic trees. Thanks Mark.
** Changed in: mailman Status: Fix Committed => Fix Released