[Bug 1549420] Re: DMARC munging fails on subdomains that use parent domain policy

Mark Sapiro mark at msapiro.net
Thu Feb 25 22:33:15 EST 2016


RFC 7489 is pretty clear.

Sec 6.6.2 gives the first 2 steps as:

   1.  Extract the RFC5322.From domain from the message (as above).

   2.  Query the DNS for a DMARC policy record.  Continue if one is
       found, or terminate DMARC evaluation otherwise.  See
       Section 6.6.3 for details.

and 6.6.3 gives the first 3 steps as:

   1.  Mail Receivers MUST query the DNS for a DMARC TXT record at the
       DNS domain matching the one found in the RFC5322.From domain in
       the message.  A possibly empty set of records is returned.

   2.  Records that do not start with a "v=" tag that identifies the
       current version of DMARC are discarded.

   3.  If the set is now empty, the Mail Receiver MUST query the DNS for
       a DMARC TXT record at the DNS domain matching the Organizational
       Domain in place of the RFC5322.From domain in the message (if
       different).  This record can contain policy to be asserted for
       subdomains of the Organizational Domain.  A possibly empty set of
       records is returned.

I.e., if the From: domain doesn't have a valid DMARC policy record, you
MUST query the Organizational Domain.

All of this occurs before any DKIM and SPF checks which are steps 3 and
4 of the sec 6.6.2 procedure.

I have refactored the fix to use the data from
https://publicsuffix.org/list/public_suffix_list.dat and apply the
algorithm described at https://publicsuffix.org/list/ to determine the
organizational domain and to query that in cases where the From: domain
has no DMARC record and the computed organizational domain is different.

The refactored fix will read the data only once after Mailman is
(re)started and build a dictionary kept in global memory to use in
implementing the algorithm. See
http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1620
for the original fix and
http://bazaar.launchpad.net/~mailman-coders/mailman/2.1/revision/1621
for the refactoring.

-- 
You received this bug notification because you are a member of Mailman
Coders, which is subscribed to GNU Mailman.
https://bugs.launchpad.net/bugs/1549420

Title:
  DMARC munging fails on subdomains that use parent domain policy

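The two pieces the message describes, as an added Python 3 example that is not Mailman's code: the Public Suffix List matching algorithm from https://publicsuffix.org/list/ used to compute the Organizational Domain, and the RFC 7489 section 6.6.3 lookup order (From: domain first, then the Organizational Domain when no valid record is found, with the sp tag governing subdomains). The PSL excerpt, the TXT records in the DNS table and all function names are constructed for the example; a real implementation reads public_suffix_list.dat and queries DNS, and the finer record-validation rules of step 6 are left out.

```python
"""Added example (not Mailman's code): Organizational Domain via the Public
Suffix List algorithm (https://publicsuffix.org/list/) and the DMARC policy
lookup order of RFC 7489 section 6.6.3.  The PSL excerpt, the DNS table and
all names here are constructed for illustration."""
import re

# Constructed excerpt in the format of public_suffix_list.dat ('//' comments,
# '*' wildcard rules, '!' exception rules).
PSL_TEXT = """\
// ===BEGIN ICANN DOMAINS===
com
net
uk
co.uk
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
blogspot.com
// ===END PRIVATE DOMAINS===
"""


def parse_psl(text):
    """Build the rule table once: {label tuple: is_exception}."""
    rules = {}
    for line in text.splitlines():
        line = line.strip().split(" ")[0]
        if not line or line.startswith("//"):
            continue
        exception = line.startswith("!")
        rule = line[1:] if exception else line
        rules[tuple(rule.lower().split("."))] = exception
    return rules


RULES = parse_psl(PSL_TEXT)


def _matches(rule, labels):
    """PSL matching: compare right to left; each rule label must equal the
    domain label or be '*'.  The domain may carry extra labels on the left."""
    if len(rule) > len(labels):
        return False
    return all(r in ("*", d) for r, d in zip(reversed(rule), reversed(labels)))


def public_suffix(domain, rules=RULES):
    labels = domain.lower().rstrip(".").split(".")
    matching = [r for r in rules if _matches(r, labels)]
    exceptions = [r for r in matching if rules[r]]
    if exceptions:
        prevailing = max(exceptions, key=len)[1:]   # exception wins; drop leftmost label
    elif matching:
        prevailing = max(matching, key=len)         # otherwise the rule with most labels
    else:
        prevailing = ("*",)                         # no match: the implicit '*' rule
    return ".".join(labels[-len(prevailing):])


def organizational_domain(domain, rules=RULES):
    """Public suffix plus one label; None if the domain is itself a public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    n = len(public_suffix(domain, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None


# Constructed TXT records: example.com covers its subdomains via 'sp';
# lists.example.com has a TXT record that is not a DMARC record.
DNS = {
    "_dmarc.example.com": ["v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"],
    "_dmarc.lists.example.com": ["some-other-txt=1"],
    "_dmarc.example.co.uk": ["v=DMARC1; p=none"],
}

# 6.6.3 steps 2/4: only records whose first tag is v=DMARC1 are DMARC records.
_V_TAG = re.compile(r"^\s*v\s*=\s*DMARC1\s*(;|$)", re.IGNORECASE)


def dmarc_records(name, dns=DNS):
    return [r for r in dns.get("_dmarc." + name, []) if _V_TAG.match(r)]


def parse_tags(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip().lower()
    return tags


def dmarc_policy(from_domain, dns=DNS, rules=RULES):
    """Policy discovery for the RFC5322.From domain.  Returns (policy, domain
    the record was found at) or (None, None) when DMARC is not applied.
    Steps 1-3 and 5 of section 6.6.3; the syntax checks of step 6 are
    omitted, so a record without a 'p' tag is simply ignored here."""
    from_domain = from_domain.lower().rstrip(".")
    used, records = from_domain, dmarc_records(from_domain, dns)
    if not records:                          # step 3: fall back to the Organizational Domain
        org = organizational_domain(from_domain, rules)
        if org is None or org == from_domain:
            return None, None
        used, records = org, dmarc_records(org, dns)
    if len(records) != 1:                    # step 5: none or several records -> no DMARC
        return None, None
    tags = parse_tags(records[0])
    if "p" not in tags:
        return None, None
    # Section 6.3: 'sp' governs subdomains when the record came from the
    # Organizational Domain; without 'sp', 'p' applies to subdomains too.
    if used != from_domain and "sp" in tags:
        return tags["sp"], used
    return tags["p"], used


if __name__ == "__main__":
    for d in ("lists.example.com", "example.com", "sub.example.co.uk", "ab.ck"):
        print(d, organizational_domain(d), dmarc_policy(d))
```

Note the two cases that matter for the bug: lists.example.com has a TXT record at _dmarc but not a DMARC one, so the lookup must continue to example.com and apply sp=quarantine rather than p=reject; ab.ck is itself a public suffix under the *.ck rule, so no Organizational Domain exists and DMARC is not applied.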

