#150 organizational domain checking?
Hi,
I am really in the dark about the following lines in a mail that I received, and that was processed with opendmarc v1.3.1:
Authentication-Results: XXXXXXXXXX; dmarc=none header.from=e.paypal.nl
Authentication-Results: XXXXXXXXXX;
dkim=pass (1024-bit key; secure) header.d=e.paypal.nl header.i=@e.paypal.nl header.b=vTFLcOyK;
dkim-atps=neutral
I am puzzled about the "dmarc=none" result, because (i) there appears to be aligment between the signing dkim domain, and the From: header domain; both read "e.paypal.nl", and (ii) Paypal publishes a DMARC record that reads:
_dmarc.paypal.nl. 300 IN TXT "v=DMARC1\; p=reject\; rua=mailto:d@rua.agari.com\; ruf=mailto:dk@bounce.paypal.com,mailto:d@ruf.agari.com"
Based on by RFC 7489 (DMARC), 6.6.3 (Policy Discovery), I would expect opendmarc to query the DNS for a DMARC TXT record at the DNS domain matching the Organizational Domain (i.e. paypal.nl) in place of the RFC5322.From domain in the message (i.e. e.paypal.nl), and thus to find the above record. The above record does not specify a dkim alignment mode (adkim=), but the default should be 'r' (relaxed), as a result of which I would expect the record to be applicable, and the dmarc authentication result in the above AR-header to read "dmarc=pass".
Can somebody please enlighten me by pointing out the error in my reasoning, or is this perhaps a bug?
Best regards,
Alexander
Hello,
if you want opendmarc to check Organizational Domains policy you need to use PublicSuffixList, which you can download here: https://publicsuffix.org/list/public_suffix_list.dat .
opendmarc.conf documentation:
PublicSuffixList (string)
Specifies the path to a file that contains top-level domains (TLDs) that will be used to compute the Organizational Domain for a given domain name, as described in the DMARC specification. If not provided, the filter will not be able to determine the Organizational Domain and only the presented domain will be evaluated.
If you are already using the list then I dont know whats wrong.
Btw there is probably a bug when using the list opendmarc isnt respecting the subdomain policy (https://sourceforge.net/p/opendmarc/tickets/149/).
Best regards
Petr
Hi Petr,
Thanks a lot for your clarification! I missed the PublicSuffixList option in the documentation.
Best regards,
Alexander
P.S. ...and in hindsight, I guess the phrase "The above record does not specify a dkim alignment mode (adkim=), but the default should be 'r' (relaxed), as a result of which I would expect the record to be applicable," in my initial question is probably better ignored. Don't know what I was thinking in that moment of confusion and despair : )
Last edit: Alexander 2016-01-31