If a domain has strict alignment configured and a message's MAIL FROM or DKIM signature is from a subdomain, the alignment check will pass although it should not.
Example: From: test@inside.com, strict alignment, send a message from MAIL FROM: test@subdomain.inside.com. If SPF checks pass, the message will pass alignment checks.
Per the RFC:
    For example, if a message passes an SPF check with an RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address portion of the RFC5322.From field contains "payments@example.com", the Authenticated RFC5321.MailFrom domain identifier and the RFC5322.From domain are considered to be "in alignment" in relaxed mode, but not in strict mode.
This appears to occur in the opendmarc_policy_check_alignment call: in this scenario the from_domain is really the tld and the spf_domain/dkim_domain is the subdomain, meaning they are provided in a different order than expected. Because of this the subdomain (provided as the tld) will be used for the opendmarc_get_tld call, resulting in a match occurring.
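As an added illustration (not OpenDMARC's code), the following C sketch implements the two alignment modes from RFC 7489 section 3.1 and runs the report's case and the RFC's case through them; it simplifies the organizational-domain lookup to the last two labels, which is an assumption made for the example only.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Organizational domain, simplified for this example to the last two labels
 * ("cbg.bounces.example.com" -> "example.com"). A real implementation
 * consults the Public Suffix List so suffixes such as "co.uk" are handled. */
static const char *org_domain(const char *domain)
{
    const char *last_dot = strrchr(domain, '.');
    if (last_dot == NULL)
        return domain;                 /* single label: nothing to strip */
    const char *p = last_dot;
    while (p > domain && p[-1] != '.')
        p--;                           /* back up over the second-to-last label */
    return p;
}

/* DMARC identifier alignment (RFC 7489 section 3.1). In strict mode the
 * authenticated domain (SPF MAIL FROM or DKIM d=) must equal the From
 * domain exactly; in relaxed mode the organizational domains must match.
 * Both comparisons are symmetric, so a correct check gives the same answer
 * whichever order the two domains are passed in. */
int dmarc_aligned(const char *from_domain, const char *auth_domain, int strict)
{
    if (strict)
        return strcasecmp(from_domain, auth_domain) == 0;
    return strcasecmp(org_domain(from_domain), org_domain(auth_domain)) == 0;
}

int main(void)
{
    /* Constructed cases: the report's example and the RFC's example. */
    const char *cases[][2] = {
        { "inside.com",  "subdomain.inside.com" },
        { "example.com", "cbg.bounces.example.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("From %s, authenticated %s: strict=%s relaxed=%s\n",
               cases[i][0], cases[i][1],
               dmarc_aligned(cases[i][0], cases[i][1], 1) ? "pass" : "fail",
               dmarc_aligned(cases[i][0], cases[i][1], 0) ? "pass" : "fail");
    return 0;
}
```

Both cases print strict=fail relaxed=pass, which is the behaviour the report expects from strict mode.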
We have also encountered this problem.
It is a problem in the library; it can be proven with the tests in file
libopendmarc/tests/test_alignment.c, which all fail.