Opened 4 years ago

Last modified 14 months ago

#2 new defect

Flow of operations text in dmarc-base

Reported by: superuser@…
Owned by:
Priority: major
Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-future-notes
Version:
Severity: -
Keywords:
Cc:

Description

To: dmarc@…
From: Anne Bennett <anne@…>
Date: Fri, 16 Jan 2015 19:26:41 -0500
Subject: [dmarc-ietf] Flow of operations text in -12

In draft 12, Section "4.3 Flow Diagram", we have text which
I think is somewhat contradicted by text in the later and
more detailed "6.6. Mail Receiver Actions", in particular
with respect to parallelizing some of the checks, and there's
another small problem with the text as well. Quoting 4.3:

  1. Recipient delivery service conducts SPF and DKIM authentication checks by passing the necessary data to their respective modules, each of which require queries to the Author Domain's DNS data (when identifiers are aligned; see below).

... but the "Author Domain" (based on RFC5322.From) is not
necessarily the domain that will be queried by SPF and DKIM
checks, and we won't know if identifiers are aligned until we
look at the results of:

  1. The results of these are passed to the DMARC module along with the Author's domain. The DMARC module attempts to retrieve a policy from the DNS for that domain. If none is found, the DMARC module determines the Organizational Domain and repeats the attempt to retrieve a policy from the DNS. (This is described in further detail in Section 6.6.3.)

"6.6.2" shows clearly that the SPF check (with its DNS queries),
the DKIM checks (with their DNS queries), and the DMARC policy
determination (with its DNS queries) can be done in parallel, and
their results combined when all have arrived, and I imagine that
will turn out to be the best way to do it.

So 4.2 could perhaps be modified:

  1. Recipient delivery service conducts SPF and DKIM authentication checks by passing the necessary data to their respective modules, each of which require queries to DNS data. The results of these checks are passed back to the DMARC module.
  1. Meanwhile, the DMARC module attempts to retrieve a policy from the DNS for that domain. If none is found, the DMARC module determines the Organizational Domain and repeats the attempt to retrieve a policy from the DNS. (This is described in further detail in Section 6.6.3.)
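
The flow this ticket discusses, as an added sketch that is not part of the original message or of the DMARC draft: SPF, DKIM and DMARC policy discovery run concurrently, and alignment is decided only when their results are combined. The TXT zone, the public-suffix set, the stubbed SPF/DKIM results and all function names are constructed assumptions; only relaxed alignment is modelled.

```python
import asyncio

# Constructed sample data: a toy TXT zone and a tiny public-suffix set.
TXT = {"_dmarc.example.com": "v=DMARC1; p=reject"}
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}
QUERIED = []  # names asked of the toy "DNS", for inspection

async def query_txt(name):
    QUERIED.append(name)
    await asyncio.sleep(0)  # stands in for a DNS round trip
    return TXT.get(name)

def org_domain(domain):
    """Simplified Organizational Domain: public suffix plus one label."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

async def spf_check(mail_from_domain, result):
    await asyncio.sleep(0)  # stub: real SPF queries the RFC5321.MailFrom domain
    return {"method": "spf", "domain": mail_from_domain, "result": result}

async def dkim_check(signatures):
    await asyncio.sleep(0)  # stub: real DKIM queries each signature's d= domain
    return [{"method": "dkim", "domain": d, "result": r} for d, r in signatures]

async def discover_policy(author_domain):
    record = await query_txt("_dmarc." + author_domain)
    org = org_domain(author_domain)
    if record is None and org != author_domain:
        record = await query_txt("_dmarc." + org)  # Organizational Domain retry
    return record

async def evaluate(author_domain, spf_input, signatures):
    # None of the three needs another's output, so they run concurrently.
    spf, dkim, policy = await asyncio.gather(
        spf_check(*spf_input), dkim_check(signatures),
        discover_policy(author_domain))
    # Alignment is decided only here, once all results are in (relaxed mode).
    org = org_domain(author_domain)
    aligned = [r["method"] for r in [spf] + dkim
               if r["result"] == "pass" and org_domain(r["domain"]) == org]
    return {"policy": policy, "aligned": aligned, "dmarc_pass": bool(aligned)}

def run(author_domain, spf_input, signatures):
    return asyncio.run(evaluate(author_domain, spf_input, signatures))
```

Calling `run("news.example.com", ("bounce.esp-mail.org", "pass"), [("example.com", "pass")])` shows an SPF pass for an unrelated domain contributing nothing, while the aligned DKIM signature carries the DMARC result.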

Change History (1)

comment:1 Changed 14 months ago by kboth+ietf@…

  • Component set to dmarc-future-notes