DMARC lookup should follow RFC 7489 / RFC 9091 fallback behavior #98

Closed
opened 2026-05-18 05:29:35 +00:00 by nemunaire · 0 comments
Owner

Problem

The current DMARC validation logic only checks:

_dmarc.<exact-from-domain>

Example:

From: user@foo.bar.example.com

Current lookup:

_dmarc.foo.bar.example.com

If no record exists, the software stops the evaluation and reports that no DMARC policy is present.

This behavior is incorrect according to RFC 7489.


Expected behavior

DMARC lookup must fall back to the Organizational Domain when no DMARC record exists on the exact domain.

For:

foo.bar.example.com

the lookup flow should be:

_dmarc.foo.bar.example.com

if absent:

_dmarc.example.com

where example.com is the Organizational Domain determined using the Public Suffix List (PSL).

The lookup must NOT recursively test intermediate subdomains such as:

_dmarc.bar.example.com

RFC 9091 support (PSD DMARC)

Optionally, when implementing RFC 9091 support, an additional fallback may be performed to the Public Suffix Domain (PSD).

Example:

_dmarc.com

This lookup should only happen:

  • if RFC 9091 support is enabled
  • if the receiver implements PSD DMARC
  • and if the PSD record explicitly contains:
psd=y

Expected flow with RFC 9091:

_dmarc.foo.bar.example.com
↓
_dmarc.example.com
↓
_dmarc.com

References

  • RFC 7489: DMARC
  • RFC 9091: PSD DMARC Extension
  • Public Suffix List (PSL)
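The lookup order requested in this issue, as an added Go example (not happyDeliver's own code). The names `discover`, `splitPSL`, `publicSuffixes` and `zone` are hypothetical, and the suffix set and TXT records are constructed stand-ins for the real PSL and for DNS.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed stand-ins for the Public Suffix List and for DNS TXT answers; not real data.
var publicSuffixes = map[string]bool{"com": true, "co.uk": true, "uk": true}
var zone = map[string][]string{
	"_dmarc.example.com": {"v=DMARC1; p=reject"},
	"_dmarc.com":         {"v=DMARC1; p=none; psd=y"},
}

// splitPSL returns the Organizational Domain (longest public suffix plus one label) and that suffix.
func splitPSL(d string) (org, psd string, ok bool) {
	labels := strings.Split(d, ".")
	for i := 1; i < len(labels); i++ { // longest candidate suffix is tried first
		if s := strings.Join(labels[i:], "."); publicSuffixes[s] {
			return strings.Join(labels[i-1:], "."), s, !publicSuffixes[d]
		}
	}
	return "", "", false // no known suffix: no fallback is possible
}

// discover returns the names queried, in order, and the first usable DMARC record.
func discover(from string, psdEnabled bool, txt func(string) []string) (queried []string, rec string) {
	from = strings.ToLower(strings.TrimSuffix(from, "."))
	find := func(d string, needPSD bool) bool {
		queried = append(queried, "_dmarc."+d)
		for _, r := range txt("_dmarc." + d) {
			tags := strings.ReplaceAll(r, " ", "")
			if strings.HasPrefix(tags, "v=DMARC1") && (!needPSD || strings.Contains(tags+";", ";psd=y;")) {
				rec = r
				return true
			}
		}
		return false
	}
	org, psd, ok := splitPSL(from)
	// Exact domain, then the Organizational Domain; intermediate labels are never queried.
	if find(from, false) || !ok || (org != from && find(org, false)) || !psdEnabled {
		return
	}
	find(psd, true) // PSD fallback: only when enabled, and only a record carrying psd=y counts
	return
}

func main() {
	fmt.Println(discover("foo.bar.example.com", true, func(n string) []string { return zone[n] }))
}
```
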
Reference
happyDomain/happyDeliver#98