This wizard helps prepare the DMARC and ATPS zone records for authorizing 1st and 3rd party DKIM signers. It also allows you test it against various signer domains. Read Description Below
|AUTHOR-DOMAIN||The domain part of the email message From: header field|
|SIGNER-DOMAIN||The domain in the DKIM-Signature d= tag is the responsible signer of the message.|
|1st Party Signature||This is when the AUTHOR-DOMAIN and SIGNER-DOMAIN are the same.|
|3rd Party Signature||This is when the AUTHOR-DOMAIN and SIGNER-DOMAIN are NOT the same.|
DMARC is a policy layer for DKIM. It is an optional protocol to help protect domain signers against unauthorized signing (spoofing and phishing).
The following IETF documents provide the details:
New extensions to DMARC offers a way to authorized third party signatures. The ATPS proposal adds an optional tag to the DMARC record called "atps=y". If set, then additional TXT records per signer can be checked for authorization. The ASL proposal combines a simple lite weight method to define a small list of authorized signers in a DMARC record tag called "asl=".
Example DMARC records: #1 _dmarc.example.com = v=dmarc1; p=reject" #2 _dmarc.example.com = v=dmarc1; p=reject; asl=gmail.com;" #3 _dmarc.example.com = v=dmarc1; p=reject; atps=y asl=gmail.com;"
In example #1, there is no third party authorization preparation. Only example.com can sign its own mail.
In example #2, example.com is declaring only itself and gmail.com can sign mail on its behalf.
In example #3, example.com is declaring only itself and gmail.com can sign mail on its behalf. However, with atps=y set, other third party signers may be authorized using DNS TXT "_atps" subdomain records using a special hashing method to prepare the sub-domain record:
The SIGNER-DOMAIN is obtain from the DKIM-Signature d= tag value.
This wizard helps prepare the ZONE record for all the ASL/ATPS options. It also allows you test it against various signer domains. The two proposed changes to ATPS:
[_] Add ATPS record value with domain name [_] Support ATPS Sub Domains Lookups
The first one is designed to help with manual editing of zone files to help associate the signer domain ATPS hashes.
The second option allows you to create a single ATPS record for the originating domain sub-domains using a wildcard hashing of the author-domain, i.e. *.example.com.
The ASL draft is still under construction. The following are the steps the DMARC ASL/ATPS verifier will perform:
1) Obtain the AUTHOR-DOMAIN and perform TXT query the DMARC record to obtain the value.: _dmarc.AUTHOR-DOMAIN 2) If no DMARC record is found (NXDOMAIN), return DMARC=NONE 3) Obtain the SIGNER-DOMAIN and compare with the AUTHOR-DOMAIN If the two domains are the same, return DMARC=PASS, otherwise continue with third party authorization checking. 4) If an asl= tag is present, check the SIGNER-DOMAIN within the asl= list of domains. If SIGNER-DOMAIN is found in the asl= list, return DMARC=PASS 5) If an atps=y tag is present, perform the steps as outlined in [ATPS] 6) return DMARC=FAIL