Problem Statement - The current Tracker implementation needs to be updated to recognize email security implementations that rely on hierarchical protection through parent domains and wildcards. Specifically, it should acknowledge that:
- Parent domain DMARC policies with sp=reject protect all subdomains without requiring explicit DMARC records at each level
- CNAME subdomains cannot have their own email security records, because a DNS name that holds a CNAME record cannot hold any other record type
- Wildcard DNS records can efficiently provide SPF and MX protection for multiple subdomains
Current Impact - Organizations implementing email security controls face challenges demonstrating compliance because Tracker expects individual records at each subdomain level. This creates several issues:
- False non-compliance flags for CNAME subdomains that are actually protected by parent policies
- Unnecessary administrative overhead from documenting individual subdomain protections
- Confusion about whether explicit DMARC records are needed for each subdomain
- Potential misunderstanding of protection status when wildcard records are used
Real-World Example - Consider the subdomain sbs-spe.feddevontario.canada.ca which uses a CNAME record for service delivery. While this subdomain is protected from email spoofing through its parent domain's DMARC policy (using the sp tag), Tracker still reports it as non-compliant because it cannot have its own direct MX, SPF, and DMARC records.
Proposed Solution - Enhance Tracker to recognize and validate hierarchical email security protection through these components:
- DMARC Inheritance Recognition:
  - Validate parent domain DMARC records
  - Check for sp=reject tag at organizational domain level
  - Consider subdomains compliant for DMARC when protected by parent policy
  - Document the inheritance chain for audit purposes
- CNAME Handling:
  - Detect CNAME records at subdomain level
  - Verify protection through parent domain DMARC policy
  - Remove expectations for direct email security records on CNAME subdomains
  - Show inheritance of protection in reporting
- Wildcard Protection Validation:
  - Detect and validate wildcard SPF and MX records
  - Map wildcard coverage to specific subdomains
  - Verify proper null MX configurations for non-mail domains
  - Document wildcard protection scope
- Compliance Status Updates:
  - Create a new compliance status category "Protected by Parent DMARC"
  - Update compliance evaluation logic to mark CNAME subdomains as compliant when:
    - The subdomain has a valid CNAME record
    - The parent domain has a DMARC record with sp=reject
    - The parent domain has appropriate MX and SPF records
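To make the proposed evaluation concrete, the following is an added example, not Tracker's own code, that implements the checks listed above against a constructed in-memory zone: DMARC policy discovery as receivers perform it per RFC 7489 section 6.6.3 (the subdomain's own `_dmarc` record first, otherwise the organizational domain's record, whose `sp=` tag, or `p=` when `sp=` is absent, governs subdomains), CNAME detection with MX and SPF judged at the organizational domain instead, wildcard synthesis per RFC 4592, a null MX check, and an audit chain recording which owner name supplied each protection. All domain names, records and the public-suffix stand-in are hypothetical. Two points the code enforces that the list above leaves implicit: receivers consult only the exact name and the organizational domain (derived from the Public Suffix List) during discovery, so the "parent" whose `sp=` is relied on must be the organizational domain; and because a CNAME'd subdomain exists as a name, a wildcard at the parent does not answer for names beneath it, while a wildcard TXT at the parent does answer `_dmarc.` queries for non-existent names, which is why the version tag is checked before a TXT record is treated as DMARC.

```python
"""Hypothetical hierarchical email-security evaluator (added example, not Tracker code).
DMARC discovery: RFC 7489 s.6.6.3. Wildcards: RFC 4592 closest encloser.
A CNAME owner name cannot hold MX/TXT: RFC 1034 s.3.6.2. All data below is constructed."""

# Constructed zone: owner name -> {rrtype: [rdata, ...]}. Not live DNS data.
ZONE = {
    "agency.example": {"MX": ["10 mail.agency.example."], "TXT": ["v=spf1 mx -all"]},
    "_dmarc.agency.example": {"TXT": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@agency.example"]},
    "svc.agency.example": {"CNAME": ["svc.hosting.example."]},   # delivered via CNAME, no MX/TXT possible
    "*.agency.example": {"MX": ["0 ."], "TXT": ["v=spf1 -all"]},   # null MX + SPF for non-existent names
    "legacy.agency.example": {"MX": ["10 mail.agency.example."], "TXT": ["v=spf1 mx -all"]},
    "_dmarc.legacy.agency.example": {"TXT": ["v=DMARC1; p=none"]},  # own record overrides the org policy
}
PUBLIC_SUFFIXES = {"example"}  # constructed stand-in for the Public Suffix List


def _exists(name):
    """A name exists if it owns records or is an ancestor of one (empty non-terminal)."""
    return any(k == name or k.endswith("." + name) for k in ZONE)


def lookup(name, rtype, _depth=0):
    """Return (rdata list, answering owner name). Follows CNAME chains; synthesises a wildcard
    answer only when `name` does not exist and '*.<closest encloser>' is present."""
    if _depth > 8:
        raise RuntimeError("CNAME chain too long at " + name)
    owner, rrset = name, ZONE.get(name)
    if rrset is None and not _exists(name):
        labels = name.split(".")
        for i in range(1, len(labels)):
            encloser = ".".join(labels[i:])
            if _exists(encloser):
                owner, rrset = "*." + encloser, ZONE.get("*." + encloser)
                break
    if not rrset:
        return [], None
    if rtype in rrset:
        return list(rrset[rtype]), owner
    if "CNAME" in rrset:
        return lookup(rrset["CNAME"][0].rstrip("."), rtype, _depth + 1)
    return [], None


def organizational_domain(name):
    """Organizational domain: one label below the longest matching public suffix."""
    labels = name.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return name


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; sp=none' into a lowercase-keyed tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain):
    """Policy discovery: (effective policy, record owner) or (None, None). The subdomain's own
    record wins; otherwise the organizational record's sp= (fallback p=) applies to it."""
    for candidate, is_org in ((domain, False), (organizational_domain(domain), True)):
        if is_org and candidate == domain:
            break
        for txt in lookup("_dmarc." + candidate, "TXT")[0]:
            tags = parse_dmarc(txt)
            # A wildcard SPF TXT also answers _dmarc.* queries, so insist on the version tag.
            if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
                continue
            policy = tags.get("sp", tags["p"]) if is_org else tags["p"]
            return policy.lower(), "_dmarc." + candidate
    return None, None


def assess(domain):
    """Status: compliant | protected-by-parent-dmarc | non-compliant, plus reasons and audit chain."""
    policy, source = dmarc_policy(domain)
    is_cname = "CNAME" in ZONE.get(domain, {})
    # A CNAME owner cannot hold MX/TXT, so judge the organizational domain's records instead.
    target = organizational_domain(domain) if is_cname else domain
    mx, mx_owner = lookup(target, "MX")
    txt, txt_owner = lookup(target, "TXT")
    spf = [t for t in txt if t.lower().startswith("v=spf1")]
    reasons = []
    if policy != "reject":
        reasons.append(f"effective DMARC policy is {policy or 'missing'}")
    if not mx:
        reasons.append(f"no MX or null MX at {target}")
    if not spf:
        reasons.append(f"no SPF record at {target}")
    chain = {"cname": is_cname, "dmarc": source, "mx": mx_owner if mx else None,
             "spf": txt_owner if spf else None, "null_mx": mx == ["0 ."]}
    if reasons:
        status = "non-compliant"
    elif source == "_dmarc." + domain:
        status = "compliant"
    else:
        status = "protected-by-parent-dmarc"
    return {"domain": domain, "status": status, "reasons": reasons, "chain": chain}
```

Running `assess` over the four constructed names gives `agency.example` as compliant on its own records, `svc.agency.example` (the CNAME) and `random.agency.example` (covered only by the wildcard) as protected-by-parent-dmarc with the chain naming `_dmarc.agency.example` and, for the latter, `*.agency.example` as the MX and SPF source with `null_mx` set, and `legacy.agency.example` as non-compliant because its own `p=none` record overrides the organizational `sp=reject`.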