From 3bd7ffe576c251e53084c932c3de08c1e61ddec6 Mon Sep 17 00:00:00 2001
From: WhiteAnthrax <1537426+WhiteAnthrax@users.noreply.github.com>
Date: Wed, 30 Oct 2024 18:07:28 +0900
Subject: [PATCH] Fix DMARC strict alignment check according to RFC 7489
---
 libopendmarc/opendmarc_policy.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/libopendmarc/opendmarc_policy.c b/libopendmarc/opendmarc_policy.c
index 32053db..a860e94 100644
--- a/libopendmarc/opendmarc_policy.c
+++ b/libopendmarc/opendmarc_policy.c
@@ -307,6 +307,16 @@ opendmarc_policy_check_alignment(u_char *subdomain, u_char *tld, int mode)
 if (strcasecmp(rev_tld, rev_sub) == 0)
 return 0;
 
+ /*
+ * For strict mode, only exact matches are allowed
+ * as per RFC 7489 Section 3.1.1 and 3.1.2
+ */
+ if (mode == DMARC_RECORD_A_STRICT)
+ return -1;
+
+ /*
+ * For relaxed mode, check if domain or subdomain matches
+ */
 ret = strncasecmp(rev_tld, rev_sub, strlen(rev_tld));
 if (ret == 0 && mode == DMARC_RECORD_A_RELAXED)
 return 0;
@@ -324,12 +334,7 @@ opendmarc_policy_check_alignment(u_char *subdomain, u_char *tld, int mode)
 if (*ep != '.')
 (void) strlcat((char *)rev_tld, ".", sizeof rev_tld);
 
- /*
- * Perfect match is aligned irrespective of relaxed or strict.
- */
- if (strcasecmp(rev_tld, rev_sub) == 0)
- return 0;
-
+ /* Check organizational domain match for relaxed mode */
 ret = strncasecmp(rev_tld, rev_sub, strlen(rev_tld));
 if (ret == 0 && mode == DMARC_RECORD_A_RELAXED)
 return 0;
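Review bot: In the first hunk (`@@ -307,6 +307,16 @@`) the new guard returns only when `mode == DMARC_RECORD_A_STRICT`, while every relaxed test visible in both hunks requires `mode == DMARC_RECORD_A_RELAXED`, so any third value falls through all of them. Before this commit such a value could still align on the mode-independent exact match that the second hunk removes; now its result depends on code past the end of the hunk, presumably a failing return. RFC 7489 treats an absent adkim/aspf tag as relaxed, so it is worth confirming that callers never pass an unspecified mode here, or making the fail-closed intent explicit with `if (mode != DMARC_RECORD_A_RELAXED) return -1;`. The function body starts before and ends after both hunks.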
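Review bot: Nothing in this commit pins the new strict behaviour: the diffstat lists only `libopendmarc/opendmarc_policy.c`, and the block removed in the second hunk (`@@ -324,12 +334,7 @@`) is the one that returned 0 in any mode on what the new comment calls the organizational domain match. A regression case would keep that path from coming back, for example with constructed names: `mail.example.com` against `example.com` must be non-zero under `DMARC_RECORD_A_STRICT` and 0 under `DMARC_RECORD_A_RELAXED`, and identical names must be 0 under both. Relaxed results should be unchanged by the removal, since an exact match also satisfies the `strncasecmp` prefix test that remains.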