John's idea is workable for policy lookup, but the PSL is also used for
alignment and to protect the PSL names.

Alignment starts by finding the longest shared DNS path between two
addresses.   The resulting string must be longer than any PSL entry, to
verify that the names are in the same organization.

Additionally, any email domain-part which exactly matches a PSL entry is
fake (unless the PSL is wrong) and should be blocked.

An alternative would require every organization to create a DNS token that
says "TopOfOrganization" at organization boundaries, but getting worldwide
participation is unlikely.

The best result would be for IANA to maintain the PSL.  It seems obvious
that this should be part of their job.  But I assume that has been tried
without success.

On Tue, Oct 26, 2021 at 10:09 PM John Levine <jo...@taugh.com> wrote:

> It appears that Scott Kitterman <skl...@kitterman.com> said:
> >For a 'normal' domain/sub-domain like eml.example.com where the domain
> >has a DMARC policy, every single implementation approach gives the
> >same answer, so it doesn't matter.  The challenge is getting all the
> >other cases right.
> >
> >Until we understand what we want, overall, selecting a specific design to
> >achieve that goal is premature.  Both of those approaches will
> >give a wrong answer (at least as I'd define it) for less usual cases.
>
> Yup.  I think I was the first person to propose a tree-walk, so here is
> roughly what I was thinking:
>
> The problem with organizational domain is that it is ill-defined.  It
> waves its hands and says to use something
> like the PSL, and in practice everyone uses the PSL.  But the PSL is a
> moving target, with entries added and deleted
> on a regular basis, so this month's organization domain may not be the
> same as last month's.  The advantage of the
> tree walk is that the DMARC result now depends entirely on what is in the
> DNS, not on a volunteer maintained list
> whose volunteers keep reminding us that it's only intended to manage http
> cookies.
>
> Todd's stats confirm my intuition that the DNS is pretty flat, and the
> amount of mail that comes from addresses
> with more than, say, four labels is minuscule.  So if you do a four level
> tree walk, you will find all of the
> DMARC records for all of the real mail.
>
> The question remains what to do about the fake mail with 12 label
> domains.  My perhaps radical suggestion is to
> say that if the author domain does not exist, i.e., you look it up and get
> NXDOMAIN, then DMARC does not apply and
> you do whatever you do to mail with fake addresses.  Or perhaps you only
> say that if it's NXDOMAIN and has more than
> four labels.  That way if you really want to use 12 label addresses, you
> have to add a _dmarc record every four
> levels.  Nobody will do that, but nobody sends mail like that other than
> to be perverse, so it doesn't matter.
>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
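To make the two approaches in this exchange concrete, here is an added example (not code from either poster, nor from any DMARC implementation) that puts the PSL-based alignment check from the reply and the four-level tree walk from John's message side by side. The mini PSL, the zone data in `DNS`, and every domain name in it are constructed for the illustration; the tree walk stands in for real DNS with a dictionary, where a key mapped to `None` is a name that exists without a TXT record (NODATA) and a missing key is NXDOMAIN.

```python
"""Constructed comparison of PSL-based alignment and a DMARC tree walk.

The PSL entries, zone data and domain names below are made up for this example.
"""

# Constructed mini Public Suffix List. The real list has thousands of entries
# (including wildcard and exception rules), which this example ignores.
PSL = {"com", "org", "uk", "co.uk", "github.io"}


def labels(name):
    """Split a DNS name into lowercase labels, dropping a trailing dot and empty labels."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def public_suffix(name):
    """Longest suffix of `name` that is a PSL entry; falls back to the last label."""
    parts = labels(name)
    for i in range(len(parts)):          # i == 0 is the whole name, so longest match wins
        candidate = ".".join(parts[i:])
        if candidate in PSL:
            return candidate
    return parts[-1] if parts else ""


def organizational_domain(name):
    """Public suffix plus one label, or None when the name is itself a public suffix."""
    parts = labels(name)
    suffix_len = len(labels(public_suffix(name)))
    if len(parts) <= suffix_len:
        return None
    return ".".join(parts[-(suffix_len + 1):])


def shared_suffix(a, b):
    """Longest DNS path (suffix) shared by two names, as a dotted string."""
    la, lb = labels(a), labels(b)
    common = []
    while la and lb and la[-1] == lb[-1]:
        common.append(la.pop())
        lb.pop()
    return ".".join(reversed(common))


def aligned(a, b):
    """Alignment as described in the reply: the shared path must be longer than
    any PSL entry, i.e. extend at least one label past its own public suffix."""
    shared = shared_suffix(a, b)
    if not shared:
        return False
    return len(labels(shared)) > len(labels(public_suffix(shared)))


def domain_part_is_fake(domain):
    """An address domain-part that exactly equals a PSL entry cannot belong to an
    organization, so the reply proposes blocking it outright."""
    return ".".join(labels(domain)) in PSL


# Constructed zone data for the tree walk. None = name exists but has no TXT record.
DNS = {
    "example.com": None,
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "eml.example.com": None,
    "a.b.c.d.e.f.example.com": None,   # deep but real, with no _dmarc record of its own
}
NXDOMAIN = object()                    # sentinel standing in for an NXDOMAIN answer


def lookup(name):
    return DNS.get(name, NXDOMAIN)


def tree_walk(author_domain, max_levels=4):
    """Look for _dmarc at the author domain and its ancestors, at most `max_levels`
    queries, never querying a bare TLD. Returns the record, None if nothing was
    found within the limit, or "nxdomain" when the author domain does not exist
    (John's suggestion: DMARC then does not apply at all)."""
    parts = labels(author_domain)
    if lookup(".".join(parts)) is NXDOMAIN:
        return "nxdomain"
    checked = 0
    while len(parts) > 1 and checked < max_levels:
        rec = lookup("_dmarc." + ".".join(parts))
        if rec is not None and rec is not NXDOMAIN:
            return rec
        parts = parts[1:]
        checked += 1
    return None


if __name__ == "__main__":
    print(aligned("mail.example.com", "example.com"))      # True: shared path is example.com
    print(aligned("a.co.uk", "b.co.uk"))                   # False: shared path co.uk is a PSL entry
    print(domain_part_is_fake("co.uk"))                    # True
    print(tree_walk("eml.example.com"))                    # found one level up
    print(tree_walk("a.b.c.d.e.f.example.com"))            # None: record lies beyond four levels
    print(tree_walk("nonexistent.example.com"))            # nxdomain
```

The last two calls show the trade-off the thread is arguing over: the walk finds `_dmarc.example.com` for an ordinary subdomain in two queries, but a seven-label author domain under the same organization falls outside a four-level walk unless someone publishes a `_dmarc` record every four levels, exactly the case John dismisses as perverse, while the PSL-based `aligned` check would have related the two names regardless of depth.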