A look at my data was helpful. Organizational alignment means that N labels match exactly. Relaxed alignment means that at least one of the names is longer than N. Those rules are easy to check on my historical data.
I have examples of mismatched domains with 4 matching labels. I also have examples of exact-match domains with 5 matching labels. Strict alignment does not matter for N, because it will produce PASS on any detected policy. So my data suggests a maximum possible N of 4. My message volume is almost exclusively 2LD domains, so a 4-label match represents a partitioned organization at Org+2. This has parallels in the known private registry structure, where Private Registry clients are mostly at Registered Org+1 and sometimes at Registered Org+2. If we choose N=6, we provide Org+2 partitioning to organizations with 4-label domains. Based on this, I don't see any reason to go higher, and limiting partitions to Org+2 seems easy to defend conceptually.

(As an aside, my longest From address was 10 labels, from a spammer, and it aligned with a 3-label Mail From address. My longest Mail From addresses were from *.bnc.salesforce.com, but I stopped counting at 9 because the salesforce Mail From addresses do not align with the From address at all.)

Doug Foster

On Tue, Apr 16, 2024 at 12:03 AM Scott Kitterman <skl...@kitterman.com> wrote:

> On April 16, 2024 2:36:53 AM UTC, John Levine <jo...@taugh.com> wrote:
> >It appears that Scott Kitterman <skl...@kitterman.com> said:
> >>>I'm with Scott, pick a number, 5, 8, whatever, and be done with it.
> >>>
> >>Modulo we do need to explain why 8. Related, I think we also need to explain why the reporting address thing is important for DMARCbis since having an intermediate level record isn't currently supported by DMARC.
> >
> >What do you mean by intermediate level record? Whatever the tree walk finds is by definition the org domain.
> >
> >There are some PSL entries with one below another so it's not unprecedented.
>
> That's true, although that pattern in the PSL doesn't seem very relevant to email.
>
> In the case of a.b.c.example.com and example.com is in the PSL, the DMARC records in a.b.c.example.com (if present) and example.com (otherwise) are consulted. The only way to get to b.c.example.com or c.example.com would be to add them to the PSL. These are what I meant by intermediate records.
>
> It's, of course, different for DMARCbis. There we walk up the tree, so those get checked and as you say, the first one we find is the org domain.
>
> The claim, as I understand it, is that for big orgs that go deeper than 5 levels (in fact up to 8), it is somehow critical to have different reporting addresses (which leads to a need for org domains 6, 7, and 8 levels deep).
>
> I don't find cases where it looks like such things have been added to the PSL, so I'm skeptical that this is really critical. It might be helpful and it might even be a good idea, but I fail to find the evidence I'd expect to find if it were actually critical for a domain operator to be able to do this.
>
> I agree that we ought to just get this done, but without a rationale for 8 that holds water, I think we're better off deciding to stick to the number (5) that we have an articulable rationale for.
>
> I'm sure it will take some time to get through the last call comments, so I imagine that we can wait a bit for more information before deciding without delaying the overall progress.
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
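One way to run the kind of label-count survey described in the message above over a mail log, as an added example that is not code from the thread or from any participant. The domain pairs are constructed, and the function names are hypothetical; the survey only counts shared rightmost labels and does no DNS lookups.

```python
from collections import Counter

def labels(domain):
    """Split a domain into lowercase labels, ignoring a trailing dot."""
    return domain.lower().rstrip(".").split(".")

def shared_suffix_labels(a, b):
    """Count how many rightmost labels two domains have in common."""
    n = 0
    for x, y in zip(reversed(labels(a)), reversed(labels(b))):
        if x != y:
            break
        n += 1
    return n

def survey(pairs):
    """Tally (From, Mail From) pairs by kind and shared-label count.

    Returns the tally and the deepest shared suffix seen among pairs that
    are not identical. Identical pairs pass under strict alignment no
    matter where the policy record is found, so they are tallied but do
    not bound N. A common organizational domain has to be a common
    suffix, so the deepest mismatched count is an upper bound on how deep
    one could sit in this data (sharing labels alone is not alignment).
    """
    tally = Counter()
    deepest_mismatched = 0
    for from_dom, mail_from_dom in pairs:
        shared = shared_suffix_labels(from_dom, mail_from_dom)
        exact = labels(from_dom) == labels(mail_from_dom)
        tally[("exact" if exact else "mismatched", shared)] += 1
        if not exact:
            deepest_mismatched = max(deepest_mismatched, shared)
    return tally, deepest_mismatched

# Constructed sample input: (RFC5322.From domain, RFC5321.MailFrom domain)
PAIRS = [
    ("news.example.com", "bounce.example.com"),
    ("x.unit.dept.example.com", "y.unit.dept.example.com"),
    ("a.b.c.example.com", "a.b.c.example.com"),
    ("example.com", "mailer.example.net"),
]

if __name__ == "__main__":
    tally, deepest = survey(PAIRS)
    for (kind, shared), count in sorted(tally.items()):
        print(f"{kind:10s} shared_labels={shared} messages={count}")
    print("deepest shared suffix among mismatched pairs:", deepest)
```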