Currently, the Publicsuffix.org list protects the PSL names. Although I don't believe it is covered anywhere in the DMARC v1 document, any DMARC implementer will have to notice that a PSL name must produce DMARC FAIL, because it cannot be authenticated itself, and it cannot be authenticated by alignment with any other domain name.

If we could publish a rule which limits alignment to only work from an authenticated domain name downward to a child subdomain, we would have a secure design, because we would not need to worry about leaving the authenticated organization. But as long as upward alignment is necessitated by current practice, we need to be concerned about leaving the authenticated organization in the upward direction into the PSL.

A specific example: MailFrom is "[email protected]" and From is "trustme@com". Any acceptable replacement for the PSL must ensure that this identifier configuration is rejected.

When moving up the domain tree, the only way to avoid transiting from an authenticated organization into the PSL is to know what names are in the PSL. The alternatives seem to be (a) an externally obtained list, no matter how imperfect, or (b) DNS entries, no matter how imperfect. The list seems the best option in the near term, but the DNS option might prove valuable over time.

Doug
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
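Added example, not from the post above or any DMARC implementation: an alignment check that refuses to align through a public-suffix name, contrasting the post's proposed downward-only rule with today's relaxed (organizational-domain) alignment. The PSL here is a constructed subset; a real checker would load the full publicsuffix.org list.

```python
from typing import Optional

# Constructed PSL subset for the demonstration (not the real list).
PSL = {"com", "org", "net", "uk", "co.uk"}


def public_suffix(name: str, psl=PSL) -> str:
    """Longest PSL entry that `name` ends with. An unlisted bare TLD is
    treated as a public suffix, mirroring the PSL's default '*' rule."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in psl:
            return candidate
    return labels[-1]


def org_domain(name: str, psl=PSL) -> Optional[str]:
    """Organizational domain = public suffix plus one label.
    Returns None when the name *is* a public suffix: such a name has no
    organization, so it can be neither authenticated nor aligned."""
    name = name.lower().rstrip(".")
    suffix = public_suffix(name, psl)
    if name == suffix:
        return None
    labels = name.split(".")
    return ".".join(labels[-(suffix.count(".") + 2):])


def aligned(auth_domain: str, from_domain: str, mode: str = "relaxed", psl=PSL) -> bool:
    """auth_domain: SPF MailFrom domain or DKIM d= that actually passed.
    from_domain: the RFC5322.From domain.
    mode 'downward': only auth_domain itself or a child of it may align
    (the rule the post calls secure). mode 'relaxed': organizational domains
    must match, which permits upward alignment and therefore needs the PSL
    guard so that walking up the tree never lands on a PSL name."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    # Either identifier being a PSL name is an unconditional FAIL.
    if org_domain(a, psl) is None or org_domain(f, psl) is None:
        return False
    if mode == "downward":
        return f == a or f.endswith("." + a)
    return org_domain(a, psl) == org_domain(f, psl)
```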
