An attempt to define the relaxed alignment process, assuming that sibling
relationships must be allowed and PSD will be avoided when possible but not
eliminated:

TERMS
From domain - the domain name in the RFC5322.From address.

Authorizing domain - the domain name in the RFC5321.MailFrom address or
DKIM signature.

MatchPoint domain - the DNS substring which is common to both the From
Domain and the Authorizing domain.

Policy Domain - The domain name at which a policy record is found.

Organizational Domain - the domain name immediately below the longest PSD
of the From domain.   If the policy has psd=y, the Organizational domain is
one segment below the policy domain.  If the policy has org=y, the
Organizational domain is the Policy domain.  If the policy has neither
flag, the PSD must be used.


CONSTRAINTS

If the From domain does not have an Organizational domain, it is a PSD and
the names are not aligned.

The MatchPoint domain must be equal to or longer than the Organizational
domain.  If it is shorter, the names are not aligned.

There must be no organization boundaries, indicated by psd=y or org=y,
between the From domain and the MatchPoint domain. If a boundary is
detected, the names are not aligned.  This may require a tree walk.

There must be no organization boundaries, indicated by psd=y or org=y,
between the Authorizing domain and the MatchPoint domain. If a boundary is
detected, the names are not aligned.  This may require a tree walk.


OPTIMIZING

When evaluating multiple Authorizing domains, the From domain and the
Policy domain do not change, but the MatchPoint domain will change,
requiring the relationship between the From domain and each MatchPoint
domain to be evaluated.   A significant performance benefit is expected if
the MatchPoint domains are computed and sorted so that the MatchPoint
domains are processed from longest to shortest.

Caching can be used to eliminate redundant tree walk steps.

--  The policy search establishes that no organization boundaries exist
between the From domain and the Policy domain.   This can be used to avoid
portions of the tree walk between From domain and each new  MatchPoint
domain.

-- Tree walks for one Authorizing domain may be useful if cached and used
when evaluating subsequent Authorizing domains.

-- Additional optimizations seem possible when the From domain and the
Authorizing domain have a parent-child relationship.

However, the algorithm for eliminating redundant steps seems to get complex
pretty quickly, so I have abandoned my initial efforts to define it.


On Fri, Feb 11, 2022 at 11:58 AM Alessandro Vesely <[email protected]> wrote:

> On Fri 11/Feb/2022 09:29:07 +0100 Douglas Foster wrote:
> > Using the reverse tree walk for alignment can become disastrous if a PSD
> > publishes a policy record without the PSD=Y flag.  Worse yet, organizations
> > would be powerless to defend against its harm.   To prevent this harm, the
> > alignment tree walk needs to proceed in the upward direction only.
> > Additionally, we should implement an “org=y” term, so that organizations can
> > indicate that the tree walk should not continue upward.   This allows an
> > organization to protect itself against a misconfigured PSD policy.
>
>
> I think it is already clear to the WG that the tree walk is screwed up.  The
> I-D says:
>                                      The target of the search is a valid
>     DMARC record that contains a psd tag with a value of 'y'.  Once such
>     a record has been found, the Organizational Domain is the target
>     domain that would be queried in the next step in this reverse tree
>     walk.
>
> The target can be non-existent.  A PSD can publish a policy record without
> psd=y, or it can publish no policy record at all (which is the usual case).
>
>
> > An upward tree walk also allows us to handle “lease” relationships, where the
> > parent domain and the subdomain are independent entities.   The parent entity
> > can indicate an alignment boundary below with the psd=y flag, and the client
> > entity can indicate an alignment boundary above with the org=y flag.
>
>
> Agreed.  Note that synchronization is not necessary; that is, one flag is
> enough.  In addition, the walk toward the root can stop on org=y.  No need to
> verify parent's psd=y.  We can trust independence claims.
>
>
> Still, the tree walk is experimental, because it is possible to find no
> flags.
>
> A solid spec should specify both methods, tree walk and PSL lookup, as
> alternative or complementary to each other.  When everything is done well, the
> methods agree.  Otherwise, some DMARC records and/or some PSL entries need
> a fix.
>
> It is not cute to abandon the PSL because it's weak.  By launching a parallel
> method we can strengthen both DMARC and PSL.  A win-win.
>
>
> Best
> Ale
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
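
The TERMS and CONSTRAINTS at the top of this message, worked through as an added Python example; it is not part of the original post or of any DMARC draft. `RECORDS` and `PSL` are constructed stand-ins for DNS policy lookups and the Public Suffix List, and two readings are assumptions: a policy with neither flag falls back to a PSL lookup, and "between" is interpreted as noted in `crosses_boundary`.

```python
# Constructed data standing in for _dmarc TXT lookups and a PSL; not real records.
RECORDS = {
    "example.com": {"org": "y"},
    "tenant.example.com": {"org": "y"},  # leased subdomain, independent entity
    "hosting.example": {"psd": "y"},
    "mail.corp.example.net": {},         # policy record with neither flag
}
PSL = {"com", "net"}

def parents(domain):  # the domain, then each parent, walking toward the root
    labels = domain.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def matchpoint(a, b):  # longest label-wise suffix common to both ('' if none)
    common = [x for x, y in zip(parents(a)[::-1], parents(b)[::-1]) if x == y]
    return common[-1] if common else ""

def org_domain(from_domain):
    """Organizational domain per TERMS, or None when the From domain is a PSD."""
    names = parents(from_domain)
    for i, name in enumerate(names):
        rec = RECORDS.get(name)
        if rec is not None:              # first record found = Policy domain
            if rec.get("org") == "y":
                return name
            if rec.get("psd") == "y":
                return names[i - 1] if i else None
            break                        # neither flag: fall back to the PSL
    hit = next((i for i, n in enumerate(names) if n in PSL), 0)
    return names[hit - 1] if hit else None  # one label below the longest PSD

def crosses_boundary(domain, mp):
    # Assumption: org=y counts below mp; psd=y counts above `domain`, through mp.
    for i, name in enumerate(parents(domain)):
        rec = RECORDS.get(name, {})
        if i and rec.get("psd") == "y":
            return True                  # boundary lies below `name`
        if name == mp:
            return False                 # reached the MatchPoint cleanly
        if rec.get("org") == "y":
            return True                  # boundary lies above `name`
    return False

def aligned(from_domain, auth_domain):
    org = org_domain(from_domain)
    mp = matchpoint(from_domain, auth_domain)
    if org is None or not ("." + mp).endswith("." + org):
        return False                     # PSD, or MatchPoint shorter than org
    return not (crosses_boundary(from_domain, mp) or crosses_boundary(auth_domain, mp))
```

With this data, siblings under `example.com` align, while `tenant.example.com` does not align with its parent and two tenants of `hosting.example` do not align with each other.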
