When I proposed the tree walk, I saw three self-evident conditions that
any tree walk has to meet:
1. The result of the tree walk is the same as the current scheme in
nearly every case.
2. The tree walk uses only the results of the DNS queries, not any
external reference maintained by third parties. If we're going to use a
third party, we might as well stay with the PSD.
3. The tree walk has to work with existing DMARC records, since we know
that it takes a very long time for systems to change their software. One
exception to this is that we can ask PSD records to change, since there
are less than a dozen PSDs deliberately publishing DMARC records, they
know it's currently an experiment, and Scott knows them all.
So:
On Sun, 13 Feb 2022, Alessandro Vesely wrote:
> Yes, I think we can rely on PSD domains not publishing DKIM or SPF stuff.
Why not check and see? I have.
> The harder case is when the domains are siblings, or maybe a great aunt. ...
> I'd avoid walking up from both, because there are likely multiple
> identifiers, typically SPF and DKIM. Walking up from each becomes
> burdensome.
I don't see how this follows. In any DMARC check, there is one SPF
identifier and some number of DKIM signatures, rarely more than two. In
most cases one name is an ancestor of the other, so sibling alignment is
rare. That means we have to make it work (see rule 1) but it doesn't have
to be very fast.
> This leaves pretty much only a. However, why not continue the
> walk upward? The topmost domain having a DMARC record is the Organizational
> Domain.
I don't see how this helps. In practice I think it is rare to do relaxed
alignment and have a DMARC record between the original domain and the org
domain.
> In a few cases, the domain thus found can happen to be a PSD. If there is
> psd=y, the plan in Section 4.6 works fine. As long as that flag is not reliable,
> we need to apply specific knowledge. To this end, note that the list of
> domains at psddmarc.org is much much shorter and more easily maintainable
> than the PSL.
No. That fails rule 2.
>> although I do not think an org=y flag would be useful, since it would break
>> existing org domain records that don't have the flag.
> Finding org=y saves one or more extra lookups.
No. That fails rule 3.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
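As an added illustration, not code from this thread or from any DMARC implementation, here is a Python sketch of the tree walk under the rules argued above: it uses only DNS answers (rule 2), relies on no tag beyond the existing psd=y (rule 3), and checks relaxed alignment by walking up from each identifier, which covers the ancestor case and the rarer sibling case. The DNS answers are replaced by a constructed table, and the psd=y handling assumes the Section 4.6 behaviour that the organizational domain is the name one label below a record carrying psd=y.

```python
import re

# Constructed DNS data (not real zones): owner name -> DMARC TXT record.
ZONE = {
    "_dmarc.example.com":      "v=DMARC1; p=reject",
    "_dmarc.mail.example.com": "v=DMARC1; p=none",          # record between leaf and org
    "_dmarc.co.test":          "v=DMARC1; p=none; psd=y",   # PSD that flags itself
    "_dmarc.shop.co.test":     "v=DMARC1; p=quarantine",
}

def lookup(name, zone=ZONE):
    """Stand-in for a TXT query at _dmarc.<name>; returns a DMARC record or None."""
    rec = zone.get("_dmarc." + name.lower().rstrip("."))
    return rec if rec and rec.lower().startswith("v=dmarc1") else None

def has_tag(record, tag, value):
    pat = r"(?:^|;)\s*%s\s*=\s*%s\s*(?:;|$)" % (re.escape(tag), re.escape(value))
    return re.search(pat, record, re.I) is not None

def tree_walk(domain, zone=ZONE):
    """Names from `domain` up to the TLD, each paired with its DMARC record (or None)."""
    labels = domain.lower().rstrip(".").split(".")
    names = (".".join(labels[i:]) for i in range(len(labels)))
    return [(n, lookup(n, zone)) for n in names]

def org_domain(domain, zone=ZONE):
    """Organizational domain from DNS answers alone (rule 2): the name closest to the
    root that publishes a record, unless that record says psd=y, in which case the
    org domain is the name one label below the PSD (assumed Section 4.6 behaviour)."""
    walk = tree_walk(domain, zone)
    hits = [i for i, (_, rec) in enumerate(walk) if rec]
    if not hits:
        return None                      # no DMARC record anywhere on the path
    top = hits[-1]
    name, rec = walk[top]
    if has_tag(rec, "psd", "y"):
        return walk[top - 1][0] if top > 0 else None   # the PSD itself has no org domain
    return name

def aligned(from_domain, auth_domain, zone=ZONE):
    """Relaxed alignment: same name, or both names share an org domain. This covers
    the ancestor case and the rarer sibling case with one walk per identifier."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if a == b:
        return True
    oa = org_domain(a, zone)
    return oa is not None and oa == org_domain(b, zone)
```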