[dmarc-ietf] Tree Jump method - verifying the organizational domain
Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 29 March 2022 10:58 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id CB5F03A184D
for <dmarc@ietfa.amsl.com>; Tue, 29 Mar 2022 03:58:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001,
HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001,
SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Mcn0rtEi188b for <dmarc@ietfa.amsl.com>;
Tue, 29 Mar 2022 03:58:21 -0700 (PDT)
Received: from mail-ot1-x32f.google.com (mail-ot1-x32f.google.com
[IPv6:2607:f8b0:4864:20::32f])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 66DAF3A184B
for <dmarc@ietf.org>; Tue, 29 Mar 2022 03:58:21 -0700 (PDT)
Received: by mail-ot1-x32f.google.com with SMTP id
i23-20020a9d6117000000b005cb58c354e6so12507570otj.10
for <dmarc@ietf.org>; Tue, 29 Mar 2022 03:58:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;
h=mime-version:from:date:message-id:subject:to;
bh=xIhjB8nU1oFjZMlC1PN4mifuL2o3EU2Y7c4iLjHoZb0=;
b=N7oMAKYKkfEPdNugODvNvdZqDBrUfwXaYOeRjIccG105LueevTqJmXVhKY7v2BSEHZ
myOWDwalMFj1F4OJpoUjdAP2gU+ng6kBReZdDq7y0pKHfvVqqITIveFP84ndxmsyo671
9OL6ZMJo5FcURb7TFUlePtpY7wRvzL2z7kU1vl2WKmec0GpeXvqjW1BpCiJiDXoCbGaG
QHsqjNSJkbVLXr0ER4FvnqUDxfNXHE6sCxxeHG2oGteT9Guv9inb571GRr2QEdbWqq/m
KjQUrJzH11Y2gyetAHHsa3B6uwvU3OgpknH+TqPJL6HSRt4xMsTvuOvq9Xi3A4vxMqtf
MdvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20210112;
h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
bh=xIhjB8nU1oFjZMlC1PN4mifuL2o3EU2Y7c4iLjHoZb0=;
b=h307+wcwPZSYFXkmEi9Gu8114CH/WXsjdX6VetjIID+jfFj03zjdmHSeY6N2rZVzEM
/pT24QqtETx2eWaSjIveB89WwRQ6DAZDxbWQTEfrOQg5OoDV6keEBpKlM/H5QpZN74iz
JKtyxEkQA4vXKxula5wZspar6M1UKsFcMWMSvTN8Vvfj8DN4BiYtJnOrdbg7TevIv96+
gXaqh0RfceXgxd5+UKftpaoOlCgvUMdcxu+LQvBVRk0TDYY5WxXqXTVpByrMLXtJRspB
EfynMR2kwciNHEc4ipqwMmxLVwOfN6K1JWTN6Pm0bTzhSRbctMhzNa8NsctCfW3nlPg8
to3A==
X-Gm-Message-State: AOAM531OfInt95972zoI0+9g4/+Jzy+eF/dktFLnA/doBUnkEDpLEkcD
WvzKm1TBtv801erl8K4JfxaUl7jt21o3T0LMiFe70CJBvbM=
X-Google-Smtp-Source: ABdhPJxo3yNLUO8ncQtjfCPb+HVZTBg8NLisiz7spGtpaRREcXkC0AaDpJSAqRUWVpXPUy+8dO8PHIKC5VZq7MIcyi8=
X-Received: by 2002:a9d:5d0e:0:b0:5af:5a2d:9b43 with SMTP id
b14-20020a9d5d0e000000b005af5a2d9b43mr812651oti.268.1648551500180; Tue, 29
Mar 2022 03:58:20 -0700 (PDT)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 29 Mar 2022 06:58:10 -0400
Message-ID: <CAH48Zfx9Rz3W8gU2rtXJqp3JNYmvFv5HBnmFQ+7o2iPFVMgTPw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008fef5a05db594e80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TuEJe023jqH2PjEluSLdUP3mJXg>
Subject: [dmarc-ietf] Tree Jump method - verifying the organizational domain
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting,
and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>,
<mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>,
<mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 10:58:25 -0000
When using the RFC 7489 and the PSL to jump to an organizational domain, no verification is possible, but the assumption is that the PSL is free of malice, so verification is not essential. However, when using an “orgname=FQDN” token to jump up the DNS tree, malice is possible, so verification is mandatory, not merely desirable. The target domain must be validated as an organizational domain, and the intervening path must be validated as free of organization boundaries. The initial verification requires the presence an “orgname” token that points to the current domain, and the absence of any token that indicates that the domain is a PSD or a private registration point. To rule out an intermediary boundary, I propose the “orgbelow” token, to indicate whether organization boundaries may exist below the organization domain. My first thought was “orgbelow=number”, where a positive integer says that there MAY be an organization boundary starting at N segments below the organization domain, and a zero means that there are no boundaries below the organization domain. For example, if the policy has “orgbelow=3”, and the tree jump moved up only 2 levels, then the From domain is linked to the Organization domain without a tree walk. But this is probably too complicated for reliable usage, so “orgbelow=(true,false)” may be the better choice. Normal organizations will use “orgbelow=false”, while organizations that include private registries will use “orgbelow=true” When “orgbelow=true”, the organization domain must be verified with the PSL or a tree walk, preferably both. Error Handling A search which uses the PSL, because no DMARCbis tokens are present, then the entire process is based on RFC 7489 and the PSL. However, when a search passed on DMARCbis tokens must complete using DMARCbis tokens. This means that the target organizational domain must have a DMARC policy, and it must contain a self-referencing “orgname” token and an “orgbelow” token. If these tokens are not present, the result is PERMERRROR, and is best treated as equivalent to FAIL.
- [dmarc-ietf] Tree Jump method - verifying the org… Douglas Foster