[dmarc-ietf] Tree Walk Limitations vs PSL
Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 30 March 2022 22:18 UTC
Limitations of the Tree Walk method, listed roughly from highest to lowest importance:

Private Registries

The PSL has data on private registries, while the tree walk will only know about private registries if and when each registry or its clients publish DMARC policies.

Exceptions

The PSL is easily supplemented and corrected by adding or deleting line items during or after the list is loaded. The Tree Walk does not provide a straightforward exception process. One of the most intuitive exception structures for Tree Walk would be to create a domain list similar to the PSL, and modify the algorithm to check it. Once that framework is in place, populating the exception list with the PSL is a logical step. Loading the PSL as an exception list will fix the private registry problem, but will dismantle the idea of PSL elimination.

Non-participant cost on evaluators

The Tree Walk is particularly expensive when the domain does not participate in DMARC and the PSD does not publish a policy record, because the walk proceeds all the way up the tree to the TLD. Since we think only 5% of domains currently publish DMARC policies, this is a lot of work for no result. If the implemented Tree Walk process requires checking for both a policy record and an exception record at each step up the tree, the performance concerns are that much greater.

The PSL requires at most two table lookups for the From address, and two table lookups for each domain being tested for alignment. This means that the RFC 7489 algorithm impacts all evaluators and all mail streams equally. By comparison, the Tree Walk has increasing cost as the length of the domain names increases. Based on my mail stream, RFC5322.From domains, which occur only once per message, tend to be short. In contrast, MailFrom and DKIM candidate domains, which have multiple entries per message, tend to be longer. The performance penalty for the Tree Walk will affect evaluators differently, depending on their mail stream.

PSD protection

The PSL provides a list of multi-segment PSDs that never send mail, and consequently evaluators can use the list to prevent impersonation of those names. The Tree Walk only protects multi-segment PSDs which publish a policy record. (Single-segment PSDs do not need external protection, since evaluators can implement a static rule that TLDs are PSDs, never send mail, and are never valid as an RFC5322.From domain.)

DMARC results without a DMARC policy

Notwithstanding the pushback I received over this issue, it is a significant point that evaluators can use the PSL and relaxed alignment to compute a DMARC PASS result for messages from domains that do not publish a DMARC policy. DMARC PASS allows whitelisting to be done without concerns about impersonation of the trusted source. Since whitelisting needs are not limited to DMARC-participating domains, the need for a DMARC result is not limited to domains that publish a policy record.

Domains without Organizational Domain policies

When an exact-match subdomain policy is available, the PSL can determine alignment without need for an organizational domain policy. The Tree Walk cannot determine relaxed alignment unless the organizational domain is present. This is probably a rare occurrence, but it is a consideration.

Doug Foster
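The two Organizational Domain methods the post compares, as an added example that is not part of the original message: an RFC 7489 style PSL lookup beside a DNS Tree Walk, each reporting the Organizational Domain and the number of DNS queries it issued. The PSL fragment, the DMARC records and the "github.io" private-registry role are constructed fixtures, and the Tree Walk's Organizational Domain rule is a simplification assumed for illustration, not the draft's exact text.

```python
# Added example, not part of Doug Foster's post. PSL fragment and DNS records are
# constructed in-memory fixtures; no network access is performed.

# Constructed PSL fragment; "github.io" plays the role of a private-registry entry.
PSL = {"com", "net", "io", "co.uk", "github.io"}

# Constructed TXT records keyed by _dmarc.<name>. Nothing under example.net publishes.
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.github.io": "v=DMARC1; p=none",   # private registry, no psd=y tag
}

def labels_of(domain):
    return domain.lower().rstrip(".").split(".")

def psl_org_domain(domain):
    """Longest PSL suffix plus one label (RFC 7489 style): table lookups only,
    so a result exists even when the domain publishes no DMARC record."""
    labels = labels_of(domain)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSL:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None

def tree_walk_org_domain(domain, dns):
    """Query _dmarc at every level up to the TLD, as the post describes.
    Assumed (simplified) rule: the record nearest the root wins; if it carries
    psd=y, the Organizational Domain is one label below it.
    Returns (org_domain_or_None, number_of_dns_queries)."""
    labels = labels_of(domain)
    found, queries = [], 0
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        queries += 1
        record = dns.get("_dmarc." + name)
        if record is not None:
            found.append((name, record))
    if not found:
        return None, queries            # non-participant: full walk, no result
    top_name, top_record = found[-1]    # closest to the root
    if "psd=y" in top_record.replace(" ", "").lower():
        k = len(labels_of(top_name))
        return (".".join(labels[-(k + 1):]) if len(labels) > k else None), queries
    return top_name, queries

def relaxed_aligned(d1, d2, org_fn):
    """Relaxed alignment: both domains share a non-empty Organizational Domain."""
    o1, o2 = org_fn(d1), org_fn(d2)
    return o1 is not None and o1 == o2
```

Running `tree_walk_org_domain("a.b.c.d.example.net", DNS)` issues six queries and returns no Organizational Domain, where `psl_org_domain` answers "example.net" from the table alone; and with the private registry publishing a record without psd=y, two unrelated tenants under github.io relaxed-align under the Tree Walk but not under the PSL.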