> * Summary: > > This draft is on the right track but has open issues, described > in the review. > > * Major issues: > > The privacy concerns described in section 4 are written as if there is > no certainty that the mechanisms described in the document properly > mitigate them. So the document appears to be incomplete. OTOH, since > this is an Experimental RFC, such mitigation isn't necessary if there > is commitment to do so later. In that case, the section should > explicitly state that these are open issues and that there is an > intention of revising the document to mitigate them. > > The text suggests that a mail receiver(?) that does DMARC processing > has knowledge of all PSDs. This seems a priori unlikely and even > impossible to implement. So this ought to be either explained at the > appropriate place or resolved technically. > > * Minor issues: > > The document has the (common) editorial problem that it is written by > people who are deeply familiar with the subject, and it's difficult to > read if one doesn't share that familiarity. This is particularly > significant because DMARC is an e-mail facility that (ideally) will > affect all e-mail that is sent, so the target audience really should > be anyone who has a basic understanding of e-mail. Three particular > elements of this are: > > - It would be very helpful if the Introduction could state, in a few > sentences, the purpose and operation of DMARC, thus informing the > reader of the framework whose deficiencies this document attempts to > address. In particular, one shouldn't have to read the DMARC RFCs > to be able to read this document and understand its general import. > > - The "experiment" appendixes are unclear about what the experiments > actually are: what questions they are to answer, what actions will > be taken, how the results will be evaluated. Starting each appendix > with an overview paragraph would be helpful. > > - Forward references should be minimized so that a reader can > understand the document in one pass. > > As a derivative of the first of these elements, the terminology used > for the properties of domain names is not clearly defined. In > particular, where does a registration "occur"? The only term for > which I think the general audience possesses an unambiguous definition > is "the registered domain name", e.g. ietf.org. Now I *think* its PSD > is ".org", but it might be "ietf.org", and I don't know whether the > registration of ietf.org "occurs" at ietf.org or .org. Further points > I didn't understand are pointed out in the review of the > Abstract and Introduction. > > * Nits/editorial comments: > > Abstract > > I'm having quite a bit of difficulty figuring out exactly what the > Abstract means. I'm sure that the working group clearly understands > what is meant, but the writing is just loose enough that I can't fix > the meaning. To raise the immediate questions: > > DMARC (Domain-based Message Authentication, Reporting, and > Conformance) is a scalable mechanism by which a mail-originating > organization can express domain-level policies and preferences for > message validation, disposition, and reporting, that a mail-receiving > organization can use to improve mail handling. > > This sentence is quite good, as it introduces what DMARC is all about. > > The design of DMARC > presumes that domain names represent either nodes in the tree below > which registrations occur, or nodes where registrations have > occurred; it does not permit a domain name to have both of these > properties simultaneously. > > You want to make clear here that "registration" means "domain name > ownership registration" (which is what section 2.2 says). Otherwise > it leaves open that there is some sort of DMARC registration that you > might intend, until the reader gets to section 2.2. > > There's an ambiguity regarding "where" a registration happens. E.g., > does the registration of "ietf.org" "occur at" "ietf.org" or "occur > at" "org"? It's possible that this could be simplified/disambiguated > by not using this term, but instead phrasing this in terms of domain > names that "are registered", and the allowed relationships between > them. > > And it appears certain that there are DNS nodes where registrations > are only done *above* that node, e.g. "datatracker.ietf.org", which > this sentence (if taken literally) says is not permitted by DMARC. Is > the property you want to declare "one node where registrations are > done cannot exist below another node where registrations are done"? > > Or perhaps domain names like "datatracker.ietf.org" are of no interest > to DMARC because DMARC is never applied to messages for which that is > the relevant address? > > Since its deployment in 2015, use of > DMARC has shown a clear need for the ability to express policy for > these domains as well. > > This sentence doesn't make it clear what "these domains" refers to. > > Domains at which registrations can occur are referred to as Public > Suffix Domains (PSDs). This document describes an extension to DMARC > to enable DMARC functionality for PSDs. > > It would probably be clearer to use "domain name ownership > registrations" again here. > > This sentence suggests that the registration of "ietf.org" "occurs at" > "org" and so "org" is a PSD. > > This document also seeks to address implementations that consider a > domain on a public Suffix list to be ineligible for DMARC > enforcement. > > This suggests that implementations believe that they know of all PSDs, > so they can "consider them ineligible for DMARC enforcement". But > it's hard to imagine that that they can know that they know of all > PSDs. > > An additional point, and I'm not sure how valuable this is, would be > to clarify "I'm holding an e-mail message in my hands. What do I do > next?", that is, What address in the message is the domain whose DMARC > information is applied to the message? And what indeed does DMARC > processing do to a message? For most of the sentences of the > Abstract, this is not important, but it leaves the effect of the last > sentence unclear, as "DMARC is not enforced on messages whose *sender* > is in a PSD" is quite a bit different from "DMARC is not enforced on > messages whose *recipient* is in a PSD". (Section 3.3 suggests that > the address in the From header of the message is the one that is used > for DMARC processing.) > > It's unclear what exactly is the contents of a "public suffix list". > Naively, it appears that it is the list of domain names under which > names can be registered, but the text uses the term in the plural, so > there must be some additional structure. > > Also, it seems there are some significant privacy matters addressed by > this document, and it's probably worth adding a sentence to notify the > reader of that. > > 1. Introduction > ---- > A number of the questions about the Abstract apply to the Introduction > as well. But generally, since e-mail is a subject that every reader > has a basic knowledge of, it would be useful to write the introduction > so that one did not have to have a knowledge of the DMARC architecture > to understand the introduction. > > "gov.example" publishes the following DMARC record: > > "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.service.gov.example" > > at > > _dmarc.gov.example. > > Even better would be this aid to people who don't already know DMARC > implementation: > > "gov.example" publishes the following DMARC DNS record: > > _dmarc.gov.example. TXT \ > "v=DMARC1; p=reject; rua=mailto:dmarc@dmarc.service.gov.example" > Updated to be a more complete DNS record. > -- > > the non-existent organizational domain of @tax.gov.example > > I suspect you mean "t4x.gov.example" here. Correct. Updated. > > This document provides a simple extension to DMARC [RFC7489] to > allow [...] > > This sentence lists 4 important items, each of which is fairly long, > which together are the summary of the whole document, so it might be > useful to break this into a bullet-list. > Opinions on Reformatted ? This document provides a simple extension to DMARC [RFC7489] to allow operators of Public Suffix Domains (PSDs) to: o Express policy at the level of the PSD that covers all organizational domains that do not explicitly publish DMARC records o Extends the DMARC policy query functionality to detect and process such a policy o Describes receiver feedback for such policies o Provides controls to mitigate potential privacy considerations associated with this extension > 2. Terminology and Definitions > > In many cases the public portion of the DNS tree is [...] > > What does "the public portion" mean? I'm guessing it means "the names > not available for private registration", but you should be unambiguous > here. I believe Scott cleaned the wording up here. > They are not available for private > registration. In many cases the public portion of the DNS tree is > more than one level deep. > > It seems like these two sentences are redundant and the flow of the > paragraph would be better if they were removed. ... Actually once they > are removed, it reveals that the next two sentences largely duplicate > the first two sentences of the paragraph. Agreed. We've removed these sentences. -------- > 2.3. Longest PSD > > The longest PSD is the Organizational Domain with one label removed. > > 2.4. Organizational Domain > > The term Organizational Domains is defined in DMARC [RFC7489] > Section 3.2. > > 2.4 should be moved ahead of 2.3 to avoid a forward-reference. But it > would be really helpful if the definition of Organizational Domain was > either summarized here or completely copied from RFC7489. In > particular, if Organizational Domain is not the same as registered > domain name, that should be flagged. > Switched sections 2.4 and 2.3. As for "Organizational Domain", the first sentence of the 7489 definition is "The domain that was registered with a domain name registrar." with additional sentences on determining this. > 2.5. Public Suffix Operator (PSO) > > A Public Suffix Operator manages operations within its PSD. > > Better to explicitly define the possession relationship explicitly: > > A Public Suffix Operator is an organization which manages > operations within a PSD, particularly the DNS records published for > names at and under that domain name. This works > 2.6. PSO Controlled Domain Names > > PSO Controlled Domain Names are names in the DNS that are managed by > a PSO and are not available for use as Organizational Domains. > Depending on PSD policy, these will have one (e.g., ".com") or more > (e.g., ".co.uk") name components. > > The second sentence is odd; is it useful? Is it just to say "PSO > Controlled Domain Names may have one or more components."? > Yes, a PSO Controlled Domain Name may have one more name components. How about: "PSO Controlled Domain Names may have one (e.g., ".com") or more (e.g., ".co.uk") name components, depending on PSD policy." > 3.1. General Updates > > References to "Domain Owners" also apply to PSOs. > > This change really ought to be localized to a specific textual change > somewhere in RFC 7489, in the say way that the other changes are > specific amendments to the DMARC algorithm. "Domain Owner" is defined in Section 3 of 7489, but Public Suffix Operators and Public Suffix Domains aren't defined there. Could we say "Domain Owners also can refer to Public Suffix Operators as defined in [dmarc-psd]"? > > 3.2. Section 6.3 General Record Format > > These section titles are difficult to read. At first I thought there > was some typographical problem. But you could clarify this as "3.2. > Updates to Section 6.3. General Record Format". Similarly for the > other subsections of section 3. > Done. > 3.3. Section 6.5. Domain Owner Actions > > The mechanism for doing so is one of the > experimental elements of this document. > > I think that what this means is that the whole document is an > experimental "mechanism for doing so". If so, I think it could be > better phrased > > This document is an experimental mechanism for doing so. This is better wording for this, updated. > -- > > 3.4. Section 6.6.1. Extract Author Domain > > [...] when the domain name extracted by the receiver (from the > RFC5322.From) is on the public suffix list used by the receiver. > > This touches the question above about what a public suffix list is, > and how there can be more than one of them. But without that > knowledge, it's hard to see which PSL is "used" by the receiver of the > message. > > Also, it's not clear to me how *this* document creates a capability > which applies to domains that are on the PSL. E.g., if an "np" is > defined for ".org", it applies to (that is, affects processing of > e-mail from) any "X.org" that doesn't have its own DMARC records. But > I don't see how an "np" tag for ".org" affects processing of messages > from "example@org". > > 3.5. Section 6.6.3. Policy Discovery > > (discussed in the experiment description > (Appendix A)) > > Given that this text is nominally an update to the text of RFC 7489, > you want to disambiguate the binding of "Appendix A": > > (discussed in the experiment description > ([this document] Appendix A)) > Since these sections are written to update 7489, I agree on referencing "([this document] Appendix A)" in this case. But reading over the text, there are two references to section 2.3 in this document we'll need to update as well. Additionally, updating "Appendix A" in section 3.3 > 3.6. Section 7. DMARC Feedback > > See Section 4 of this document for discussion of Privacy > Considerations. > > Similarly to section 3.5, but also clarifying the scope of "privacy > considerations": > > See Section 4 of [this document] for discussion of Privacy > Considerations for PSD DMARC. Agreed, and updated > 4. Privacy Considerations > > The Privacy Considerations of [RFC7489] apply to this document. > > This could be clarified as > > Additionally, the Privacy Considerations of [RFC7489] apply to the > mechanisms described by this document. Agreed, and updated > -- > > Providing feedback reporting to PSOs can, in some cases, create > leakage of information outside of an organization to the PSO. > > "outside" probably isn't the word you want to use here, as it is > easier to read "outside" as giving the original location of > "information" than to read "outside" as giving the direction of > "leakage". Perhaps > > Providing feedback reporting to PSOs can, in some cases, create > leakage of information out of an organization to the PSO of its > domain name. What do you think of this: "Providing feedback reporting to PSOs can, in some cases, create information to leak out of an organization to the PSO. " ---- > -- > > To minimize this potential concern, > PSD DMARC feedback is best limited to Aggregate Reports. [...] > > [...] any Feedback Reporting related to multi- > organizational PSDs ought to be limited to non-existent domains > except in cases where the reporter knows that PSO requires use of > DMARC. > > I can't see where in the document that these principles are turned > into MUST statements that ensure the privacy issues are solved. > How about these two statements: Old: "To minimize this potential concern, PSD DMARC feedback is best limited to Aggregate Reports. " New: "To minimize this potential concern, PSD DMARC feedback SHOULD be limited to Aggregate Reports." and Old: DMARC for Organizational Domains in multi-organization PSDs that do not particpate in DMARC, any Feedback Reporting related to multi- organizational PSDs ought to be limited to non-existent domains New: DMARC for Organizational Domains in multi-organization PSDs that do not particpate in DMARC, any Feedback Reporting related to multi- organizational PSDs MUST be limited to non-existent domains > The experiment is to evaluate different possible approaches. > > Calling this an "experiment" suggests that these is an intended series > of actions whose result will answer the listed questions. But there > doesn't seem to be any such actions listed. The description makes it > sound like what is intended is continuing discussions in the working > group, but that wouldn't be an "experiment". > > A.2. Non-Existent Subdomain Policy > > Similar questions arise for this section. The second paragraph > suggests that the experiment is to see whether the "np" tag is > successful. > > There are also > suggestions that it would be more generally useful for DMARC. > > What does "it" refer to? (Does it mean "this ability"?) > > Appendix B. DMARC PSD Registry Examples > > In this appendix, it appears that the contents of the experiment are > clear in the authors' minds, but there is no summary at the top that > states what the experimental facilities are and the "big picture" into > which they fit. > > Appendix C. Implementations > > C.1. Authheaders Module > > What e-mail MTA is Authheaders an extension for? > > [END]