IETF Logo Mail Archive

Re: [dmarc-ietf] Thoughts on choosing N

Scott Kitterman <sklist@kitterman.com> Tue, 16 April 2024 04:03 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 823F3C14F6B8 for <dmarc@ietfa.amsl.com>; Mon, 15 Apr 2024 21:03:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="iwsSgisr"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="DxOUXJ9x"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQegwz8aCOp8 for <dmarc@ietfa.amsl.com>; Mon, 15 Apr 2024 21:03:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48AE5C14F6A0 for <dmarc@ietf.org>; Mon, 15 Apr 2024 21:03:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id A2D81F80290; Tue, 16 Apr 2024 00:03:09 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1713240174; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=s1fj0nuVcryoJCRqcIcdwAMIMHK2d2Q/OMpEnp2dci4=; b=iwsSgisr9gy/893C/MBAT/EJEFYYwq7u7XiCfE8NR4WcIjOKYUPOVlBqYTsJgWbA4E5so eHQnRnec8olIZgmBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1713240174; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=s1fj0nuVcryoJCRqcIcdwAMIMHK2d2Q/OMpEnp2dci4=; b=DxOUXJ9xYA1wUOGUX/whmNSYPd+qc/zLuUPkSVpTx/US+QtxrHqkTR8MSOHxX7+igmIxd 7U5wxEMEOt/AZY8qz32rSnU2FdXoDtnWMcHtupmoqo9xOsCY5DbR0FHPt6fgqBKS49RX0Mt fccOh4KIN4XZoJTJwhoXxzEnk2pNqyVhrqsvMiwLyzT1r54zrPShvjAQGMXHihGzfF8cKFJ 7Hy1Fvy1+QEhMRsarqNp4HTv5NHoBIQK6lIv3fwmbWgPOwCuKEg3B5OFZ3tpS8qg3A3JwND abvibqsi+LQSvlwJ2KxH8fLXLjHFclk+qAkQ4kF9TGwC4GVaDn39FVNGKKbw==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id C8CE9F80080; Tue, 16 Apr 2024 00:02:54 -0400 (EDT)
Date: Tue, 16 Apr 2024 04:02:50 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <20240416023654.6639F8883D66@ary.qy>
References: <20240416023654.6639F8883D66@ary.qy>
Message-ID: <1B5E0A76-270B-486E-9EA2-F1B936092198@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/imVMzitCIfW6kegYHd2qhe5ibSY>
Subject: Re: [dmarc-ietf] Thoughts on choosing N
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Apr 2024 04:03:26 -0000


On April 16, 2024 2:36:53 AM UTC, John Levine <johnl@taugh.com> wrote:
>It appears that Scott Kitterman  <sklist@kitterman.com> said:
>>>I'm with Scott, pick a number, 5, 8, whatever, and be done with it.
>>>
>>Modulo we do need to explain why 8. Related, I think we also need to explain why the reporting address thing is important for DMARCbis since having an intermediate level record isn't
>>currently supported by DMARC.
>
>What do you mean by intermediate level record?  Whatever the tree walk finds is
>by definition the org domain.
>
>There are some PSL entries with one below another so it's not unprecedented.

That's true, although that pattern in the PSL doesn't seem very relevant to email.

In the case of a.b.c.example.com and example.com is in the PSL, the DMARC records in a.b.c.example.com (if present) and example.com (otherwise) are consulted.  The only way to get to b.c.example.com or c.example.com would be to add them to the PSL.  These are what I meant by intermediate records.

It's, of course, different for DMARCbis.  There we walk up the tree, so those get checked and as you say, the first one we find is the org domain.

The claim, as I understand it, is that for big orgs that go deeper than 5 levels (in fact up to 8), it is somehow critical to have different reporting addresses (which leads to a need for org domains 6, 7, and 8 levels deep).

I don't find cases where it looks like such things have been added to the PSL, so I'm skeptical that this is really critical.  It might be helpful and it might even be a good idea, but I fail to find the evidence I'd expect to find if it were actually critical for a domain operator to be able to do this.

I agree that we ought to just get this done, but without a rationale for 8 that holds water, I think we're better off deciding to stick to the number (5) that we have an articulable rationale for.

I'm sure it will take some time to get through the last call comments, so I imagine that we can wait a bit for more information before deciding without delaying the overall progress.

Scott K

v2.23.0 | Report a Bug | By Email