Re: [dmarc-ietf] Comment on draft-ietf-dmarc-psd

Dave Crocker <> Thu, 05 September 2019 20:22 UTC

From: Dave Crocker <>
To: "Murray S. Kucherawy" <>
Date: Thu, 5 Sep 2019 13:22:27 -0700

On 9/4/2019 6:28 AM, Dave Crocker wrote:
> Hence my current view that:
> 1. The change to DMARC should be limited to permitting the query for the 
> organization domain to be anywhere in the DNS tree, including a TLD. 
> Within DMARC this would not look like 'extra' mechanism.
> 2. The mechanism that processes that query should be cast strictly as a 
> PSL enhancement, independent of DMARC.

Trying to refine things further:

    DMARC does not care about the PSL.

    What DMARC cares about is the Organizational Domain (OD), as a 
fallback when no DMARC record is found at the desired domain name.

    That is, PSL is literally outside the scope of DMARC.

    At the least, therefore, the DMARC specification should define a 
distinct interface to the outside functionality that tells DMARC where 
the OD is, which will return what suffix of the full domain name is the 
OD -- e.g., getOrgDomain(full-domain) -> org-domain-suffix

    The PSL-related side of that interface should be a separate 
specification, so that changes to its behavior -- such as has been 
happening with the introduction of ODs that are TLDs or are otherwise 
'above' where DMARC has been guessing the OD to be -- are isolated from 

    The current problems are that DMARC has embedded too much detail 
about the PSL world, yet DMARC has no involvement in that world. The 
current proposal embeds assumptions of PSL knowledge further, rather 
than separating PSL knowledge out.

Dave Crocker
Brandenburg InternetWorking
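The separation the message argues for, as an added example that is not part of the thread or of any DMARC implementation: the DMARC-side discovery only calls a getOrgDomain-style function and queries wherever it points, while all Public Suffix List knowledge (exact, wildcard and exception rules) sits behind that function. The miniature rule set and the TXT records are constructed stand-ins for the real PSL and for DNS.

```python
"""Added example: DMARC policy discovery written against an abstract
getOrgDomain(full-domain) -> org-domain-suffix interface, with a constructed
public-suffix resolver behind it and a dict standing in for DNS TXT lookups."""
from typing import Callable, Dict, Optional, Set

# Constructed miniature rule set in Public Suffix List syntax (not the real PSL).
MINI_PSL = "com\nco.uk\n*.ck\n!www.ck\nbank\n"


def parse_psl(text: str) -> Set[str]:
    """One rule per line; '//' comment lines and blank lines are ignored."""
    lines = (line.strip() for line in text.splitlines())
    return {line for line in lines if line and not line.startswith("//")}


def public_suffix(domain: str, rules: Set[str]) -> str:
    """PSL algorithm: the longest matching rule wins, an exception rule ('!')
    beats the wildcard it carves out of, and with no match the last label is
    the public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):                  # longest candidate first
        cand = ".".join(labels[i:])
        if "!" + cand in rules:                   # exception: rule minus its first label
            return ".".join(labels[i + 1:])
        if cand in rules or "*." + ".".join(labels[i + 1:]) in rules:
            return cand
    return labels[-1]


def make_org_domain_resolver(rules: Set[str]) -> Callable[[str], Optional[str]]:
    """The PSL side of the interface: this is the only code that knows about
    public suffixes. It returns None when the name is itself a public suffix."""
    def org_domain(domain: str) -> Optional[str]:
        labels = domain.lower().rstrip(".").split(".")
        suffix_len = len(public_suffix(domain, rules).split("."))
        if len(labels) <= suffix_len:
            return None
        return ".".join(labels[-(suffix_len + 1):])
    return org_domain


def discover_policy(domain: str, dns_txt: Dict[str, str],
                    get_org_domain: Callable[[str], Optional[str]]) -> Optional[str]:
    """DMARC side: try _dmarc.<domain>, then _dmarc.<OD> wherever in the tree
    the resolver says the OD is (a TLD included). No PSL knowledge lives here."""
    record = dns_txt.get("_dmarc." + domain.lower())
    if record is not None:
        return record
    org = get_org_domain(domain)
    if org is None or org == domain.lower():
        return None
    return dns_txt.get("_dmarc." + org)


# Constructed TXT records standing in for DNS answers.
DNS_TXT = {
    "_dmarc.example.co.uk": "v=DMARC1; p=reject; rua=mailto:dmarc@example.co.uk",
    "_dmarc.www.ck": "v=DMARC1; p=quarantine",
}
```

Swapping in a resolver built from a different rule set changes where the fallback query lands without touching `discover_policy`, which is the isolation the message asks for.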