Re: [dmarc-ietf] Thoughts on choosing N

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 15 April 2024 11:17 UTC

Our original choice of N was based on the PSL.  The PSL could not detect
organizational boundaries below level 5, because it had no entries longer
than 5 labels, and we determined that the 5-label entries were not used for
mail.  Therefore, any increase in N is new capability.  That new capability
is probably desirable, but need not be limitless.  Using an N of 8
introduces a lot of new capability.

As the number of labels increases, the probability of abuse increases --
either malicious use of non-existent subdomains, or malicious creation of
meaningless subdomains.  This provides a strong incentive to limit N to a
small number.

I don't have any objection to 8.

There are two defenses available to evaluators who fear malicious use of
maximum N:
- Test for From domain existence first.   If the domain does not exist, do
a top-down search for the first domain that does exist.   Mail From and
DKIM domains do not need to be tested separately for existence, as they
cannot verify unless the domain exists.

- Use result caching so that domains with a high number of labels are not
researched multiple times.

DF
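The two defenses above (existence-first search with a label cap, plus result caching) as an added illustration that is not part of the original message. It assumes the search proceeds from the From domain toward the root and stops at the first name that exists; `ExistenceWalker`, `candidate_domains` and the injected `lookup` callable are hypothetical names, and the "existing" zone is constructed so the code runs offline.

```python
from typing import Callable, Dict, List, Optional

# "N": the maximum number of labels the walk considers (8 in the proposal).
MAX_LABELS = 8


def candidate_domains(domain: str, max_labels: int = MAX_LABELS) -> List[str]:
    """Return the From domain and its ancestors, longest first, stopping
    above the bare TLD.  If the name has more than max_labels labels, the
    walk starts at the max_labels-label ancestor instead of the full name,
    so a deeply nested bogus name cannot force an unbounded number of
    queries."""
    labels = domain.rstrip(".").lower().split(".")
    labels = labels[-max_labels:]
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


class ExistenceWalker:
    """Existence-first walk with a per-evaluator result cache.

    `lookup` answers "does this name exist in DNS?" for one name.  A real
    deployment would issue a DNS query and treat NXDOMAIN as False; here
    the function is injected (assumption) so the example runs offline."""

    def __init__(self, lookup: Callable[[str], bool],
                 max_labels: int = MAX_LABELS):
        self._lookup = lookup
        self._max_labels = max_labels
        self._cache: Dict[str, bool] = {}
        self.lookups = 0  # number of uncached queries actually issued

    def exists(self, name: str) -> bool:
        """Cached existence test: each distinct name is queried once."""
        if name not in self._cache:
            self.lookups += 1
            self._cache[name] = self._lookup(name)
        return self._cache[name]

    def first_existing(self, from_domain: str) -> Optional[str]:
        """Test the From domain first; if it does not exist, continue toward
        the root and return the first ancestor that does (None if none)."""
        for name in candidate_domains(from_domain, self._max_labels):
            if self.exists(name):
                return name
        return None


# Constructed sample zone: the only names that "exist" for this example.
EXISTING = {"example.com", "mail.example.com", "gmail.com"}
```

With the sample zone, a non-existent eleven-label name under example.com costs seven queries rather than eleven, and repeating a From domain costs none.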

On Sun, Apr 14, 2024 at 7:23 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Sun, Apr 7, 2024 at 10:33 AM Scott Kitterman <sklist@kitterman.com>
> wrote:
>
>> >Seth says there are people who need N=8 but for business reasons he
>> can't tell us who they are.  I'm not thrilled about that but I see little
>> downside to bumping the number up to 8.
>>
>> I expect that's where we end up, but I think we need something more than
>> one of the chairs said there are secret reasons.
>>
>
> I agree, "Why 8?" is a very reasonable question for any reviewer to ask.
>
> -MSK, p11g