Re: [dmarc-ietf] Thoughts on choosing N (choose 6)

A look at my data was helpful.

Organizational alignment means that N labels match exactly.   Relaxed
alignment means that at least one of the names is longer than N.
 Those rules are easy to check on my historical data.

I have examples of mismatched domains with 4 matching labels.   I also have
examples of exact-match domains with 5 matching labels.  Strict alignment
does not matter for N, because it will produce PASS on any detected
policy.  So my data suggests a maximum possible N of 4.

My message volume is almost exclusively 2LD domains, so a 4-label match
represents a  partitioned organization at Org+2.   This has parallels in
the known private registry structure, where Private Registry clients are
mostly at Registered Org +1 and sometimes at Registered Org + 2.

If we choose N=6, we provide Org+2 partitioning to organizations with
4-label domains.  Based on this, I don't see any reason to go higher, and
limiting partitions to Org+2 seems easy to defend conceptually.

(As an aside, my longest From address was 10 labels, from a spammer, and it
aligned with a 3-label Mail From address.    My longest Mail From
addresses were from *.bnc.salesforce.com, but I stopped counting at 9
because the salesforce Mail From addresses do not align with the From
address at all.)

Doug Foster

On Tue, Apr 16, 2024 at 12:03 AM Scott Kitterman <sklist@kitterman.com>
wrote:

>
>
> On April 16, 2024 2:36:53 AM UTC, John Levine <johnl@taugh.com> wrote:
> >It appears that Scott Kitterman  <sklist@kitterman.com> said:
> >>>I'm with Scott, pick a number, 5, 8, whatever, and be done with it.
> >>>
> >>Modulo we do need to explain why 8. Related, I think we also need to
> explain why the reporting address thing is important for DMARCbis since
> having an intermediate level record isn't
> >>currently supported by DMARC.
> >
> >What do you mean by intermediate level record?  Whatever the tree walk
> finds is
> >by definition the org domain.
> >
> >There are some PSL entries with one below another so it's not
> unprecedented.
>
> That's true, although that pattern in the PSL doesn't seem very relevant
> to email.
>
> In the case of a.b.c.example.com and example.com is in the PSL, the DMARC
> records in a.b.c.example.com (if present) and example.com (otherwise) are
> consulted.  The only way to get to b.c.example.com or c.example.com would
> be to add them to the PSL.  These are what I meant by intermediate records.
>
> It's, of course, different for DMARCbis.  There we walk up the tree, so
> those get checked and as you say, the first one we find is the org domain.
>
> The claim, as I understand it, is that for big orgs that go deeper than 5
> levels (in fact up to 8), it is somehow critical to have different
> reporting addresses (which leads to a need for org domains 6, 7, and 8
> levels deep).
>
> I don't find cases where it looks like such things have been added to the
> PSL, so I'm skeptical that this is really critical.  It might be helpful
> and it might even be a good idea, but I fail to find the evidence I'd
> expect to find if it were actually critical for a domain operator to be
> able to do this.
>
> I agree that we ought to just get this done, but without a rationale for 8
> that holds water, I think we're better off deciding to stick to the number
> (5) that we have an articulable rationale for.
>
> I'm sure it will take some time to get through the last call comments, so
> I imagine that we can wait a bit for more information before deciding
> without delaying the overall progress.
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>