OK, here's my proposal; please let me know what you think:
— Abstract —
OLD
DMARC (Domain-based Message Authentication, Reporting, and
Conformance) is a scalable mechanism by which a mail-originating
organization can express domain-level policies and preferences for
message validation, disposition, and reporting, that a mail-receiving
organization can use to improve mail handling. The design of DMARC
presumes that domain names represent either nodes in the tree below
which registrations occur, or nodes where registrations have
occurred; it does not permit a domain name to have both of these
properties simultaneously. Since its deployment in 2015, use of
DMARC has shown a clear need for the ability to express policy for
these domains as well.
Domains at which registrations can occur are referred to as Public
Suffix Domains (PSDs). This document describes an extension to DMARC
to enable DMARC functionality for PSDs.
This document also seeks to address implementations that consider a
domain on a public Suffix list to be ineligible for DMARC
enforcement.
NEW
DMARC (Domain-based Message Authentication, Reporting, and
Conformance) is a scalable mechanism by which a mail-originating
organization can express domain-level policies and preferences for
message validation, disposition, and reporting, that a mail-receiving
organization can use to improve mail handling.
DMARC uses a Public Suffix List (PSL) to determine what part of a
domain name is the Public Suffix Domain (PSD), below which
organizational domain names are created. DMARC allows organizational
domains to specify policies that apply to their subdomains, but it
does not give that flexibility to PSDs.
This document describes an extension to DMARC to fully enable DMARC
functionality for PSDs. This document also addresses implementations
that consider a domain on a public Suffix list to be ineligible for
DMARC enforcement.
— Section 1 —
OLD
DMARC as specified presumes that domain names present in a PSL are
not organizational domains and thus not subject to DMARC processing;
domains are either organizational domains, sub-domains of
organizational domains, or listed on a PSL. For domains listed in a
PSL, i.e., TLDs and domains that exist between TLDs and organization
level domains, policy can only be published for the exact domain. No
method is available for these domains to express policy or receive
feedback reporting for sub-domains. This missing method allows for
the abuse of non-existent organizational-level domains and prevents
identification of domain abuse in email.
NEW
DMARC as specified presumes that domain names present in a Public
Suffix List (PSL) — Public Suffix Domains (PSDs) — are not
organizational domains and are thus not subject to DMARC processing.
In DMARC, domains fall into one of three categories: organizational
domains, sub-domains of organizational domains, or PSDs. For PSDs,
policy can only be published for the exact domain: no mechanism is
available for PSDs to express policy or receive feedback reporting
for sub-domains. The lack of such a mechanism allows for the abuse
of non-existent organizational-level domains and hampers
identification of domain abuse in email.
— Section 1.1 —
OLD
As an example, imagine a country code TLD (ccTLD) which has public
subdomains for government and commercial use (".gov.example" and
".com.example"). A PSL whose maintainer is aware of this country's
domain structurewould include entries for both of these in the PSL,
indicating that they are PSDs below which registrations can occur.
Suppose further that there exists a domain "tax.gov.example",
registered within ".gov.example", that is responsible for taxation in
this imagined country.
NEW
As an example, imagine a Top-Level Domain (TLD), ".example", that has
public subdomains for government and commercial use (".gov.example"
and ".com.example"). A PSL whose maintainer is aware of this TLD’s
domain structure would include entries for both of these in the PSL,
indicating that they are PSDs below which organizational domains can
be registered. Suppose further that there exists a legitimate domain
called "tax.gov.example", registered within ".gov.example".
OLD
This DMARC record provides policy and a reporting destination for
mail sent from @gov.example. However, due to DMARC's current method
of discovering and applying policy at the organizational domain
level, the non-existent organizational domain of @t4x.gov.example
does not and cannot fall under a DMARC policy.
NEW
This DMARC record provides policy and a reporting destination for
mail sent from @gov.example. Similarly, "tax.gov.example" will have
a DMARC record that specifies policy for mail sent from addresses
@tax.gov.example. However, due to DMARC's current method of
discovering and applying policy at the organizational domain
level, the non-existent organizational domain of @t4x.gov.example
does not and cannot fall under a DMARC policy.
--
Barry
On Mon, Feb 22, 2021 at 9:33 AM Barry Leiba <[email protected]> wrote:
>
> >> > I'm at a loss to understand what's confusing. I'm not convinced that
> >> > "registrations" in the
> >> > context of domain names is unclear to a reader familiar with this space.
> >>
> >> I am absolutely convinced that it is. Think of people in M3AAWG, for
> >> whom this is very relevant. Many of them don't know much about
> >> registries, registrars, and such, and in general, the average reader
> >> won't understand the difference, from a "registration" standpoint,
> >> between facebook.com (which is registered) and "www.facebook.com"
> >> (which is not). To the average reader, "facebook.com" is registered
> >> under com, and "www.facebook.com" is registered under facebook. And
> >> the ones who don't think that will likely not understand why we can't
> >> just talk about second-level domains and be done with it.
> >
> > Actually that's a community that I would expect to know exactly what all
> > those terms mean and
> > how they are all related.
>
> There clearly are some in that community who do. But there are many
> there who don't. This stuff is more esoteric than those of us who are
> in the middle of it often realize.
>
> > I think the use of "registered" seems to be the source of some of this
> > confusion.
>
> Yes, exactly.
>
> > To work with the example you gave here, I agree that "facebook.com" is
> > registered (under "com"), but
> > disagree that "www.facebook.com" is registered at all;
>
> Right, of course it's not. I didn't say that it is: I said that
> people who don't fully understand this stuff *think* it is, and that's
> the part that the text isn't making clear.
>
> > To my mind, "register" involves a specific transaction, sometimes involving
> > money, with whoever gates
> > access to make those delegations.
>
> And that's what we need to explain better in the Introduction.
>
> > How's this?:
> >
> > DMARC (Domain-based Message Authentication, Reporting, and
> > Conformance) is a scalable mechanism by which a mail-originating
> > organization can express domain-level policies and preferences for
> > message validation, disposition, and reporting, that a mail-receiving
> > organization can use to improve mail handling.
> >
> > Within the Domain Name System (DNS) on the public Internet, which is
> > organized as a tree, some nodes of that tree are reserved for use by
> > registrars, who delegate sub-trees to other operators on request. DMARC
> > currently
> > permits expression of policy only for such sub-trees. There is a marked
> > desire to
> > be able to express policy for the reserved nodes as well. This document
> > describes an experimental extension to DMARC to add that capability.
> >
> > If we like that as a replacement Abstract, I'll carry on and propose a
> > revision to the Introduction.
>
> I don't think that really explains it properly either -- I think with
> the above text, it's less confusing, but also not correct, or at least
> not really indicative of what the document is proposing.
>
> I don't have time today, but give me a couple of days to work on the
> Abstract and the Introduction/Example, and I'll propose some specific
> text that we can try out.
>
> Barry
>
> _______________________________________________
> dmarc mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dmarc
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
