The starting point for a non-PSL, high-performance algorithm is to migrate the PSL into the DNS by adding a token for "orgname=FQDN".
If the FQDN equals the current domain, the policy is an organizational domain policy. (orgname=me could be a shorthand for this.) If the FQDN is a parent domain, the policy is a single-subdomain policy. If the FQDN is neither of these, then it is malformed and ignored.

If the exact-match check detects an organizational policy, then the search is complete; no verification is needed. If it detects a single-subdomain policy, then the orgname=FQDN token indicates the organizational domain. If the orgname token is missing (or invalid), then the PSL is used to determine the organizational domain.

Although an upward attack on one's registrar seems self-destructive and therefore unlikely, it is desirable to provide some integrity checks to verify that an asserted organizational domain is the correct one, both because it declares itself as an organizational domain and because there is no organizational boundary between the asserted organizational domain and the From address domain. There are two ways to do this, which I will send later, as a separate topic.

Doug Foster
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
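The discovery algorithm sketched in the post, as an added worked example that is not part of the original message or of any DMARC implementation. DNS is replaced by an in-memory dictionary of constructed `_dmarc` TXT records, the public suffix list is a constructed four-entry toy, and the `verify_asserted_org` check is one possible reading of the two conditions the post names (the asserted domain declares itself organizational, and no label between it and the From domain declares its own boundary); the post's actual verification methods are not on the page, so that function is an assumption, not the author's method.

```python
# Added example: "orgname=FQDN" organizational-domain discovery with a PSL fallback.
# All records, the PSL and the domain names below are constructed for illustration.

# Constructed stand-in for DNS: "_dmarc.<name>" -> TXT record text
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; orgname=me",
    "_dmarc.mail.example.com": "v=DMARC1; p=quarantine; orgname=example.com",
    "_dmarc.acme.co.uk": "v=DMARC1; p=none; orgname=acme.co.uk",
    # malformed: orgname is neither the domain itself nor one of its parents
    "_dmarc.bad.example.net": "v=DMARC1; p=none; orgname=other.org",
    # a subtree that declares its own organizational boundary
    "_dmarc.rogue.example.com": "v=DMARC1; p=none; orgname=me",
}

# Constructed toy Public Suffix List (the real list has thousands of entries)
PSL = {"com", "net", "org", "co.uk"}


def parse_tags(txt):
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def is_parent(parent, child):
    """True when `parent` is a strict ancestor of `child` in the DNS tree."""
    return child != parent and child.endswith("." + parent)


def classify_record(domain, txt):
    """Return (kind, org_domain) for the orgname token of one record."""
    org = parse_tags(txt).get("orgname")
    if org is None:
        return ("missing", None)
    org = org.lower().rstrip(".")
    if org == "me" or org == domain:
        return ("organizational", domain)
    if is_parent(org, domain):
        return ("subdomain", org)
    return ("malformed", None)


def psl_org_domain(domain):
    """Classic PSL rule: longest known public suffix plus one more label."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSL:
            return domain if i == 0 else ".".join(labels[i - 1:])
    return domain  # no known suffix: treat the whole name as organizational


def org_domain(domain, dns=DNS):
    """Exact-match lookup first; fall back to the PSL when the token is absent or bad."""
    txt = dns.get("_dmarc." + domain)
    if txt is not None:
        kind, org = classify_record(domain, txt)
        if kind == "organizational":
            return (org, "exact-match")
        if kind == "subdomain":
            return (org, "orgname")
    return (psl_org_domain(domain), "psl")


def verify_asserted_org(from_domain, asserted, dns=DNS):
    """Integrity check (assumed reading of the post): the asserted domain must
    declare itself organizational, and no name strictly between it and the
    From domain may declare its own organizational boundary."""
    if not is_parent(asserted, from_domain):
        return False
    txt = dns.get("_dmarc." + asserted)
    if txt is None or classify_record(asserted, txt)[0] != "organizational":
        return False
    below = from_domain[: -len(asserted) - 1].split(".")  # labels under `asserted`
    for i in range(1, len(below)):
        name = ".".join(below[i:]) + "." + asserted
        t = dns.get("_dmarc." + name)
        if t is not None and classify_record(name, t)[0] == "organizational":
            return False
    return True


if __name__ == "__main__":
    for d in ["example.com", "mail.example.com", "bad.example.net", "deep.sub.example.com"]:
        print(d, "->", org_domain(d))
    print(verify_asserted_org("mail.example.com", "example.com"))
    print(verify_asserted_org("x.rogue.example.com", "example.com"))
```

Running the block shows the three outcomes the post distinguishes: `example.com` and `acme.co.uk` resolve by exact match, `mail.example.com` takes its organizational domain from the token, and `bad.example.net` (malformed token) and `deep.sub.example.com` (no record) fall back to the PSL. The verification rejects `x.rogue.example.com` asserting `example.com` because `rogue.example.com` sits between them and declares its own boundary.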
