Limitations of the Tree Walk method, listed roughly from highest to lowest importance
Private Registries

The PSL has data on private registries, while the tree walk will only know about private registries if and when each registry or its clients publish DMARC policies.

Exceptions

The PSL is easily supplemented and corrected by adding or deleting line items during or after the list is loaded. The Tree Walk does not provide a straightforward exception process. One of the most intuitive exception structures for Tree Walk would be to create a domain list similar to the PSL, and modify the algorithm to check it. Once that framework is in place, populating the exception list with the PSL is a logical step. Loading the PSL as an exception list will fix the private registry problem, but will dismantle the idea of PSL elimination.

Non-participant cost on evaluators

The Tree Walk is particularly expensive when the domain does not participate in DMARC and the PSD does not publish a policy record, because the walk proceeds all the way up the tree to the TLD. Since we think only 5% of domains currently publish DMARC policies, this is a lot of work for no result. If the implemented Tree Walk process requires checking for both a policy record and an exception record at each step up the tree, the performance concerns are that much greater.

The PSL requires at most two table lookups for the From address, and two table lookups for each domain being tested for alignment. This means that the RFC 7489 algorithm impacts all evaluators and all mail streams equally. By comparison, the Tree Walk has increasing cost as the length of the domain names increases. Based on my mail stream, RFC5322.From domains, which occur only once per message, tend to be short. In contrast, MailFrom and DKIM candidate domains, which have multiple entries per message, tend to be longer. The performance penalty for the Tree Walk will affect evaluators differently, depending on their mail stream.

PSD protection

The PSL provides a list of multi-segment PSDs that never send mail, and consequently evaluators can use the list to prevent impersonation of those names. The Tree Walk only protects multi-segment PSDs which publish a policy record. (Single-segment PSDs do not need external protection, since evaluators can implement a static rule that TLDs are PSDs, never send mail, and are never valid as an RFC5322.From domain.)

DMARC results without a DMARC policy

Notwithstanding the pushback I received over this issue, it is a significant point that evaluators can use the PSL and relaxed alignment to compute a DMARC PASS result for messages from domains that do not publish a DMARC policy. DMARC PASS allows whitelisting to be done without concerns about impersonation of the trusted source. Since whitelisting needs are not limited to DMARC-participating domains, the need for a DMARC result is not limited to domains that publish a policy record.

Domains without Organizational Domain policies

When an exact-match subdomain policy is available, the PSL can determine alignment without need for an organizational domain policy. The Tree Walk cannot determine relaxed alignment unless the organizational domain is present. This is probably a rare occurrence, but it is a consideration.

Doug Foster
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
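The query-cost and alignment arguments in the post above can be checked with a small simulation. The following is an added example, not code from the post or from any DMARC implementation: the public-suffix entries and the _dmarc zone data are constructed, the resolver only counts lookups against that table, and the Tree Walk is the simplified form the post describes (one label at a time up to the TLD, stopping at the first policy record), not the exact DMARCbis algorithm. Function names such as psl_policy, tree_walk and cost_report are this example's own.

```python
"""Cost and capability comparison: PSL lookup vs DNS Tree Walk for DMARC.

Added example, not code from the mailing-list post. DNS data and the
public-suffix table below are constructed. The Tree Walk is the simplified
form the post describes (walk one label at a time up to the TLD until a
_dmarc policy record is found), not the exact DMARCbis algorithm.
"""
from dataclasses import dataclass, field

# Constructed public-suffix entries (a tiny subset of the real PSL).
PSL = {"com", "org", "uk", "co.uk"}

# Constructed zone data: only these names publish a _dmarc TXT record.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject",
    "_dmarc.bank.co.uk": "v=DMARC1; p=quarantine",
}


@dataclass
class Resolver:
    """Stand-in for a DNS resolver that counts every query issued."""
    queries: int = 0
    log: list = field(default_factory=list)

    def txt(self, name):
        self.queries += 1
        self.log.append(name)
        return DMARC_RECORDS.get(name)


def psl_org_domain(domain):
    """Organizational domain per RFC 7489: longest matching public suffix
    plus one label. Pure table lookups, no DNS traffic at all."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSL:
            # The name itself is a public suffix: it has no org domain and
            # is never a valid RFC5322.From domain.
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def psl_policy(domain, resolver):
    """RFC 7489 policy discovery: exact name, then org domain. At most two
    DNS queries regardless of how many labels the name has."""
    rec = resolver.txt(f"_dmarc.{domain}")
    if rec is not None:
        return domain, rec
    org = psl_org_domain(domain)
    if org and org != domain:
        rec = resolver.txt(f"_dmarc.{org}")
        if rec is not None:
            return org, rec
    return None, None


def tree_walk(domain, resolver):
    """Simplified Tree Walk: query each ancestor up to the TLD until a
    policy appears. A non-participating domain costs one query per label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rec = resolver.txt(f"_dmarc.{name}")
        if rec is not None:
            return name, rec
    return None, None


def relaxed_aligned_psl(from_domain, other_domain):
    """PSL relaxed alignment needs no policy record: always True/False."""
    a, b = psl_org_domain(from_domain), psl_org_domain(other_domain)
    return a is not None and a == b


def relaxed_aligned_tree_walk(from_domain, other_domain, resolver):
    """Tree Walk relaxed alignment: None (undetermined) when either side
    publishes no policy anywhere up its tree, because no org domain can
    be derived for it."""
    a, _ = tree_walk(from_domain, resolver)
    b, _ = tree_walk(other_domain, resolver)
    if a is None or b is None:
        return None
    return a == b


def cost_report(domain):
    """DNS query counts for policy discovery under both methods."""
    r_psl, r_walk = Resolver(), Resolver()
    psl_policy(domain, r_psl)
    tree_walk(domain, r_walk)
    return {"psl_queries": r_psl.queries, "tree_walk_queries": r_walk.queries}


if __name__ == "__main__":
    for d in ("mail.example.com", "bulk.mail.bank.co.uk",
              "a.b.c.d.nopolicy.org"):
        print(d, cost_report(d))
    print("PSL alignment:", relaxed_aligned_psl("nopolicy.org", "bounce.nopolicy.org"))
    r = Resolver()
    print("Tree Walk alignment:",
          relaxed_aligned_tree_walk("nopolicy.org", "bounce.nopolicy.org", r),
          "after", r.queries, "queries")
```

The constructed non-participating name a.b.c.d.nopolicy.org costs the walk six queries against the PSL method's two, and the walk returns no organizational domain, so the alignment check for the nopolicy.org pair comes back undetermined after five wasted queries, whereas the PSL derivation answers True without touching DNS.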
