(At least, not if you ever intend to use it for email. It might break the domain for email, maybe forever.)
The Public Suffix List is a manually maintained list of domains that’s mostly used to help web browsers prevent data stored by one web site being seen or modified by another. As most websites use cookies to secure user logins, that’s critically important.
Loosely, the Public Suffix List allows a browser to know that login.blighty.com[1] and images.blighty.com are operated by the same owner, and should potentially have access to cookies set by the other. And, conversely, that login.example.com and login.example.org shouldn’t have access to each other’s cookies.
As well as traditional “top level domains” like .com or .ac.uk, the public suffix list also accepts submissions from domain owners who want browsers to enforce this sort of segregation between their subdomains. A common example is a service where customer-maintained web content is available at customer-specific subdomains, perhaps for personal blogs where “https://steves-blog.example.com/” is a more saleable service than “https://example.com/~steves-blog”.
If you’re offering this sort of service you should think about registering the domain you host your customer content under with the public suffix list. It adds significant security between your users.
But
But. If you add your domain you might make it unusable for use in email. Perhaps forever.
How so? DMARC uses the public suffix list as part of its algorithm to decide whether two hostnames (such as the one in the From: headers and the d= in the DKIM signature) are aligned. If they’re not aligned, DMARC will fail.
And if you add example.com to the public suffix list, example.com will not be considered aligned with anything. And immediate subdomains, such as a.example.com and b.example.com won’t be considered aligned with each other.
That means there’s no way to get SPF alignment if you have “From: <hello@example.com>” as your from address. Normally you’d use a subdomain (e.g. bounces.example.com) in your return path, allowing your ESP to handle bounces and still get DMARC alignment. But that won’t work now. Oops.
DKIM is only going to be considered aligned if the d= domain is identical to the domain in the From: header, so use of d= subdomains to identify different mail streams is right out. And, depending on how the recipients’ DMARC checker is implemented, even mail with identical From and d= domains might not be treated as aligned.
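To make the alignment problem concrete, here is an added example that is not part of the original post: a small Python model of how DMARC derives the “organizational domain” from the Public Suffix List (the procedure in RFC 7489 section 3.2: longest matching public suffix, plus one label to its left) and then compares the From: domain with the SPF and DKIM d= domains. The PSL excerpt embedded below is constructed for the example, not the real list, and the second copy of it simply has example.com appended, which is exactly the change the post warns about.

```python
"""Added worked example: DMARC relaxed alignment and the Public Suffix List.

The PSL text below is a constructed excerpt in the real list's format
(one rule per line, "//" comments, "*." wildcard rules, "!" exceptions).
The real list lives at https://publicsuffix.org/list/public_suffix_list.dat
"""

# Constructed baseline excerpt of a Public Suffix List.
PSL_BASELINE = """
// ICANN domains
com
org
uk
ac.uk
co.uk
// wildcard and exception rules, as the real list also uses
*.ck
!www.ck
// private section: a blog host that registered its customer domain
myblogs.example
"""

# The same excerpt after a hypothetical owner submits example.com to the list.
PSL_WITH_EXAMPLE_COM = PSL_BASELINE + "example.com\n"


def parse_psl(text):
    """Return the set of rules in PSL text, dropping comments and blank lines."""
    rules = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.add(line.lower())
    return rules


def organizational_domain(host, rules):
    """Organizational Domain as DMARC derives it (RFC 7489 section 3.2):
    the longest public suffix that matches the host, plus one more label
    to its left. Exception ("!") rules override wildcard ("*.") and plain
    rules; a host matching no rule treats its last label as the suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 1  # implicit "*" rule: the TLD alone is a public suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        parent = ".".join(labels[i + 1:])
        length = len(labels) - i
        if "!" + candidate in rules:
            suffix_len = length - 1  # exception: the suffix is one label shorter
            break
        if candidate in rules or (parent and "*." + parent in rules):
            suffix_len = max(suffix_len, length)
    keep = min(len(labels), suffix_len + 1)
    return ".".join(labels[-keep:])


def relaxed_aligned(from_domain, auth_domain, rules):
    """DMARC relaxed alignment: both names share an Organizational Domain."""
    return organizational_domain(from_domain, rules) == organizational_domain(auth_domain, rules)


def strict_aligned(from_domain, auth_domain):
    """DMARC strict alignment: the names must be identical."""
    return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")


def alignment_report(from_domain, spf_domain, dkim_d, psl_text):
    """Evaluate a From: domain against its SPF (return-path) domain and
    DKIM d= domain using the supplied PSL text."""
    rules = parse_psl(psl_text)
    return {
        "org_domain": organizational_domain(from_domain, rules),
        "spf_relaxed": relaxed_aligned(from_domain, spf_domain, rules),
        "dkim_relaxed": relaxed_aligned(from_domain, dkim_d, rules),
        "dkim_strict": strict_aligned(from_domain, dkim_d),
    }


if __name__ == "__main__":
    # The post's setup: From: example.com, bounces on a subdomain, d= on a subdomain.
    for name, psl in (("baseline PSL", PSL_BASELINE),
                      ("example.com on the PSL", PSL_WITH_EXAMPLE_COM)):
        print(name, alignment_report("example.com", "bounces.example.com",
                                     "news.example.com", psl))
```

With the baseline list the relaxed SPF and DKIM checks pass, because all three names collapse to example.com. Once example.com is itself a public suffix, bounces.example.com and news.example.com each become their own organizational domain and nothing aligns any more. Note that this model still treats a From: domain identical to the d= domain as aligned; the post’s caveat is that some real checkers may not even do that.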
As DMARC moves towards being a required part of email, this gets worse.
Forever?
You can remove a domain from the public suffix list – but it’s not a list that’s queried in real time. Rather, it’s downloaded once by a software developer and compiled into an efficiently searchable data structure. That’s then compiled into a piece of software and sent to users.
Maybe the developer will update the copy of the PSL they use for each release. Maybe they won’t. They’re probably using an upstream library rather than implementing it themselves, and due to dependency management even if the upstream library is updated the application using it may still use the older version of it. Perhaps for years, perhaps forever.
And even if the application is updated, that doesn’t mean it’ll be updated on ISPs machines immediately.
This isn’t theoretical. I’m seeing DMARC failures at Gmail that I can’t explain any other way for a domain that was removed from the public suffix list nearly a year ago.
This seems bad
It does. Piggybacking email authentication onto a browser cookie security infrastructure may not have been the best idea.
There is work being done to move DMARC away from using the PSL, rather using records added to DNS. It’s not clear when, or if, it’ll be universally supported but it’s likely to be used by large mailbox providers, at least, eventually.
The nice folks at the public suffix list use git to track changes to the list, so if you ever need to check whether a domain has ever been on the public suffix list you can do this to see all the changes:
$ git clone https://github.com/publicsuffix/list.git
$ cd list
$ git log --follow -p -- public_suffix_list.dat | less
[1] I use blighty.com as an example domain a lot, as it’s a domain I own and it’s a bit more interesting than using example.com everywhere. Maybe I should let friends volunteer their domains for tuckerization?