RFC 7489 §3.1 requires eTLD+1 (organizational domain) for relaxed alignment. The current 2-label heuristic is wrong for any domain under a multi-part public suffix like .co.uk, .com.au, .gov.uk etc.
Security impact: victim.co.uk and attacker.co.uk both resolve to org domain co.uk under the heuristic, so any two .co.uk senders would incorrectly align in relaxed mode.
Fix: use the psl crate (Mozilla PSL bundled at compile time).
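Added example (not the project's code) contrasting the 2-label heuristic with a public-suffix-aware eTLD+1 lookup and a relaxed-alignment check; the suffix table is a constructed subset of the Mozilla PSL standing in for the `psl` crate, so it runs without external crates.

```rust
/// Constructed subset of public suffixes; the real PSL has thousands of entries.
const PUBLIC_SUFFIXES: &[&str] = &["com", "org", "uk", "co.uk", "gov.uk", "au", "com.au"];

/// Buggy heuristic: organizational domain = last two labels.
/// Collapses every *.co.uk sender onto "co.uk".
pub fn org_domain_two_label(host: &str) -> String {
    let labels: Vec<&str> = host.trim_end_matches('.').split('.').collect();
    let n = labels.len();
    if n <= 2 {
        return host.to_ascii_lowercase();
    }
    labels[n - 2..].join(".").to_ascii_lowercase()
}

/// PSL-aware: organizational domain = longest matching public suffix plus
/// the one label to its left (eTLD+1, RFC 7489 §3.1). Returns None when the
/// host itself is a public suffix or matches nothing in the list.
pub fn org_domain_psl(host: &str) -> Option<String> {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let labels: Vec<&str> = host.split('.').collect();
    // Walk from the full host toward the TLD so the longest suffix wins.
    for start in 0..labels.len() {
        let candidate = labels[start..].join(".");
        if PUBLIC_SUFFIXES.contains(&candidate.as_str()) {
            return if start == 0 { None } else { Some(labels[start - 1..].join(".")) };
        }
    }
    None
}

/// Relaxed alignment: the organizational domains of the authenticated
/// identifier (SPF MAIL FROM or DKIM d=) and the RFC5322.From must match.
pub fn relaxed_aligned(auth_domain: &str, from_domain: &str) -> bool {
    match (org_domain_psl(auth_domain), org_domain_psl(from_domain)) {
        (Some(a), Some(b)) => a == b,
        _ => false,
    }
}

fn main() {
    println!("heuristic: {}", org_domain_two_label("attacker.co.uk")); // co.uk
    println!("psl-aware: {:?}", org_domain_psl("attacker.co.uk")); // Some("attacker.co.uk")
    println!("aligned?  {}", relaxed_aligned("attacker.co.uk", "victim.co.uk")); // false
}
```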