PSL (Public Suffix List)
Learn what the PSL is, how it defines domain ownership boundaries, and how DMARCeye uses it to ensure accurate DMARC alignment and reporting.
What is the PSL (Public Suffix List)?
The Public Suffix List (PSL) is a community-maintained catalog of domain suffixes under which internet users can directly register subdomains. It defines boundaries between registrable domains and higher-level domains managed by registries. In practice, the PSL helps systems determine the organizational domain of an email address or website; for example, recognizing that “example.co.uk” is registrable, while “co.uk” is a public suffix.
The PSL is managed as an open project, originally initiated by Mozilla, and is used by browsers, email security tools, and authentication frameworks to identify domain ownership boundaries. For DMARC, the PSL plays a crucial role in evaluating alignment and determining what constitutes an “organizational domain.”
How the Public Suffix List Works
The PSL contains thousands of entries defining top-level and second-level domains where public registration is allowed. Each entry describes where the boundary lies between a public registry (such as “.com” or “.co.uk”) and an individual registrant’s domain. This distinction allows software to differentiate between different owners and apply consistent security rules.
Example:
example.com → organizational domain: example.com
mail.example.co.uk → organizational domain: example.co.uk
sub.domain.github.io → organizational domain: github.io (since GitHub controls the suffix)
By referencing the PSL, systems can accurately group domains under their true administrative owner. This is essential for evaluating sender identity, enforcing cookie policies in browsers, and preventing cross-domain spoofing in email authentication.
Why the PSL Matters for Email Authentication
In DMARC, SPF, and DKIM, the PSL determines how domains are compared for alignment. For example, mail.example.co.uk and news.example.co.uk are considered part of the same organizational domain because they share the same registrable base—example.co.uk. This prevents attackers from abusing shared public suffixes to impersonate unrelated domains that happen to use the same higher-level structure.
Without the PSL, a system might incorrectly treat example.com and example.co.uk as related or fail to recognize that subdomains under appspot.com belong to separate users. The PSL enables correct and consistent domain boundary enforcement, which is critical for accurate DMARC evaluation and domain-based reputation.
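The alignment comparison described above can be sketched as follows. This is an added example, not DMARCeye's code: the function names are this example's own, and the rule list is a small constructed subset standing in for a current copy of the real list. It goes slightly beyond the text by also handling the PSL's wildcard (`*.ck`) and exception (`!www.ck`) rule forms.

```python
# Constructed subset of PSL rules; a real deployment loads a current copy of
# the full list, which has thousands of entries.
SAMPLE_RULES = ["com", "uk", "co.uk", "appspot.com", "ck", "*.ck", "!www.ck"]


def parse_rules(lines):
    """Split PSL lines into normal/wildcard rules and exception rules."""
    rules, exceptions = set(), set()
    for line in lines:
        line = line.strip().lower()
        if not line or line.startswith("//"):
            continue  # skip blank lines and comments
        if line.startswith("!"):
            exceptions.add(line[1:])
        else:
            rules.add(line)
    return rules, exceptions


def public_suffix_len(labels, rules, exceptions):
    """Return how many trailing labels of the name form its public suffix."""
    best = 1  # PSL default rule "*": an unlisted TLD counts as a suffix
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        n = len(labels) - i
        if candidate in exceptions:
            return n - 1  # exception rule: the suffix is one label shorter
        wildcard = ".".join(["*"] + labels[i + 1:])
        if candidate in rules or wildcard in rules:
            best = max(best, n)  # longest matching rule wins
    return best


def organizational_domain(name, rules, exceptions):
    """Public suffix plus one label; None if the name is itself a suffix."""
    labels = name.lower().rstrip(".").split(".")
    n = public_suffix_len(labels, rules, exceptions)
    if len(labels) <= n:
        return None  # e.g. "co.uk": nothing registrable to the left
    return ".".join(labels[-(n + 1):])


def relaxed_aligned(from_domain, auth_domain, rules, exceptions):
    """Relaxed alignment: both names share one organizational domain."""
    a = organizational_domain(from_domain, rules, exceptions)
    b = organizational_domain(auth_domain, rules, exceptions)
    return a is not None and a == b  # bare suffixes never align (assumption)


RULES, EXCEPTIONS = parse_rules(SAMPLE_RULES)
```

With these rules, mail.example.co.uk and news.example.co.uk align, while two different subdomains of appspot.com do not, because appspot.com is itself listed as a suffix.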
Use Cases Beyond DMARC
The PSL serves several additional functions across the internet ecosystem:
- Web browsers: Determine cookie isolation and prevent cross-site tracking between unrelated registrants.
- Certificate authorities: Validate domain control and prevent issuance of certificates for entire registries.
- Security tools: Identify true domain ownership when analyzing phishing or spoofing activity.
- Analytics platforms: Consolidate metrics at the correct organizational level (for example, counting “example.co.uk” as one entity).
Because the list evolves as new domain structures are introduced, maintaining an up-to-date version of the PSL is essential for all systems that rely on domain boundary logic.
Public Suffix List and DMARCeye
DMARCeye uses the Public Suffix List to accurately group and analyze authentication results across all domains and subdomains owned by an organization. When generating reports, the platform references the PSL to determine the organizational domain responsible for each message source, ensuring correct alignment and policy evaluation.
By leveraging PSL data, DMARCeye helps users identify unauthorized senders that spoof domains under shared suffixes, such as “.edu.au” or “.gov.uk.” The platform also ensures that aggregate and forensic reports accurately reflect legitimate ownership structures, giving organizations precise insight into how their domains and subdomains are used across the global mail ecosystem.