Re: [dmarc-ietf] Nitpicky questions about DMARC record syntax

Grant Taylor <> Thu, 17 January 2019 16:10 UTC


On 01/16/2019 11:34 AM, Grant Taylor wrote:
> However I feel like rejecting things because of additional white space 
> (in front of v=...) or the wrong case is being a little bit pedantic.
> Rather, I think that if removing a spurious / leading space or folding 
> case causes the DMARC record to be valid, it behooves us to tolerate 
> such minor errors.
> I don't want to be so pedantic that people push back on adopting what I 
> (and I assume others) think is a good technology.
> Is doing so against the letter of the specification, absolutely.  Is it 
> within the spirit of the specification, I think so.

I've seen a number of intriguing, if not compelling, replies in this 
thread.  Some of which have changed my thoughts some.

I now concede accommodating a leading space is questionable.

However I still feel like /requiring/ exact case is contrary to the idea 
of "Be liberal in what you accept and conservative in what you send.".

I don't see any security implications in accepting the following:

dmarc-version = ("v" / "V") *WSP "=" *WSP
                ("D" / "d") ("M" / "m") ("A" / "a") ("R" / "r") ("C" / "c") "1"

I agree that this is contrary to the letter of the specification. 
However I think it is completely within the spirit.  Especially when 
dealing with DNS data which is inherently / invariably human entered.

I don't (yet) see any security implications of accepting improper case 
record data for the dmarc-version *IF* that is the /only/ TXT record at 
a given QName that is DMARC related.  -  If there are multiple DMARC 
records, especially if they are conflicting, strictly adhere to the 

I'm curious if anyone sees any security implications with the above 

This is me trying to learn and understand.  I'm not trying to argue one 
way or the other.

Grant. . . .
unix || die
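
An added example, not part of the message above and not taken from any DMARC implementation: a record selector that accepts the case-relaxed dmarc-version only when it is the sole DMARC-related TXT record at the QName. The names (select_dmarc_record, STRICT, TOLERANT) and the sample records are hypothetical; it assumes "strict" means the exact-case form, and that with several DMARC-related records only a unique exact-case record is honoured.

```python
import re

# Exact-case form, as the message frames the letter of the specification.
STRICT = re.compile(r"v[ \t]*=[ \t]*DMARC1[ \t]*(?:;|\Z)")
# The relaxed dmarc-version from the message: any case, no leading whitespace.
TOLERANT = re.compile(STRICT.pattern, re.IGNORECASE | re.ASCII)


def select_dmarc_record(txt_records):
    """Pick the DMARC record from the TXT strings found at one QName.

    Returns (record, mode) with mode "strict" or "tolerant", or
    (None, reason) with reason "none" or "ambiguous".
    """
    strict = [r for r in txt_records if STRICT.match(r)]
    related = [r for r in txt_records if TOLERANT.match(r)]
    if not related:
        return None, "none"
    if len(related) == 1:
        # Sole DMARC-related record: wrong case is tolerated, but flagged.
        return related[0], "strict" if strict else "tolerant"
    # Several DMARC-related records: tolerance is switched off, so a
    # wrong-case record can never compete with or override a valid one.
    if len(strict) == 1:
        return strict[0], "strict"
    return None, "ambiguous"


# Constructed sample TXT record sets (hypothetical, not from the thread).
SAMPLES = {
    "exact": ["v=DMARC1; p=reject"],
    "wrong case, alone": ["V = dmarc1; p=none"],
    "wrong case next to exact": ["v=dmarc1; p=none", "v=DMARC1; p=reject"],
    "two wrong-case records": ["v=dmarc1; p=none", "V=Dmarc1; p=reject"],
    "leading space": [" v=DMARC1; p=reject"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, "->", select_dmarc_record(records))
```

Returning the mode lets a receiver log or count "tolerant" matches separately, so the effect of the relaxation can be measured before relying on it.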