IETF Logo Mail Archive

Re: [dmarc-ietf] NXDOMAIN

Laura Atkins <laura@wordtothewise.com> Tue, 06 April 2021 08:41 UTC

Return-Path: <laura@wordtothewise.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8A8F3A16EE for <dmarc@ietfa.amsl.com>; Tue, 6 Apr 2021 01:41:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wordtothewise.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nlq-Poxh1T4L for <dmarc@ietfa.amsl.com>; Tue, 6 Apr 2021 01:41:03 -0700 (PDT)
Received: from mail.wordtothewise.com (mail.wordtothewise.com [104.225.223.158]) by ietfa.amsl.com (Postfix) with ESMTP id 62BC73A16F3 for <dmarc@ietf.org>; Tue, 6 Apr 2021 01:41:03 -0700 (PDT)
Received: from [192.168.0.227] (unknown [37.228.231.27]) by mail.wordtothewise.com (Postfix) with ESMTPSA id DDD589F149 for <dmarc@ietf.org>; Tue, 6 Apr 2021 01:41:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wordtothewise.com; s=aardvark; t=1617698462; bh=Y4BFSRzXROtsIBcQSC+vvHONiYZOUC8513FJFm4YRKQ=; h=From:Subject:Date:References:To:In-Reply-To:From; b=Z12Ep1a/D0/mKx4f4Gry4fi1kJrEywloex1/hqPzPzCSI2cq4Vr/NwVFD+TpzgknK QLlr8gZW1p9IYhsTwtwURFoYUkSL1h6MuF+rj+JnSCqByStilJEIHEs/F6RVY20LMu lVx2VwMuqpG3RiHu3y30nqNpq+pAs3o0kyCmCWHI=
From: Laura Atkins <laura@wordtothewise.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3287C9D6-BFEC-476A-9B6D-4263ACBD0BF3"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Tue, 06 Apr 2021 09:40:59 +0100
References: <CAH48ZfxjotxU8G4ZucGTqERP0ZXSF8i9EH9vvQyi2SacbPxvvw@mail.gmail.com> <CAHej_8=bMPC3qahKoNZFUncH6wAJgNtcRtFmpteXYmxursV9mg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
In-Reply-To: <CAHej_8=bMPC3qahKoNZFUncH6wAJgNtcRtFmpteXYmxursV9mg@mail.gmail.com>
Message-Id: <D288DDF0-9CDB-46D1-A320-C14A613352BB@wordtothewise.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/AvYJ3TXy6VjeljwwMiyoJLwNbJQ>
Subject: Re: [dmarc-ietf] NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Apr 2021 08:41:08 -0000


> On 5 Apr 2021, at 22:46, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> 
> On Mon, Apr 5, 2021 at 5:02 PM Douglas Foster <dougfoster.emailstandards@gmail.com <mailto:dougfoster.emailstandards@gmail.com>> wrote:
> As a result of earlier discussions, I have been investigating NXDOMAIN as an email filtering criteria.
> 
> One question from those discussions was the best way to detect NXDOMAIN.  I realized that I needed a query which specifically returns NXDOMAIN as a result, not simply the absence of a particular result.   Additionally, a lookup on A/AAAA with results could represent either a domain name with no host segment, or a host segment and a parent domain..   Consequently, the best test seems to query for type=TXT, match=domainname.
> 
> I have applied this rule to incoming RFC5322.MailFrom addresses and found the test to be useful.  For my mail stream, 20% of the messages with SPF=NONE have this result because of NXDOMAIN.  The percentages were roughly equal whether evaluating unique domain names or unique messages.  
> 
> While both SPF=NONE and SPF=NXDOMAIN are indicators that the message is probably unwanted, NXDOMAIN has a higher probability of being unwanted.
> 
> I have not yet begun evaluating NXDOMAIN on the RFC5322.From address, but hope to get that done in the weeks ahead.   
> 
> Is anyone else collecting data on NXDOMAIN, and able to share experience?
> 
> 
> I can share experience...
> 
> Several jobs ago, when I was in position to set anti-spam policy for a mid-sized US-based cable ISP, if the RFC5321.From or RFC5322.From domain lacked both an MX record and an A/AAAA record, that was enough for me to reject the mail on the grounds that I was unwilling to accept anything to which the recipient could not reply. I don't recall any complaints from my side of the transaction.
> 
> I'm not sure I'd make the same decision based on the lack of an SPF record, especially for the RFC5322.From domain, since SPF is keyed to the RFC5321.From domain (or the EHLO name), and so I have no expectations that an SPF record will exist for the RFC5322.From domain.

There is a huge amount of dis- and mis-information about SPF for the 5322.from domain. Many, and I mean an embarrassingly high number of ‘many’, ESPs actually suggest that their customers publish include: _spf.espdomain.example in their 5322.from domain TXT record. This eventually causes operational issues due to more than 10 DNS lookups. 

Some of this was done because the ESP folks don't understand the SPF spec. But some of this was done because a large ISP decided to check SPF records on the 5322.from domain and delivery would suffer if there was no SPF. 

Misapplying SPF to the 5322.from is a bad idea and only compounds mistakes of the past. 

> Even a lack of SPF for the RFC5321.From domain doesn't, for me, automatically rule out a message. I'd be more inclined to reject mail where the SPF record ended in "+all" than I would where there was no SPF record, because "+all" lands differently for me than does "no SPF record published". Both say that the domain owner doesn't care about SPF, but "+all" strikes me as overt disregard for SPF, while a lack of a record might just signal less hostility. 

I agree with the sentiment here. Lack of any SPF record, particularly for small and non-bulk mail, simply means someone stood up a mailserver (or started using a service) without fully setting it up. That could be a mistake, or intentional, or malicious and experience tells us all of those are possible. Contrast that with a +all record, where experience tells us that is usually malicious. I actually found a +all in the wild in the past few weeks. It was in the process of investigating a client’s customer due to suspected spam. The +all was yet more confirmation that the customer was a spammer (as if the swedish hashbusting text and CAN SPAM violations weren’t enough). 

laura 

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
laura@wordtothewise.com
(650) 437-0741		

Email Delivery Blog: https://wordtothewise.com/blog

v2.23.0 | Report a Bug | By Email