Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

[Ian Levy <ian.levy@ncsc.gov.uk>]

> Mail.ru reports seem to be missing from non-existing domains.  

Yep, that's our experience. We get plenty of DMARC reports from mail.ru in the course of normal business; just not in the non-existent domain case. Interesting that your experience was different, though. 

> It is possible that some cases of non-existent domain are treated as a short-cut

That's certainly my assumption.

I think the point is that the current behaviour is inconsistent (even more inconsistent than 'real DMARC'), hence the need for this experiment. I mentioned the report yesterday. It's now published and linked off here : https://www.ncsc.gov.uk/blog-post/active-cyber-defence--acd---the-second-year

There's a whole section on our experience and work on DMARC that may be interesting to the group, including some of the effects of the specific problem we're talking about here. 

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre
ian@ncsc.gov.uk

Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk

(I work stupid hours and weird times – that doesn’t mean you have to. If this arrives outside your normal working hours, don’t feel compelled to respond immediately!)

-----Original Message-----
From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Alessandro Vesely
Sent: 16 July 2019 15:53
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

On Mon 15/Jul/2019 09:08:04 +0200 Ian Levy wrote:

> Sorry for not contributing more to this thread - please don't take it as any indication of lack of interest. For UK NCSC specifically, I think we'd prefer NXDOMAIN rather than NODATA, given it's more constrained and this is an experiment. My view would be that if we've published a name under gov.uk, even with no valid (in the eyes of the receiver) associated records, then *someone* is responsible for it and we can go find and educate them. They may even believe they have a valid reason for doing so that may outweigh any email authentication concerns. But there's a conversation to be had. If there's no published name, then there's no-one responsible, so it should default to the top-level policy.


I agree that np should default to p.  The original wording for sp is also simpler than''If absent, the policy specified by the "sp" (if present) and then the "p" tag, if not, MUST be applied for non-existent subdomains.''  (BTW, mind that "sp" instead of "np" in the new tag's definition.)


> [...]
> Here's the volume of reports received on our normal DMARC processing chain in January 2019 (noting Microsoft are one of the bigger providers in the UK and *still* don't generate any reports):
>
> Reporter      Total Reports
> google.com    61,363,605
> Yahoo! Inc.   18,876,201
> Mail.Ru       699,554
> sercoglobal.com 227,587
> AMAZON-SES    178,262


That is at odds with the order reported by dmarcian:

NetEase (163.com, 126.com, yeah.net)
Google *
Yahoo!
Microsoft
AOL
cisco Systems
DHL
Comcast *
Tencent (qq.com)
Mail.ru
.... https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdmarc.org%2Fstats%2Fdmarc-reporting%2F&amp;data=02%7C01%7Cian.levy%40ncsc.gov.uk%7Cb422dd587d5543c6142908d709fd6300%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C636988856820114383&amp;sdata=8ikFqwHQDkEaOQVJslti2vYNp8jYWU4C7omM7SJAAuY%3D&amp;reserved=0
(That used to be on dmarcian, but couldn't find it any more)


> And here's the volume for the same month for the synthetic DMARC reports :
> Reporter              Total Reports
> google.com            23,745
> Yahoo! Inc.           1,060
> emailsrvr.com                 64
> dev.johnlewis.co.uk   37
> bridgend.gov.uk       30
>
> Just from that, it's pretty clear that the synthesized DMARC records are not universally processed, which gives weight to completing this work and starting to try things out. Given the level of inconsistency we see in receiver behaviour, I think it'd be easier to start with NXDOMAIN and see what that actually achieves.
>
> I may well be missing something subtle, so please correct me if I've got this wrong.


Hmm...  Mail.ru reports seem to be missing from non-existing domains.  My experience differs slightly.  Yesterday I sent a few messages to mail.ru.  Five of them from a nonext domain (IP 5.170.8.66), all of which were rejected, two of which were reported in the aggregate report attached.  However risible these numbers may sound when compared to yours, it is clear that not all messages are reported.

It is possible that some cases of non-existent domain are treated as a short-cut, skipping message registration and DMARC verification altogether, even if the reject always came after DATA...  Just mumbling.  Considering that most DMARC packages work as mail filters, I'd expect messages filtered out before will never make their way to aggregate reports.  Is that a DMARC violation?


Best
Ale
--












This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©