IETF Logo Mail Archive

Re: [dmarc-ietf] NXDOMAIN

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 06 April 2021 11:54 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 896183A1E1D for <dmarc@ietfa.amsl.com>; Tue, 6 Apr 2021 04:54:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X5Occeq7yGFg for <dmarc@ietfa.amsl.com>; Tue, 6 Apr 2021 04:54:14 -0700 (PDT)
Received: from mail-ua1-x92c.google.com (mail-ua1-x92c.google.com [IPv6:2607:f8b0:4864:20::92c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD22B3A1DFD for <dmarc@ietf.org>; Tue, 6 Apr 2021 04:54:14 -0700 (PDT)
Received: by mail-ua1-x92c.google.com with SMTP id r8so4523500ual.9 for <dmarc@ietf.org>; Tue, 06 Apr 2021 04:54:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9mf4a4bHwaXEZETHWFMPPSC9YfqVjlK6aLRHNE6eWQE=; b=JFkTKg3Sxuz/yPPwiUyQFrKjj5mj1KxK0IxoZwhrKhQfdxQ2nNIzEAwh+cogPYhnnA 23j6Wapz2in/jnLXGYjBUrEUnCgZEQtGvop6PNCDzAYWpub200AEeP0QuafcNYEGxc6N NGVwVQAl/JYTokdyHX0L33QnQzIe6vem6Wxah3d2x6yrIy4H1YJ/aNYbKZHfU3Y7Qh5g qJfGzVfBpim3fqLqjKM+uIHQpMnJ6OQkpkg9++Y6tXISBAJXWBzUeHdnoIaOaXijYtZK 1ObJEv7Wqq079Ykki2a1RV0Eqt/NJwK8EaFanB4whuOSl0+wuH4SKOpCsB0dTwDy3FVh E3AQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9mf4a4bHwaXEZETHWFMPPSC9YfqVjlK6aLRHNE6eWQE=; b=EnfpQiluM72831LOnT2tMFHaPio6gY1ZKmSttJiT5u+fOkeU8GZejsFzKPrly9+ua9 Otwxmdbht2N2x+koNwo+c+wg42o4ULoT8tsSGRwR7XOEk+BWYDbuCMEVAkcG+zgYxqwn luKUP2ckIdifvlZamXbQg3B5eQ37kdqNzlVW37TtFdfA3pUjH8n/NINJ+2Ixa+LA4C1F 05trKM2Xtb/wI2Gw2IMV01zfq8B5n/wO+N+aNbchNiHJ1Ik72pAyYfWCPpLLhFa5sMhU uL4opkyKwqP3EIWw+1l+fwXhoqwtVVHrJKNR34Yr+TTHx0QceLnCsHW+v/OylSThTzdU SZlA==
X-Gm-Message-State: AOAM530dZUQLOBsjhTwF+dNE2rjm8xyVePHhuUFdopy7+dCxYgCqiBfe rx/ZKhNXhoDwQD4geibmo2vnmxBhFv00tVjQm9E=
X-Google-Smtp-Source: ABdhPJyGr0Hg7m5KQJQV2wAFF5ylWlnT+bqSWOtCm6GDLmLYIyQhZXSlwnqSuCcGGOAFIgam85QX7Ey4+Wd7zmaffEw=
X-Received: by 2002:ab0:45ae:: with SMTP id u43mr41971uau.109.1617710052794; Tue, 06 Apr 2021 04:54:12 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48ZfxjotxU8G4ZucGTqERP0ZXSF8i9EH9vvQyi2SacbPxvvw@mail.gmail.com> <CAL0qLwa-ZkwxF=-9T42_d-pPrmVpMTZ0gMyq+4i1zXrZGPK1fQ@mail.gmail.com>
In-Reply-To: <CAL0qLwa-ZkwxF=-9T42_d-pPrmVpMTZ0gMyq+4i1zXrZGPK1fQ@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 06 Apr 2021 07:54:09 -0400
Message-ID: <CAH48Zfx6mdmwiBtD0nRKMsuxwPkh7Wm7aX_qdUEt=4+OM6DG2g@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000be47205bf4c79fd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CHjvEusaJBy1CVuuqcR5RGbSxEw>
Subject: Re: [dmarc-ietf] NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Apr 2021 11:54:21 -0000

No typo.   I was looking to do better than SPF NONE, and NXDOMAIN was the
first thing that came to mind.

If the SPF Policy lookup returns NXDOMAIN, then we are at a full stop with
all the information needed to make a decision.   (The sender is violating
ICANN name registration policies).   Ignoring NXDOMAIN and continuing to
look for MX/A/AAAA is a waste of information and a waste of resources.

But clearly, the norm in this group is to check MX/A/AAA because it seems
likely to be a more powerful filter.   I wonder if that is actually true.
1)  A/AAAA is a pretty weak test, since many domains have A/AAAA records on
the domain name for web purposes.
2) Existing domain names that are being used for attacks are likely to have
an MX record, if for no other reason than updating a LetsEncrypt
certificate.
 Will someone collect data on frequency that a domain fails MX/A/AAA when
the domain exists?

Additionally, the connection between mail sending (SPF) and mail receiving
(MX/A/AAAA) seems tenuous to me.   Well-run domains do not send automatic
messages to unauthorized return paths, for fear of backscatter.   Many
domains seem to discard incoming automatic messages, either for fear of
attack or because the reply is too hard to integrate into automated systems.

I do respond to SPF NONE by applying a best-guess SPF policy which includes
MX and A, and sometimes produces SPF PASS.   But I no longer do that for
non-existent domains.

I can imagine collecting MX and A existence data while evaluating the
default SPF policy, but I worry about the complexity of doing so, and doubt
the benefit.   Doing it as a separate step is easy enough, but adds
unwanted overhead.

Overall, we have these result partitions for domains with SPF NONE:
1) Domain does not exist, NXDOMAIN
2) Domain exists but MX/A/AAAA do not exist
3) Domain exists and MX/A/AAAA exist but do not validate the source IP
4) Domain exists and source IP can be validated with MX/A/AAAA, producing
an inferred SPF PASS.

I want to be convinced that result #2 is a non-trivial volume of messages.
  If #2 is a trivial volume, then there is no loss from combining it with
#3, which makes the extra MX/A/AAAA test unnecessary

Convince me.

Doug.


On Mon, Apr 5, 2021, 9:07 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Mon, Apr 5, 2021 at 2:02 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> As a result of earlier discussions, I have been investigating NXDOMAIN as
>> an email filtering criteria.
>>
>> One question from those discussions was the best way to detect NXDOMAIN.
>> I realized that I needed a query which specifically returns NXDOMAIN as a
>> result, not simply the absence of a particular result.   Additionally, a
>> lookup on A/AAAA with results could represent either a domain name with no
>> host segment, or a host segment and a parent domain..   Consequently, the
>> best test seems to query for type=TXT, match=domainname.
>>
>> I have applied this rule to incoming RFC5322.MailFrom addresses and found
>> the test to be useful.  For my mail stream, 20% of the messages with
>> SPF=NONE have this result because of NXDOMAIN.  The percentages were
>> roughly equal whether evaluating unique domain names or unique messages.
>>
>> While both SPF=NONE and SPF=NXDOMAIN are indicators that the message is
>> probably unwanted, NXDOMAIN has a higher probability of being unwanted.
>>
>> I have not yet begun evaluating NXDOMAIN on the RFC5322.From address, but
>> hope to get that done in the weeks ahead.
>>
>> Is anyone else collecting data on NXDOMAIN, and able to share experience?
>>
>
> Due to terminology pedantry, I'm having trouble understanding this.
> Someone please check my math here:
>
> If I ask for MX records for example.com, NXDOMAIN comes back as the
> response's error code not if there's no MX record for that name, but rather
> if there are no records of any kind for that name.  On the other hand, if
> there's no MX but there is an A or AAAA, I'm going to get a success error
> code (NOERROR), but with an answer count of 0.
>
> So I don't know what "detect NXDOMAIN" means: Your DNS reply either has
> that error code, or it doesn't.
>
> If instead you're trying to determine whether a name can receive mail, at
> least according to DNS data, it seems to me you query one record type (MX)
> and see if you get >0 answers, 0 answers, or NXDOMAIN.  If you got
> NXDOMAIN, you're done; there's no way to route this message.  If you got 0
> answers, you should query A and/or AAAA and send there.  If you got >0
> answers, now you have to resolve the names you got to addresses; assuming
> at least one of those resolves, you have someplace to send the message.
> This is what RFC 5321 says to do.
>
> I don't think querying TXT would tell you anything more.
>
> What am I missing?
>
> -MSK
>

v2.23.0 | Report a Bug | By Email