Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification

Douglas Foster <> Wed, 26 May 2021 02:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E74503A18B6 for <>; Tue, 25 May 2021 19:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KQVwP1Aouhll for <>; Tue, 25 May 2021 19:04:56 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3F66C3A18B5 for <>; Tue, 25 May 2021 19:04:56 -0700 (PDT)
Received: by with SMTP id j75so31222oih.10 for <>; Tue, 25 May 2021 19:04:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=lCQBasfyG2MTJzP3T64gHWy6XnpKy9DeVlRg9xQrTNA=; b=qS/9m+/n8yd2gWly0Dqo/qUKN7rsBv8wtBpV4hZ8H8ZMsQSHV91/Dy/PJR3b67+FUR SADYcQUK+7BDu+w33kaB8obHjtKjw+ZgzUTsJCKJ3Wo43xZnld/mXjEZ17T4YPbwzmM7 7CMwcnh8xUVJ0u881UnsKXw0neiyQoV1DC1DBwe412Hf5zodeKHCyh3RsTEvmrSo9GZs EDoaacs6cnHsGlvKD/+tKQsFUaH3gEozVoQEn2e7amiEsrMMW/7/c2Iqbpnc1sJ2ptaP UJs3u+12SFwcB/Xh6ivw3Z99QobqKjjwGVK8JxAaIEfP/fesXf57srAG3w8cx2O3YSdP 4/Gw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=lCQBasfyG2MTJzP3T64gHWy6XnpKy9DeVlRg9xQrTNA=; b=SiK4kjO9D1r1m+RlCJOyEzLKuPwVmVrAJ/lAG6rbns/rT4KzfSBz6ZpirOwVrvVIfa 50GQM560tnK90WQ/FUetdo0q2DjwjfyEoYSX8C6H8eUG0iQL0OGHQi4MK7qHTIr/rjTH j5ztEkgPurPgD5UaX3DD7ArF8LgvyPGPNRXegXWeZmPckylJ04eKoaWZRZWooPcM9FPj E/e+tAmHigBY0T+J/BymlWQlZvCG5YPwAsgW9eJLLuN4aNv6/nPQHYsGu+4Y/F7eRa/j Kqy1ILIZHEde7myFslVS7Wsrpdg4w0QlWU1wseiabXZ4aIar1ESIbxpKOICXA99EVqD0 MgDg==
X-Gm-Message-State: AOAM532qv0HJUH4oP83en3jZMZBKnapSDOc4hJjzAQ38C+1C4aQpSYOn Bq7A55zq/Tru4tcsvFaLB4vDgtRgWR3GqfQ/CpleyEoaxC4=
X-Google-Smtp-Source: ABdhPJxLCvockpjCyXgLzw9uTX8V3N2CZkmYkBBtLcn6nfslgyU1+hTbQy9GUr313Milke18dFXt3zMnvMdrg8lz95U=
X-Received: by 2002:aca:754e:: with SMTP id q75mr345882oic.73.1621994694675; Tue, 25 May 2021 19:04:54 -0700 (PDT)
MIME-Version: 1.0
References: <> <20210507014508.78064719D42@ary.qy> <> <> <> <> <> <> <>
In-Reply-To: <>
From: Douglas Foster <>
Date: Tue, 25 May 2021 22:04:43 -0400
Message-ID: <>
Content-Type: multipart/alternative; boundary="0000000000009a91cd05c332118b"
Archived-At: <>
Subject: Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 May 2021 02:05:01 -0000

My expectations of what is feasible have collapsed greatly.  My numbers
were unique domains.

I was hoping that the boundary between existent and non-existent would
align along a natural boundary, and as a result would require little or no
effort for domain owners to ensure that their legitimate mail was in the
"existent" category.   If so, the NP=reject policy could be deployed
early.  Instead, it seems that ensuring "existence" becomes just another
burden on the DMARC implementation process, and N{=reject will be the final
step in the deploymnent process.

Because we do not have a natural boundary, we need to create a signalling
system to define the SP/NP boundary.  The signal must be purposefully
implemented by the domain owner, so any signalling system could be chosen.
MX/A/AAAA has an obvious advantage, because pre-existing compliance rates
are high.   But when MX/A/AAA records do not exist, they do not exist
because an ESP-based mail source does not need them.   Any invented
MX/A/AAA record will need an IP address, but the choice of IP address
becomes arbitrary and possibly problematic.   MX, A, AAAA, and SPF are all
used to communicate meaning into the SMTP context, so we may have
unexpected consequences from adding one of those records where they are not

Consequently, I think the search list should be MX/A/AAA/TXT.   The
TXT record content seems unimportant, and it could be as simple as
TXT="This Domain Exists".    The domain owner simply needs a way to provide
an "existent" signal without affecting other functions.  TXT seems like the
appropriate way to do this.

Doug Foster

On Tue, May 25, 2021 at 3:39 PM Murray S. Kucherawy <>

> On Sun, May 23, 2021 at 12:25 PM Douglas Foster <
>> wrote:
>> [...]
>> 145 of 169 (86%) of non-verified domains had MX or A records,
>> Of the 24 without MX or A records, 23 were spam and 1 was legitimate
>> For 20 of the 24 , SPF on the From address returned NXDomain and were
>> obvious spam without checking NS
>> All of the remaining 4 domains had NS records
> I believe this means that for 2.4% of the non-verified domains, or 0.65%
> of the total domains, the proposed NS check yielded useful signal beyond
> the standard checking of MX/A/AAAA.
> One surprise for me:
>> NS lookup on returns NXDomain, but NS lookup on
>> returns NS data.
>> I thought that the existence of a subdomain would be sufficient for a
>> domain to return NS data.
> Right, it isn't.
> Summary:
>> - MX/A produced 11 false positives
> Is that 11 false positive messages, or 11 false positive unique domains?
> If the former, we're talking about around 0.3%.  If the latter, we're
> talking about 1.8%.
> So based on the data you collected, what conclusion are you proposing?
> -MSK