IETF Logo Mail Archive

Re: [dmarc-ietf] NXDOMAIN

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 07 April 2021 12:04 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 04AD43A4348 for <dmarc@ietfa.amsl.com>; Wed, 7 Apr 2021 05:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PrtlDzDrj1C3 for <dmarc@ietfa.amsl.com>; Wed, 7 Apr 2021 05:04:33 -0700 (PDT)
Received: from mail-vs1-xe2e.google.com (mail-vs1-xe2e.google.com [IPv6:2607:f8b0:4864:20::e2e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F8D53A4344 for <dmarc@ietf.org>; Wed, 7 Apr 2021 05:04:32 -0700 (PDT)
Received: by mail-vs1-xe2e.google.com with SMTP id q4so4187715vsm.0 for <dmarc@ietf.org>; Wed, 07 Apr 2021 05:04:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=zx7/XzIfOn0FuqudZwXN21bTomYI8EqWIQW23AHZTQk=; b=rJ0Bqw2uMtSoIYPotC/aoy1BGmNu5KO8VfBeBPab0dAc0rTbry4/834u7f/U48+VvX sbP3sSETgVYnXfOZUG92uk3axUuXClOkX+qMSpFDz3yY+zGG5Jdt5wmPrBfzZSh0ydPm tN5t5mIW5WmQ7BHsM95bjXkNGdVOQF5UDg2qQ/1pq/C/SfRDRPmdt4N7QHGbrqX9mOEn w9+Ke/GtWMY7YaOUYo0xR+NCUvk7r843xfS8wpbq0uAPYSkf7T1MOakw7utUzYUCC3O4 OThsyn28zKDV2yRTiXqM0qYYpJvmizRStpl3PRypmrHe6HfxewXTKoS3YCJroh4PMRrx 3/vA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=zx7/XzIfOn0FuqudZwXN21bTomYI8EqWIQW23AHZTQk=; b=F9/zb7Y4vwuPNqZ8fkDKS5iZmdl89ym+BdiSePSr3PpbwysrwdSr+Jgkp+LhRs1Hgn uuNEmjekafeNckNzyzsVp3u8Jx9otYJvdWdSoVjGyP9bitNySd8PLpFtdCL8SOVpuk6o nNnEUw8f2YhxPMX4KKxBnzHn5I7WLz9evCiDrt4ClCExYqRBHJTP0Ikwuv3P/goLj4kZ zd6j2l7JU192jN84SVg7gn8M4+gxj3gVGx/XT3btGu2eOKjDTYK/Wkpd2cO5ewV1pWCj QMP9e/Fh07jpY+68xaOKEkCMZj4v6Kj3TW8ZnxHleFl/iOgK4OCt01ZFVWURP/peConl 2k4g==
X-Gm-Message-State: AOAM530X7y66U9+4mheyqgNDTYpLx9diNBcIFz0dTjMgg6ZLUN/4CX1r 3mICHH4xrYYLBEcs99GXVrp815XmQFiVzfGEBwNauF0w
X-Google-Smtp-Source: ABdhPJy9kKG0VCbuYsf21cnVO2s1NW2yaD0ooL9Cclqs2OiB9nS5u555XjyOA8VrMIc5av655ahcxFfcaTTWfzzhPag=
X-Received: by 2002:a05:6102:238f:: with SMTP id v15mr1493163vsr.45.1617797070821; Wed, 07 Apr 2021 05:04:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48ZfxjotxU8G4ZucGTqERP0ZXSF8i9EH9vvQyi2SacbPxvvw@mail.gmail.com> <CAL0qLwa-ZkwxF=-9T42_d-pPrmVpMTZ0gMyq+4i1zXrZGPK1fQ@mail.gmail.com> <CAH48Zfx6mdmwiBtD0nRKMsuxwPkh7Wm7aX_qdUEt=4+OM6DG2g@mail.gmail.com> <CAL0qLwYmu20PB-HRjLNtnuykoJDerQ2NryEc5SdBD759Muoc7Q@mail.gmail.com>
In-Reply-To: <CAL0qLwYmu20PB-HRjLNtnuykoJDerQ2NryEc5SdBD759Muoc7Q@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 07 Apr 2021 07:04:20 -0500
Message-ID: <CAH48Zfy6Qrp7etxvC6oieQORy8nfNdDF7Kju5hwDZOG2tEarPg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b99af105bf60bbd6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EtVDGoTCTmiqqDZ75PzyaFtL7Rw>
Subject: Re: [dmarc-ietf] NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Apr 2021 12:04:38 -0000

I am hearing that we have a defacto standard to check return-path using
MX/A/AAAA.  It is implemented with sufficient breadth,that (unlike SPF)
senders should consider it mandatory.    Additionally, and more importantly
for this group, it is presumed to be equally applicable for validation of
the RFC5322.From, even though that address is unrelated to the
SMTP return-path.  But because the test is not explicitly documented, some
products (my vendors) do not implement it at all, leaving a protection
gap.

As best I can tell, return-path-check does not have a unique name,
specified result status codes, or a specific SMTP reject result code.    At
the simplest level, possible results are PASS, FAIL, TEMPERROR and
PERMERROR.   A more complex result set would probably be desirable for A-R,
to indicate which entity produced the pass, which address class was used
for the match, whether the match also resolved to the Source IP, and the
Source IP itself.    Other specification details include clarifying whether
the MX/A/AAA address result must match the Source IP address class
(presumably yes), and whether the result list should test for and reject
addresses that are in the Private, Multicast, or Reserved lists (probably
optional)

If DMARC is to be dependent on return-path-check and inter-dependent with
ARC, then I do not see how we can avoid producing a formal specification
for the test and integrating it into A-R, as a co-requisite to the DMARC
specification.

Doug Foster

On Tue, Apr 6, 2021 at 12:58 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Tue, Apr 6, 2021 at 4:54 AM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> If the SPF Policy lookup returns NXDOMAIN, then we are at a full stop
>> with all the information needed to make a decision.   (The sender is
>> violating ICANN name registration policies).   Ignoring NXDOMAIN and
>> continuing to look for MX/A/AAAA is a waste of information and a waste of
>> resources.
>>
>
> I agree.
>
> But clearly, the norm in this group is to check MX/A/AAA because it seems
>> likely to be a more powerful filter.   I wonder if that is actually true.
>>
>
> In the context of the code doing the SPF evaluation, I don't think it is.
> If TXT returns NXDOMAIN for a name, so will any other type.  That's the
> definition of NXDOMAIN; there are no data of any type for this name.  See
> also RFC 8020.  Fortunately, a properly functioning local nameserver will
> cache the answer and just repeat it when subsequent MX, A, or AAAA queries
> get issued, so the waste is relatively cheap.
>
> I imagine some DNS APIs are ambiguous (i.e., lazy) about reporting "That
> name does not exist (rcode=NXDOMAIN)" differently from "That name exists,
> but there's no record of the type you requested (rcode=NOERROR,
> ancount=0)", which can result in some wasted time, but I expect the end
> result would be the same.
>
> 1)  A/AAAA is a pretty weak test, since many domains have A/AAAA records
>> on the domain name for web purposes.
>>
>
> Independently of SPF, it's not a weak test since the standards allow
> exactly this kind of setup for a domain that wants to receive mail.  Again,
> Section 5.1 of RFC 5321.
>
> I do respond to SPF NONE by applying a best-guess SPF policy which
>> includes MX and A, and sometimes produces SPF PASS.   But I no longer do
>> that for non-existent domains.
>>
>
> "Best guess SPF" is discouraged.  See
> http://www.open-spf.org/FAQ/Best_guess_record/.
>
> -MSK
>

v2.23.0 | Report a Bug | By Email