Re: [dmarc-ietf] NXDOMAIN
Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 09 April 2021 13:49 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B6343A21D6 for <dmarc@ietfa.amsl.com>; Fri, 9 Apr 2021 06:49:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gMs4k_BTSObd for <dmarc@ietfa.amsl.com>; Fri, 9 Apr 2021 06:49:23 -0700 (PDT)
Received: from mail-ua1-x92f.google.com (mail-ua1-x92f.google.com [IPv6:2607:f8b0:4864:20::92f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB5343A21D4 for <dmarc@ietf.org>; Fri, 9 Apr 2021 06:49:22 -0700 (PDT)
Received: by mail-ua1-x92f.google.com with SMTP id r20so1841557uam.6 for <dmarc@ietf.org>; Fri, 09 Apr 2021 06:49:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=UyeoonFpwrOyDDq7p8k/Nu8FEXCNVwa0NDTLCtnAoww=; b=ltvjgpYjKeYjQwQwvVeP2/unJvDMvx+8ypDFQJdqNf1M8t0L3fkT2cJ5Xm+v6UL6cH 7k34dHx+Ux6L5kK9po34/AewsV87dCn4+Nc6HMwqTzJWwPRFVJg2mPgi+8oVAs1C+uKq AIyXMDGudePDj4eZ/0HboVUMoiS6vROEWIdAJv1tzCIzj0mWMmMcOW40s7NfTh6qpVae LC6rYagXfkn42ecZ0D5k3x4Ayb/6/yaHQIttBg6feDm89VYByKknC1AVQQuYUH+ZtrNM sIknNfpeqWvfsNIsbqf8rzBRsqhlNcW3ZIOmLa5qNS3uWYv++3huJ4ZR3v45nSA2yLxl eh1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=UyeoonFpwrOyDDq7p8k/Nu8FEXCNVwa0NDTLCtnAoww=; b=RWf6gwAY+aqQtnk/NO7VjLwr6P3E0641pAkeWDyzCgU4K9sbzrC2yWKUhsQvH3zwb4 qSdEerqu8AK2d3wBE2VZk2GNM/a6D7aeLixb+xHsjWGSSRmqYq6FAamztV53OEhi/HOR ANbOYCacsdwQVrR9YkY/3eah+zvZ60yeZQe0tujX2t55neNIt5qmWnijNaNOVl8NaSHm xO+AzOSfIlNT4tdiI2FR7Bu13zwaiDEPDDiKCzLBXdHxfy9ietD5NQqGgxepeh8ODGML CySiXNBz/TW8S9HybEgBKrhpKoQA5dgJJcr6AF+baH/+mebNZIrz7XwoLjfM2n25VR3m bZtw==
X-Gm-Message-State: AOAM533tRUc8Z6WZarmfR0J/ubdWw+VWgxEKm+Cfu8Vn5lQWOYz4Wn1t p3vhdAp23WvXShAH/oQkajvaQ+SlvkNvsykR17rFdn2I
X-Google-Smtp-Source: ABdhPJxPiNMUsS6eEe9j32tFr7v4au8859e18dvA6mZFpIXCnnihYeLmiOHVMnEMdlzJUluGw3Huky+pym1zgnkTAHQ=
X-Received: by 2002:a9f:2c90:: with SMTP id w16mr10868970uaj.88.1617976160573; Fri, 09 Apr 2021 06:49:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwYr+w1hjV3Wez6xd96OmmXjYU3D=-4+2qfCxkQ5TVA+Ww@mail.gmail.com> <20210408182948.5E4AF7282ACE@ary.qy> <CAH48ZfxM5DgDds1-wHiXMSfSAoT3+rSL_L4wbADtLz=JQ9QU=w@mail.gmail.com> <CAHej_8kNa89c_wvo71Vd7as1SrF5xv0a78J0PVE5wyi-Ybizrg@mail.gmail.com>
In-Reply-To: <CAHej_8kNa89c_wvo71Vd7as1SrF5xv0a78J0PVE5wyi-Ybizrg@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 09 Apr 2021 09:49:08 -0400
Message-ID: <CAH48Zfzf1zAB0avOaVzbjm4=otkA2JjQrNekKA8mr1-CsmMgiQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004e5c9a05bf8a6e27"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HxxZwGuEoke9pQTZ2632S2EyR4U>
Subject: Re: [dmarc-ietf] NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 13:49:28 -0000
I am happy to have the concept optimized. Your comments make sense to me. I just believe strongly that these documents teach implementers best practices and that this particular document is the time and place to begin teaching best practices around non-existent domains. It is swell that postfix is widely used and responds appropriately to non-existent domains But clearly we have a lot of implementers who need coaching. DF On Fri, Apr 9, 2021, 9:09 AM Todd Herr <todd.herr= 40valimail.com@dmarc.ietf.org> wrote: > On Thu, Apr 8, 2021 at 4:51 PM Douglas Foster < > dougfoster.emailstandards@gmail.com> wrote: > >> DNS Examples that Murray requested, which should also addresses John's >> question about relevance to DMARC: >> >> nslookup >> > set type=txt >> >> >> > _dmarc.junk.thisisjunk.com >> *** <server> can't find _dmarc.junk.thisisjunk.com: Non-existent domain >> >> Domain has no DMARC policy. >> Is this because it chose not to deploy one, or because it does not >> exist? That answer requires a second query. >> >> > junk.credcontrol.com >> *** <server> can't find junk.credcontrol.com: Non-existent domain >> >> The TXT query demonstrates that this is a non-existent domain, and >> therefore not under the full administrative control of any parent domain. >> The message is DMARC NOT_VERIFIED even if domain alignment occurs with a >> DKIM signature or SPF PASS. Since there is no domain-level policy record, >> disposition depends on local policy related to non-existent domains and >> this particular domain name. The organizational policy record may be >> useful if its requested action is more stringent than the local policy >> default action for non-existent domains. >> >> > junk.thisisjunk.com >> *** <server> can't find junk.thisisjunk.com: Non-existent domain >> >> Domain has no DMARC policy. >> Is this because it chose not to deploy one, or because it does not >> exist? That answer requires a second query. >> >> >thisisjunk.com >> primary name server = ns1.dreamhost.com >> responsible mail addr = hostmaster.dreamhost.com >> serial = 2018071003 >> refresh = 19193 (5 hours 19 mins 53 secs) >> retry = 1800 (30 mins) >> expire = 1814400 (21 days) >> default TTL = 14400 (4 hours) >> >> The TXT query demonstrates that the domain exists. This is true whether >> the result returns data or NODATA, and in this case the result is NODATA. >> The message can be DMARC-verified using domain alignment to a DKIM >> Signature or SPF PASS. >> >> Doug Foster >> >> >> I think you may have a cut and paste error here: > > > junk.thisisjunk.com > > *** <server> can't find junk.thisisjunk.com: Non-existent domain > > Domain has no DMARC policy. > Is this because it chose not to deploy one, or because it does not exist? > That answer requires a second query. > > > The above isn't a query for a DMARC policy record. > > To your larger point though and your claim of a second query being > required to determine if a domain exists if there is no published DMARC > policy, I think you've got the order of the queries exactly backward. > > My expectation for any policy rules that are based on a domain's existing > and/or a domain having published an MX or A/AAAA record is that such > queries will be done *before* any attempt to suss out a DMARC policy record > and perform DMARC validation checks, not after. > > For example: > > 1. Client connects to my server. At this point I know the source IP of > the client, and so I can apply any policy rules I may have in place for the > source IP, such as rejecting the connection due to the IP's being blocked, > refusing the connection if the IP has no corresponding PTR record, refusing > the connection if the PTR record matches a pattern of names from which I > don't want to accept mail (such as the naming pattern being generic or > indicating that it's dynamic space), perhaps throttling the connection > based on a lack of FCrDNS for the IP or other rules based on local > reputation data known about the IP. > 2. If the connection is still open, the client issues a MAIL FROM > command. At this point I now have a domain (RFC5321.From) and I can run > checks to make sure the domain exists in the DNS and publishes either an MX > or A/AAAA record and do any DNSBL lookups for the domain. I can also, if I > wish, do the SPF check here and reject if there's a failure and the record > ends in "-all". > 3. If the connection is still open, the client issues one or more RCPT > TO commands. I can answer "250 ok" or "550 5.1.1 user unknown" as > appropriate. > 4. If the client has exhausted its RCPT TO commands and has gotten > "250 ok" in response to at least one of them, then it will issue a DATA > command, and I can respond "ok" if I still potentially want to accept a > message from this connection. > 5. Client transmits the message, ends with "." > 6. Before I reply with "ok", I will definitely do step 1 below, and > might do either or both of steps 2 and 3: > 1. Test for existence of the RFC5322.From domain in DNS and do any > DNSBL lookups on the domain. > 2. Run the message through an anti-spam filtering engine, if I'm > the type to reject mail based on its content. If instead I'd just route it > to the spam folder if the engine says it's spam, I may do this step at a > layer closer to my message delivery/storage layer. > 3. Do DMARC validation checks, if I'm the type to honor a domain's > published policy and reject mail that fails DMARC checks if that's what the > policy asks me to do. If instead I'm the type to apply a quarantine > disposition to anything with p=reject or p=quarantine, I might accept the > message so that the connection can be closed and I can do DMARC processing > at a layer closer to my message delivery/storage layer. > > Now, I could be wrong here, but I've always viewed DNS queries as > computationally cheaper than content scanning and DKIM hash validation > (note that I'm going to do DKIM hash validation regardless of the existence > of a DMARC policy record, but it's all a matter of where in my > infrastructure I do the validation). DNS queries that allow me to make an > immediate yes/no decision on message acceptance (IP or domain on block > list, domain exists and has an MX or A/AAAA record) get done before DNS > queries that might cause me to do more work. A DNS query for a DMARC record > can result in additional work for me if the DMARC policy record exists, not > just going through the validation steps but also recording the results in > the data store that supports my reporting engine, so I'm going to do that > one last, not first. > > But that's just me. > > -- > > *Todd Herr* | Sr. Technical Program Manager > *e:* todd.herr@valimail.com > *m:* 703.220.4153 > > This email and all data transmitted with it contains confidential and/or > proprietary information intended solely for the use of individual(s) > authorized to receive it. If you are not an intended and authorized > recipient you are hereby notified of any use, disclosure, copying or > distribution of the information included in this transmission is prohibited > and may be unlawful. Please immediately notify the sender by replying to > this email and then delete it from your system. > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- Re: [dmarc-ietf] NXDOMAIN John Levine
- [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Tim Wicinski
- Re: [dmarc-ietf] NXDOMAIN Grant Taylor
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Grant Taylor
- Re: [dmarc-ietf] NXDOMAIN Laura Atkins
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Kurt Andersen (b)
- Re: [dmarc-ietf] NXDOMAIN John Levine
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN John Levine
- Re: [dmarc-ietf] NXDOMAIN Jan Bouwhuis (DMARC)
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster