Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP

"Chudow, Eric B CIV NSA DSAW (USA)" <> Thu, 19 November 2020 22:30 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 642333A12FF; Thu, 19 Nov 2020 14:30:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id HGr2rsk_mXTe; Thu, 19 Nov 2020 14:30:50 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 448623A12FB; Thu, 19 Nov 2020 14:30:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;;; q=dns/txt; s=EEMSG2018v1a; t=1605825050; x=1637361050; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=C+4icvjLwA1AjFI7nK7tPwBGLx6ZmueWqkJR+C0w3ug=; b=MBK9pElIt4ybkgjShY+d4BxF7K46LgJFgMy1oFt1CmcWeLL9Cr4OpV1B J4324TFkNM2588CUvhgZyOeDmKbZD1Qu2bXWehOtJ/MXiJVPTiNCjVASy YoSjrdFI2cueVhmrnaobUp1PEf8aaGswR0hhQ9OqaRtSx3QJ86DdgdhYm 8QDUyOh7p/+D58CfazHD4b1faVzDmxth9sBuSDYMSAmJjauanmZHisUFU K+kx8MyZ80kFw+HT1t4Lu4tpVmC5MVzIO2XdJeGRHAqeusPg9zLF3e55U YM3QedIGLHvlWYA8qBhEb80HvsfhQKvDcZtzH0AaGQWPVNYdFnXLGebG3 Q==;
X-EEMSG-check-017: 148802809|
X-IronPort-AV: E=Sophos;i="5.78,354,1599523200"; d="scan'208";a="148802809"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-SHA; 19 Nov 2020 22:30:42 +0000
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.3.487.0; Thu, 19 Nov 2020 22:30:18 +0000
Received: from ([]) by ([]) with mapi id 14.03.0487.000; Thu, 19 Nov 2020 22:30:18 +0000
From: "Chudow, Eric B CIV NSA DSAW (USA)" <>
To: 'Doug Foster' <>, 'IETF DMARC WG' <>
CC: "''" <>
Thread-Topic: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP
Thread-Index: AQHWvPCMpiMZLl3tlkunzDAVmodKO6nQB+MA
Date: Thu, 19 Nov 2020 22:30:17 +0000
Message-ID: <>
References: <003f01d6bcf0$69055b60$3b101220$>
In-Reply-To: <003f01d6bcf0$69055b60$3b101220$>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 19 Nov 2020 22:30:52 -0000

Section 2.7. defines a non-existent domain as "a domain for which there is an NXDOMAIN or NODATA response for A, AAAA, and MX records.  This is a broader definition than that in NXDOMAIN [RFC8020]." This should be sufficient for determining that the domain is not intended to be used and therefore could have a more stringent policy applied.  

The idea of looking for a "mail-enabled domain" based on if an "MX record exists or SPF policy exists" is interesting. Although there may be domains that send email but not receive email and so may not have an MX record. Also, even if there is no SPF record, the domain may still send email, but then it might be held to a more stringent DMARC policy that would further penalize it for not having an SPF record. 

Also, for the revision of the document I like the way that the three parts of the experiment are now laid out more clearly.  My only comment is that the title of Appendix A is overly specific to just one of the experiments and so should be broader.


Eric Chudow
DoD Cybersecurity Mitigations

From: Doug Foster <> 
Sent: Tuesday, November 17, 2020 9:46 AM
Subject: Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP

I did not see a definition of a “non-existent domain” (the np policy).   A definition is needed.

To my thinking, the obvious rule should be to query for a NS record for the domain.  If the record exists, then the domain owner could create a DMARC record for that domain, or could create a default entry for the domain at the organizational level.  If no record exists, it is because the domain owner chose to not create one.

However, the DMARC Bis document conflicts strongly with this.  In section A.4, it suggest several ways to do a test of this type, then repudiates all of them.  NS lookup is not one of the mentioned options.

There is a possible second-level policy test for a “mail-enabled domain”.  I would define that test as “MX record exists or SPF policy exists”.    That could be an additional option to NP, but should not be a replacement for it.

PSD for DMARC clearly intends for the NP policy to be a general solution to a general problem.    If there are still objections to it becoming a general solution, this should be addressed soon.

Doug Foster

From: dmarc [] On Behalf Of Tim Wicinski
Sent: Friday, November 13, 2020 1:42 PM
Subject: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd


During the IESG reviews of draft-ietf-dmarc-psd, there were several issues raised with some of the document.   Most of them are editorial but the one big item was the description of the Experiment.   The chairs sat down and broke out the experiment section into three separate experiments, and included language on how to capture the data to confirm how the experiment worked.  

It's enough of a change that we wanted to do a second working group last call to make sure the working group agrees with our changes. The diff of the current version with the previous version is here:

This starts a *one* week second working group last call for  draft-ietf-dmarc-psd
Please review the changes and offer up comments to the working group.

This working group last call 20 November 2020