Re: [dmarc-ietf] PSD DMARC: draft-ietf-dmarc-psd post-WGLC Status

Scott Kitterman <sklist@kitterman.com> Sun, 29 September 2019 21:14 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NbmRtsKOE3toT0zEdP7J6uKB-xA>

On Sunday, September 29, 2019 8:05:07 AM EDT Jane Moneypenny wrote:
> Regarding:
> 2.6. Non-existent Domains
> For DMARC purposes, a non-existent domain is a domain for which there is an
> NXDOMAIN or NODATA response for A, AAAA, and MX records.
> 
> Comments:
> - sometimes a domain used for mailing purposes does not have an MX record - I
> am not sure if 'and' is the appropriate word here - question: what if there is
> a CNAME record?

Yes.  The way it's written, if any of A, AAAA, or MX give some answer other 
than NXDOMAIN or NODATA, then the domain exists.  As previously discussed 
during WGLC, CNAMEs would be followed prior to such a determination, so the 
existence check would, correctly, be for the target of the CNAME, no issue.

> - email receivers could/should perform reverse DNS lookup, however they do
> not - as a result, an email from (both Envelope and Mail From) is
> accepted by the MTAs - today, an email ‘from’ (Envelope and Mail) NXDOMAIN
> is accepted by the vast majority of MTAs, and the SPF check result is “spf=neutral”
> (in general); the same holds for non-existent sub-domains (even if there is DMARC in
> place, a message from a non-existent sub-domain could be successfully
> delivered).
> 
> There is a solution for non-existent subdomains: Wildcard SPF. Wildcard SPF
> covers sub-domains (if there is no other RR for such sub-domain), and (in
> general) it works with DMARC. For example:
> *.example.com IN TXT v=spf1 -all
> together with
> example.com IN TXT v=DMARC1; p=reject;
> Covers each and every NX-sub-domain, and it works pretty well.
> 
> The currently proposed solution, even with the 'np' tag, may not work. It could
> be rather fatally flawed.
> 
> That being said, we should consider (for PSDs) a solution similar to a
> Wildcard SPF, if we want PSD-DMARC to work as it should.
> 
> And, because a Wildcard SPF is a TXT - not A, AAAA, or MX - record, it does
> not mess with the definition (2.6. Non-Existent Domains).

We have also discussed making broader recommendations on email processing 
behavior and concluded they were out of scope.  Wildcards aren't so simple.  
The DMARC record for example.com isn't published at example.com.  It's 
published at _dmarc.example.com and you can't wildcard _dmarc.*.example.com.

Scott K
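A worked model of the two points in this reply, added here and not part of the thread or of draft-ietf-dmarc-psd: the section 2.6 existence test (the domain exists if any of A, AAAA or MX answers, with CNAMEs followed first) run over a constructed in-memory zone, and the RFC 4592 wildcard rule behind the remark that `_dmarc.*.example.com` cannot be wildcarded. The zone contents and the toy resolver are assumptions made for the example.

```python
# Added example (not from the thread): section 2.6's existence test over a
# constructed zone, with CNAME chasing and the RFC 4592 wildcard rule.
# Constructed zone: owner name -> {rrtype: [rdata]}; lowercase, no final dot.
ZONE = {
    "example.com": {"A": ["192.0.2.10"], "MX": ["10 mail.example.com"]},
    "mail.example.com": {"A": ["192.0.2.25"]},
    "www.example.com": {"CNAME": ["web.example.net"]},
    "web.example.net": {"AAAA": ["2001:db8::1"]},
    "txtonly.example.com": {"TXT": ["v=spf1 -all"]},
    "*.example.com": {"TXT": ["v=spf1 -all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=reject;"]},
}

def lookup(name, rrtype, depth=0):
    """Toy resolver returning (status, rdata) with status NXDOMAIN, NODATA
    or ANSWER.  A CNAME is chased (max 8 hops), so the status is the target's."""
    name = name.lower().rstrip(".")
    rrsets = ZONE.get(name)
    if rrsets is None:
        return "NXDOMAIN", []
    if "CNAME" in rrsets and rrtype != "CNAME":
        if depth >= 8:
            return "NODATA", []          # chain too long; treat as no data
        return lookup(rrsets["CNAME"][0], rrtype, depth + 1)
    if rrtype in rrsets:
        return "ANSWER", list(rrsets[rrtype])
    return "NODATA", []

def domain_exists(name):
    """Section 2.6 as the reply reads it: the domain exists if ANY of A,
    AAAA or MX returns something other than NXDOMAIN or NODATA."""
    return any(lookup(name, t)[0] == "ANSWER" for t in ("A", "AAAA", "MX"))

def name_exists(name):
    """True if the name owns records or is an ancestor of one (empty non-terminal)."""
    return any(n == name or n.endswith("." + name)
               for n in ZONE if not n.startswith("*."))

def wildcard_matches(owner, qname):
    """RFC 4592: '*' is a wildcard only as the leftmost label, and it only
    synthesizes when no closer name exists between qname and the suffix."""
    owner, qname = owner.lower(), qname.lower()
    if not owner.startswith("*."):
        return owner == qname            # '_dmarc.*.example.com' is literal
    suffix = owner[2:]
    if qname == suffix or not qname.endswith("." + suffix):
        return False
    rest = qname[: -len(suffix) - 1].split(".")
    closer = [".".join(rest[i:]) + "." + suffix for i in range(1, len(rest))]
    return not any(name_exists(n) for n in closer)
```

Note that a name with only a TXT record (txtonly.example.com) counts as non-existent under the section 2.6 test, and that `*.example.com` also synthesizes its TXT at `_dmarc.sub.example.com`, which is an SPF string rather than a DMARC record.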