Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

Henning Krause <mail@henningkrause.eu> Tue, 02 March 2021 10:38 UTC

From: Henning Krause <mail@henningkrause.eu>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
Thread-Index: AQHXDzjP0cR464dfOUC50Lc7F7D0CapwWVWAgAAn+IA=
Date: Tue, 2 Mar 2021 10:38:15 +0000
Message-ID: <DB7PR08MB3498C21C6CF8631243BEF4D8BB999@DB7PR08MB3498.eurprd08.prod.outlook.com>
References: <edfb0a04df4620f8b9f6eaa659923d02@jbsoft.nl> <1bdd6695-2198-2bcf-f9e2-33d43f9c2bf1@cert.ee>
In-Reply-To: <1bdd6695-2198-2bcf-f9e2-33d43f9c2bf1@cert.ee>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mD717CXHBY-dxL50Hyf6UTuuRLM>

Hi,

True, the RFC states nothing about CNAMEs. It would be great to have that feature, though. Not only would this make the handling with many domains easier, but it would also allow a domain owner to outsource the management of DMARC to a hosting provider.

Kind regards,
Henning

> -----Original Message-----
> From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Tõnu Tammer
> Sent: Dienstag, 2. März 2021 09:13
> To: dmarc@ietf.org
> Subject: Re: [dmarc-ietf] Using CNAME records to DMARC templates causes
> issues
> 
> Hi Jan,
> 
> We have noticed a similar issue with CNAME that is used by some of the
> vendors. However, we have not fully concluded if this is the issue of
> software, as the RFC stipulates that TXT records should be used.
> 
> https://henningkrause-eu.cloud.nospamproxy.com/link?id=BAgAAABHZ9Ttc2FwX4YAAAAQ0QbPZMd8IglxIBHZeYT_CtxhFEYvYRHhRnnk6DY35fNGAvZWHzvf-sQp2-Z4HsyMK2rPPj5C0aQElSQEnqgX7oG0mxxCzUmIl5aK0Vo0LYfCwxfRpzRhbvTxR7Aq4olfez2_wwONaujm-aezcoVcUIgZKHsmTlj2iKcfJO0qgBhJ63lLIA2
> 
> KR,
> 
> Tonu
> CERT-EE
> 
> On 02.03.2021 09:49, jbouwh wrote:
> > Hi all,
> > I am new to this list, and will give a short introduction to myself.
> > I work for the Dutch government as an IT architect. One of my goals is
> > improving mail security.
> > As Dutch government we commit to comply with SPF, DKIM, DMARC, DANE and
> > IPv6 standards.
> > With this we are challenged to keep the technical environment manageable.
> > Some of our government IT partners use CNAME records to refer to DMARC
> > templates, and we are planning to use the same technique. Using
> > templates makes it easier to maintain DNS records.
> >
> > For private purposes I am running my own mail server using opendmarc
> > together with postfix, amavis, spamassassin, opendkim and
> > postfix-policyd-spf.
> > While testing mail policies that were published using a CNAME, I
> > noticed opendmarc is not handling the published policies, but is
> > acting as if no policy was published. To address this issue I have
> > submitted an issue to the opendmarc project.
> >
> > https://github.com/trusteddomainproject/OpenDMARC/issues/103
> >
> > My questions are:
> > -    Is it a common practice to use a CNAME DNS record to reference
> > DMARC templates?
> > -    Is it a known issue that opendmarc does not process the published
> > policies when they are published using a CNAME? If this is caused by
> > a software bug, this could be a serious security issue.
> >
> > Regards,
> > Jan
> >
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> > https://www.ietf.org/mailman/listinfo/dmarc
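The failure mode Jan reports, modelled as an added example that is not code from the thread or from OpenDMARC. It builds a constructed DNS answer for a TXT query on a hypothetical `_dmarc.example.org` that is a CNAME to a template record, then reads it once with a lookup that only accepts TXT records owned by the queried name (which finds no policy, so mail is handled as if none were published) and once with a lookup that follows the CNAME chain, with a hop limit, before parsing the DMARC tags.

```python
import re

# Constructed answer section, as a resolver returns it for a TXT query on
# _dmarc.example.org: the CNAME plus the TXT of the target. All names and
# records here are hypothetical, made up for this example.
ANSWER = [
    ("_dmarc.example.org.", "CNAME", "_dmarc.template.example.net."),
    ("_dmarc.template.example.net.", "TXT",
     "v=DMARC1; p=reject; rua=mailto:dmarc@example.org"),
]

MAX_CNAME_HOPS = 8  # bound the chase so a CNAME loop cannot spin forever


def txt_direct(answer, qname):
    """Naive reader: only TXT RRs owned by the queried name count.
    With a CNAME in front of the record this yields nothing, which is the
    'acting as if no policy was published' behaviour described above."""
    return [r for owner, rtype, r in answer if owner == qname and rtype == "TXT"]


def txt_follow_cname(answer, qname):
    """Follow the CNAME chain (at most MAX_CNAME_HOPS) and collect the
    TXT RRs owned by the final name."""
    name, hops = qname, 0
    while hops < MAX_CNAME_HOPS:
        cnames = [r for owner, rtype, r in answer if owner == name and rtype == "CNAME"]
        if not cnames:
            break
        name, hops = cnames[0], hops + 1
    return [r for owner, rtype, r in answer if owner == name and rtype == "TXT"]


def parse_dmarc(txts):
    """Return the tag/value dict of the first TXT that is a DMARC record
    (v=DMARC1 with a p= tag), or None when no such record exists."""
    for txt in txts:
        tags = dict(re.findall(r"(\w+)\s*=\s*([^;]*)", txt))
        if tags.get("v", "").strip().upper() == "DMARC1" and "p" in tags:
            return {k: v.strip() for k, v in tags.items()}
    return None


def policy_for(answer, qname, follow_cname):
    """Effective DMARC policy a receiver would apply: the published p= tag
    if the lookup found a record, otherwise the 'no policy' fallback."""
    lookup = txt_follow_cname if follow_cname else txt_direct
    rec = parse_dmarc(lookup(answer, qname))
    return rec["p"] if rec else "none (no record found)"
```

A real verifier also retries at the organizational domain when the exact name yields nothing, so a CNAME-blind lookup can silently downgrade a subdomain to the parent's policy rather than to nothing at all.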