Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

Todd Herr <todd.herr@valimail.com> Thu, 14 March 2024 20:49 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
MIME-Version: 1.0
References: <CAHej_8kip_p+n56=Y5WuVG2M_+HXHj51fyY3k6dx-itJRZkCpQ@mail.gmail.com> <B18FD596-D342-4569-8A23-3E01B137DDDA@kitterman.com> <CAHej_8=+fHDstBHCzS54cr5dmGo=XfyXy0wzaS6gY6WokpF_Lg@mail.gmail.com> <791cdf24-011d-4cd1-83cd-79d438f3020d@tekmarc.com>
In-Reply-To: <791cdf24-011d-4cd1-83cd-79d438f3020d@tekmarc.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Thu, 14 Mar 2024 16:49:18 -0400
Message-ID: <CAHej_8my0_2y5NqsqawiH3x1S5Xn14eGXGYDNfHmPOWu585TKw@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="00000000000063f3910613a50752"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/R9yxnvh0Ir3VqM9dY8ohdN0WngA>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 136 - DMARC Records Can Be CNAMEs

On Thu, Mar 14, 2024 at 4:43 PM Mark Alley <mark.alley=40tekmarc.com@dmarc.ietf.org> wrote:

> On 3/14/2024 3:38 PM, Todd Herr wrote:
>
> On Thu, Mar 14, 2024 at 4:34 PM Scott Kitterman <sklist@kitterman.com>
> wrote:
>
>>
>> I think this is correct.  I think it's obviously enough correct that I'm
>> surprised anyone was confused.
>>
>> Do we know what the theory was that led people to think otherwise?
>>
>> Seems to me we don't really need this, but maybe there's a reason.
>>
>>
> The reasons given were:
>
>    1. https://www.rfc-editor.org/rfc/rfc5863#section-4.1
>    2. https://datatracker.ietf.org/doc/html/rfc6376#section-7.5
>    3. Neither RFC 7489 nor DMARCbis contain the phrase "CNAME", so if
>    it's not explicitly mentioned...
>
> Granted, the first two citations are in regards to DKIM records, not DMARC
> records, but those were the reasons given.
>
> Couldn't hurt to clarify explicitly, I'm for it. Domain owners have been
> using CNAMEs with DMARC TXT RRs pretty much since its inception.
>
I agree that clarifying it can't hurt, obviously, but I was quite surprised
to hear that CNAMEs were being published for DMARC records, as I'd never
seen one. On the other hand, I've seen *lots* of DKIM public keys published
as CNAMEs, which I'm sure just wrecks the person citing DKIM RFCs as a
reason that DMARC records can't be CNAMEs.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.herr@valimail.com
Phone: 703-220-4153

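The mechanics behind the point made in this thread, as an added example that is not part of the original message or of any DMARC implementation: a toy resolver over constructed zone data showing that a TXT query at `_dmarc.<domain>` is answered through a CNAME by ordinary RFC 1034 name resolution, so nothing in RFC 7489 or DMARCbis needs to say "CNAME" for it to work, and that the same applies to a DKIM key at `<selector>._domainkey.<domain>`. All domain names (`direct.example`, `aliased.example`, `provider.example`, the `loop.example` pair), the selector `s1`, the policy values and the truncated key are placeholders invented for the example; `MAX_CNAME_DEPTH` is an arbitrary bound chosen here.

```python
from typing import Dict, List, Optional, Tuple

# Constructed zone data for this example only (placeholder names, hypothetical
# policies). Each owner name maps RR type -> list of RDATA; a TXT RDATA is a
# tuple of <character-string>s, as it would be carried on the wire.
ZONE: Dict[str, Dict[str, list]] = {
    "_dmarc.direct.example.": {
        "TXT": [("v=DMARC1; p=reject; rua=mailto:dmarc@direct.example",)],
    },
    "_dmarc.aliased.example.": {
        "CNAME": ["aliased-example.dmarc.provider.example."],
    },
    "aliased-example.dmarc.provider.example.": {
        "TXT": [("v=DMARC1; p=quarantine; pct=50; ",
                 "rua=mailto:reports@provider.example")],
    },
    "s1._domainkey.aliased.example.": {
        "CNAME": ["s1.dkim.provider.example."],
    },
    "s1.dkim.provider.example.": {
        "TXT": [("v=DKIM1; k=rsa; p=MIIBIjANBgkq...",)],  # truncated placeholder key
    },
    # Deliberate CNAME loop to exercise the guard below.
    "_dmarc.loop.example.": {"CNAME": ["_dmarc.loop2.example."]},
    "_dmarc.loop2.example.": {"CNAME": ["_dmarc.loop.example."]},
}

MAX_CNAME_DEPTH = 8  # arbitrary bound for this example


def resolve_txt(name: str, zone: Dict[str, Dict[str, list]] = ZONE) -> Tuple[List[tuple], List[str]]:
    """Answer a QTYPE=TXT query for `name`, restarting at the canonical name
    whenever the owner holds a CNAME (RFC 1034 section 3.6.2). A resolver does
    this for any QTYPE, so a DMARC or DKIM TXT record may sit behind a CNAME.

    Returns (list of TXT RDATA, list of CNAME targets followed). An empty RDATA
    list stands in for NXDOMAIN/NODATA. Raises RuntimeError on a loop or an
    over-long chain instead of chasing it forever.
    """
    seen = {name}
    chain: List[str] = []
    for _ in range(MAX_CNAME_DEPTH):
        rrsets = zone.get(name, {})
        if "TXT" in rrsets:
            return rrsets["TXT"], chain
        if "CNAME" not in rrsets:
            return [], chain
        target = rrsets["CNAME"][0]  # an owner name may hold only one CNAME
        if target in seen:
            raise RuntimeError("CNAME loop at %s -> %s" % (name, target))
        seen.add(target)
        chain.append(target)
        name = target
    raise RuntimeError("CNAME chain longer than %d" % MAX_CNAME_DEPTH)


def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' record (DMARC and DKIM share this shape)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def _lookup(name: str, version: str, zone: Dict[str, Dict[str, list]]) -> Optional[dict]:
    txts, chain = resolve_txt(name, zone)
    # Join each TXT RDATA's character-strings, then keep only records carrying
    # the expected version tag (RFC 7489 section 6.6.3 for DMARC). Zero or
    # several matching records means there is no usable record.
    records = ["".join(rdata) for rdata in txts]
    matching = [r for r in records if r.startswith("v=" + version)]
    if len(matching) != 1:
        return None
    return {"tags": parse_tags(matching[0]), "via": chain}


def lookup_dmarc(domain: str, zone: Dict[str, Dict[str, list]] = ZONE) -> Optional[dict]:
    """DMARC policy discovery: the TXT record at _dmarc.<domain>."""
    return _lookup("_dmarc.%s." % domain.rstrip("."), "DMARC1", zone)


def lookup_dkim(selector: str, domain: str, zone: Dict[str, Dict[str, list]] = ZONE) -> Optional[dict]:
    """DKIM key retrieval: the TXT record at <selector>._domainkey.<domain>."""
    return _lookup("%s._domainkey.%s." % (selector, domain.rstrip(".")), "DKIM1", zone)


if __name__ == "__main__":
    for dom in ("direct.example", "aliased.example", "missing.example"):
        print(dom, "->", lookup_dmarc(dom))
    print("s1 DKIM key ->", lookup_dkim("s1", "aliased.example"))
    try:
        lookup_dmarc("loop.example")
    except RuntimeError as exc:
        print("loop.example ->", exc)
```

The `via` list in each result records the CNAME targets that were followed; for `direct.example` it is empty, for `aliased.example` it names the hosted record at the placeholder provider. The loop guard and depth bound are the caveat a practitioner wants when delegating `_dmarc` or `_domainkey` names to a third party: the CNAME target is now part of your policy, and a dangling or looping target silently leaves you with no DMARC record at all.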