Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification

"Murray S. Kucherawy" <> Fri, 07 May 2021 21:25 UTC

On Fri, May 7, 2021 at 1:03 PM Douglas Foster <> wrote:

> *The existence / non-existence test:*
> Given an identifier which is presumed to be a DNS domain name, perform a
> DNS lookup based on that name.
> The query may:
> [...]
> - return results using data from a parent domain

Can you give an example?  Otherwise I don't know what distinction you're
trying to make.

> Is there a query or collection of queries that can ensure that we only
> accept results from the identifier domain and not from the parent?

I don't understand.  In the "answer" portion of a DNS record, you either
get what you asked for (or something matching it like a wildcard), or you
don't.  Anything else you might get is "glue" data, which as I recall is
easy to identify and exclude.

> *Wildcard DNS:*
> Wildcard entries create intentional ambiguity.   How do we suggest that
> wildcard results should be factored into the evaluation?

You can't, as far as I know.  That's the nature of wildcard records.

> *The mail-enabled test:*
> Once existence / non-existence is determined, is it desirable to test for
> "mail enabled"?

It may be, but it's historically an expensive test with false negatives, as
far as I recall from my time working on mailing list software.  Those sorts
of probes get you into block lists if you do them a lot.

> If so, what role should parent-domain results play in answering this
> question?
> If "Mail Enabled" is relevant, why is the existence of an SPF policy
> irrelevant?

I don't understand the purpose of the latter question.
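
Added illustration (not part of the original message or of any DMARC draft): a standard-library Python parser that separates a DNS response's answer section from its authority and additional ("glue") records, the distinction drawn in the reply above. The function names and both sample messages are constructed for this example; it assumes one question per message and does not follow CNAME chains or detect wildcard synthesis.

```python
import struct
A, NS = 1, 2  # DNS RR type codes

def enc(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):                          # bound hops: rejects pointer loops
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels).lower(), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or pointer loop")

def sections(msg):
    """Return (rcode, qname, {section: [(owner, rtype), ...]}) for a response."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)               # assumes one question (qd == 1)
    off += 4                                      # skip QTYPE and QCLASS
    out = {"answer": [], "authority": [], "additional": []}
    for label, count in zip(out, (an, ns, ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            out[label].append((owner, rtype))
    return flags & 0x000F, qname, out

def answered(msg, qtype):
    """True only if the answer section holds qtype data owned by the query name."""
    rcode, qname, sec = sections(msg)
    return rcode == 0 and (qname, qtype) in sec["answer"]

def rr(owner, rtype, rdata):
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

def response(qname, counts, body):
    return struct.pack("!6H", 0x1234, 0x8180, 1, *counts) + enc(qname) + struct.pack("!HH", A, 1) + body

# Constructed sample messages (example.com names, 192.0.2.0/24 addresses).
GLUE = rr(enc("example.com"), NS, enc("ns.example.com")) + rr(enc("ns.example.com"), A, bytes([192, 0, 2, 53]))
DIRECT = response("mail.example.com", (1, 1, 1), rr(b"\xc0\x0c", A, bytes([192, 0, 2, 10])) + GLUE)
PARENT_ONLY = response("sub.example.com", (0, 1, 1), GLUE)
```

`answered(DIRECT, A)` is true because the answer section carries an A record owned by the query name; `answered(PARENT_ONLY, A)` is false because that message carries only authority and additional records about the parent zone.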