[dmarc-ietf] Using CNAME records to DMARC templates causes issues
jbouwh <dmarc-list@jbsoft.nl> Tue, 02 March 2021 07:49 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Vp4xcc_i9Wo1_vlwnHKsIrJr4lM>
Hi all,

I am new to this list, and will give a short introduction to myself. I work for the Dutch government as an IT architect. One of my goals is improving mail security. As the Dutch government we commit to comply with SPF, DKIM, DMARC, DANE and IPv6 standards. With this we are challenged to keep the technical environment manageable. Some of our government IT partners use CNAME records to refer to DMARC templates, and we are planning to use the same technique. Using templates makes it easier to maintain DNS records.

For private purposes I am running my own mail server using opendmarc together with postfix, amavis, spamassassin, opendkim and postfix-policyd-spf. While testing mail policies that were published using a CNAME, I noticed opendmarc is not handling the published policies, but is acting as if no policy was published. To address this issue I have submitted an issue to the opendmarc project.

https://github.com/trusteddomainproject/OpenDMARC/issues/103

My questions are:
- Is it a common practice to use a CNAME DNS record to reference DMARC templates?
- Is it a known issue that opendmarc does not process the published policies when they are published using a CNAME?

If this is caused by a software bug, this could be a serious security issue.

Regards,
Jan
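Added example, not part of the original post and not OpenDMARC code: a small offline model of DMARC policy lookup at _dmarc.<domain> showing how a verifier that only accepts TXT data owned by the queried name sees "no policy" for a CNAME-published record, while one that follows the alias finds it. The zone contents, domain names and function names are constructed for illustration, the flawed lookup is a hypothetical failure mode rather than a diagnosis of the reported issue, and organizational-domain fallback is left out.

```python
# Constructed sample zone (example names, not real data): the domain's
# _dmarc name is a CNAME to a shared template that holds the TXT record.
ZONE = {
    ("_dmarc.example.nl", "CNAME"): ["_dmarc.template.example.net"],
    ("_dmarc.template.example.net", "TXT"): [
        "v=DMARC1; p=reject; rua=mailto:reports@example.net"
    ],
    ("_dmarc.loop.example", "CNAME"): ["_dmarc.loop.example"],
}


def lookup_txt_exact(name, zone=ZONE):
    """Flawed lookup: only accepts TXT data owned by the queried name."""
    return zone.get((name, "TXT"), [])


def lookup_txt_following_cname(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs (bounded, loop-safe) before reading the TXT RRset."""
    seen = set()
    while name not in seen and len(seen) < max_hops:
        seen.add(name)
        target = zone.get((name, "CNAME"))
        if not target:
            return zone.get((name, "TXT"), [])
        name = target[0].rstrip(".").lower()
    return []  # loop or chain too long: treat as no usable answer


def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; None if not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    first = txt.split(";", 1)[0].replace(" ", "")
    return tags if first == "v=DMARC1" else None


def discover_policy(domain, lookup):
    """Return the domain's DMARC tags, or None when no policy is found."""
    records = [parse_dmarc(t) for t in lookup("_dmarc." + domain.lower())]
    records = [r for r in records if r is not None]
    # More than one DMARC record means policy discovery yields no policy.
    return records[0] if len(records) == 1 else None
```

Running discover_policy with each lookup against the same zone makes the difference visible: a receiver using the exact-owner lookup applies no DMARC policy to mail from example.nl even though the domain publishes p=reject.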