[dmarc-ietf] Using CNAME records to DMARC templates causes issues

jbouwh <dmarc-list@jbsoft.nl> Tue, 02 March 2021 07:49 UTC

Return-Path: <dmarc-list@jbsoft.nl>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 581B33A2801 for <dmarc@ietfa.amsl.com>; Mon, 1 Mar 2021 23:49:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jbsoft.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ixBAOgf49XFu for <dmarc@ietfa.amsl.com>; Mon, 1 Mar 2021 23:49:31 -0800 (PST)
Received: from alpha.jbsoft.nl (alpha.jbsoft.nl [83.137.149.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AA9AA3A2808 for <dmarc@ietf.org>; Mon, 1 Mar 2021 23:49:31 -0800 (PST)
Received: from localhost (localhost.localdomain [127.0.0.1]) by alpha.jbsoft.nl (Postfix) with ESMTP id B9B5B27FE71A for <dmarc@ietf.org>; Tue, 2 Mar 2021 08:49:27 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at alpha.jbsoft.nl
Received: from alpha.jbsoft.nl ([83.137.149.52]) by localhost (alpha.jbsoft.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id oNRvieb69VPz for <dmarc@ietf.org>; Tue, 2 Mar 2021 08:49:27 +0100 (CET)
Received: from webmail.jbsoft.nl (alpha.jbsoft.nl [83.137.149.52]) (using TLSv1.2 with cipher DHE-RSA-CAMELLIA256-SHA256 (256/256 bits)) (No client certificate requested) by alpha.jbsoft.nl (Postfix) with ESMTPSA id 94BB627FE3F2 for <dmarc@ietf.org>; Tue, 2 Mar 2021 08:49:27 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 alpha.jbsoft.nl 94BB627FE3F2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jbsoft.nl; s=201607; t=1614671367; bh=fqyOFQpUubrsWlU1xFjn4jrZFQyDPbDRekEwsguPxWE=; h=Date:From:To:Subject:From; b=sI6RjXIBMndjzk/5vKhLVZ5/CWXI1SdkXTfdWaTlf4lGAO5+6X0YgJq87u5KgTtII Lhxg2g0iNxClUcx5qiBD5ZvyGunT4DXh73yrfhUvah2diUA76Zd7iaC/3UIDVodsvX zlwvJheA3P8ZL+NibmNL9MedZmTkYDBtcEBTR6bqQnP97fW8ymFpEy9ElUX6IXsJqJ 2/JL8UVeOqvsOGrFLSiQ9v+VncKIKN1QY3o8hkqrvlpn6VFzZ9Q0Km10t6r5u9J7Au GKp8gf+SXKVcxHgyPiMGh4eRDhDjl2jQipNH28y+A68aCqV8m7FkN7ZleR8goK+cmQ tCC/En8VK9a9Q==
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Tue, 02 Mar 2021 08:49:27 +0100
From: jbouwh <dmarc-list@jbsoft.nl>
To: dmarc@ietf.org
Message-ID: <edfb0a04df4620f8b9f6eaa659923d02@jbsoft.nl>
X-Sender: dmarc-list@jbsoft.nl
User-Agent: Roundcube Webmail/1.3.16
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Vp4xcc_i9Wo1_vlwnHKsIrJr4lM>
Subject: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2021 07:50:43 -0000

Hi all,
I am new to this list, and will give a short introduction to myself.
I work for the Dutch government as an IT architect. One of my goals is 
improving mail security.
As Dutch government we commit to comply to SPF, DKIM, DMARC, DANE and 
IPv6 standards.
With this we are challenged to keep the technical environment 
manageable.
Some of our government IT partners use CNAME records to refer to DMARC 
templates, and we are planning to use the same technique. Using 
templates makes it more easy to maintain DNS records.

For private purposes I am running my own mail server using opendmarc 
together with postfix, amavis, spamassasin, opendkim and 
postfix-policyd-spf.
During testing mail policies that where published using a CNAME, I 
noticed opendmarc is not handling the published policies, but is acting 
as if no policy was published. To address this issue I have submitted an 
issue to the opendmarc project.

https://github.com/trusteddomainproject/OpenDMARC/issues/103

My questions are:
-	Is it a common practice to use CNAME DNS record to reference DMARC 
templates?
-	Is it a known issue opendmarc does not process the published policies 
when they are published using a CNAME? If this is caused due to a 
software bug, this could be a serious security issue.

Regards,
Jan