Re: [dmarc-ietf] Rolling out the experiment

Alessandro Vesely <> Wed, 03 April 2019 09:32 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9F3F41200B9 for <>; Wed, 3 Apr 2019 02:32:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1152-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6domxxhQV1GR for <>; Wed, 3 Apr 2019 02:32:47 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0CCE61200B2 for <>; Wed, 3 Apr 2019 02:32:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; t=1554283965; bh=j1q83oLZgazZN27kYaD005UnTkb4J5SIzC1gyK/7Y58=; l=1855; h=To:References:From:Date:In-Reply-To; b=AxIgzovxo6naWwO3RlgIIEdTB3kdLlsSyTtciL4Q4EyVGWNZaS54iG/kn/ejSIPdA hB9F8EJXoX5fnGIB9Y5ZfFeSOerX4BVESYMITnpbpxqffKDSVBFMC+GyHkjICC0uQh z1m/Z+6sa2v3wOdZTAUBMGxYS1UXw3idp3uVK7ZKJK64Uytpe7OOYOqurbICx
Authentication-Results:; auth=pass (details omitted)
Received: from [] (pcale.tana []) (AUTH: CRAM-MD5 uXDGrn@SYT0/k) by with ESMTPA; Wed, 03 Apr 2019 11:32:45 +0200 id 00000000005DC00B.000000005CA47DBD.0000795C
To: Ian Levy <>, "" <>, "" <>
References: <> <LO2P123MB228545562601B6B06D230B8CC9550@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
From: Alessandro Vesely <>
Openpgp: id=0A5B4BB141A53F7F55FC8CBCB6ACF44490D17C00
Message-ID: <>
Date: Wed, 3 Apr 2019 11:32:44 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1
MIME-Version: 1.0
In-Reply-To: <LO2P123MB228545562601B6B06D230B8CC9550@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <>
Subject: Re: [dmarc-ietf] Rolling out the experiment
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Apr 2019 09:32:49 -0000

On Mon 01/Apr/2019 09:03:34 +0200 Ian Levy wrote:

>   * SPF and ASDP polices can still be published for non-existent domains
> Sure, but I can’t predict what non-existent subdomains criminals are going to
> use next. Should I publish a set of TXT records for uniquely?
> Given we’ve no way of predicting that, we’re responding to any query for TXT
> records  for any undelegated subdomain with an SPF and DMARC record.
> Regardless of how we intend to detect non-existent subdomains (for some value
> of non-existent), we’ll need to stop responding with those default records on
> to do something approaching real world testing of PSD-DMARC.

This argument is utterly confusing to me.  When I read Scott's draft, I
understood he was talking about _existing_ domains.  Indeed, that sounded
somewhat strange, since the higher level domain's owner should have a say on
the policies that subdomains have to follow, but IANAL.

DMARC had reject-on-nxdomain, but then reduced it to appendix A.4.  ADSP
(historic) left it to undefined.  Yet, it's the only (deprecated) auth-method
having a "nxdomain" code.  If we are seeking a spec that enables parent domains
to specify reject-on-nxdomain for their subdomains, it doesn't seem to be
necessarily related to DMARC.  (I mean DMARC as a spec, not the dmarc WG.)

    ale@pcale:~/tmp$ dig +short txt
    "v=spf1 ?all"

I agree that's an evil kludge.  (Why ?all?)  Dave just posted a draft about DNS
perimeter, which might possibly evolve so as to allow only the _dmarc label to
return the above record (can it?), while perhaps returns the
spf1 stuff.  It is still overly complicated w.r.t. such a simple task as