Re: [dmarc-ietf] [Gen-art] [Last-Call] Genart last call review of draft-ietf-dmarc-psd-08

Douglas Foster <> Tue, 19 January 2021 22:11 UTC


No Murray, I was speaking to the PSD document.

PSD's entire purpose is to detect abuse of non-existent organizational
domains, so the definition of non-existent is crucial to its success. I
believe the current language will produce false positives, albeit probably
a small number. The current language is also more resource-intensive
than mine, although that is not my concern.

I believe this is also a general problem that full DMARC should address.
If a domain exists but does not have a policy, we interpret this to mean
that the domain owner has not chosen to publish a policy, which is his
right. If a domain does not exist, then there is no domain owner to
publish a policy and no reason to believe that the use of the domain is
legitimate. In fact, use of an unregistered domain is a violation of IETF
policy and the entire name registration infrastructure. Consequently, I
believe that SPF and DMARC SHOULD differentiate between "policy not
specified" and NXDOMAIN. But to put this topic into play for DMARC, I
need to create a ticket, right?

I also want PSD to use a correct definition of non-existent because it will
establish a precedent for any generalization done as part of the full DMARC

Doug Foster

On Tue, Jan 19, 2021 at 9:23 AM Murray S. Kucherawy <> wrote:

> On Tue, Jan 19, 2021 at 4:34 AM Douglas Foster <> wrote:
>
>> I raised objections to the definition of "non-existent", which never
>> received an adequate response before the discussion went silent.
>> DMARC checks the From header address, which may exist only as an
>> identifier used for mass mailings. These mailings are often sent by an
>> ESP using an unrelated SMTP address. As such, the From address need not
>> be associated with any A, AAAA, or MX record. I assert that the only
>> viable definition of non-existent is "not registered", as evidenced by
>> absence of an NS record.
>
> This is a discussion of DMARC, not of PSD, right?  DMARC defines this test
> in an Appendix, and then makes it non-mandatory.  PSD says to apply that
> test for domains that request it.
>
> Hooking this test up to registration requires introducing RDAP or
> something similar.  Is that what we're talking about here?
>
>> I don't believe the proposed definition of "non-existent" is reliably true
>> even in the special case of interest for this document, impersonation fraud
>> occurring at the top of an organizational structure.  Example.PSD may
>> legitimately use mail.Example.PSD for email and www.example.psd for web.
>> If the proposed condition MUST always be true, I have not seen that fact
>> demonstrated.  Since the document raises a general concern about
>> fraudulent use of non-existent domains, the definition used should be one
>> that can be generalized.
>
> This sounds like something that should be solved in DMARC, not PSD, but
> naturally consensus wins here, so have at it.
>
> -MSK
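The two definitions argued over in this thread (the A/AAAA/MX test Murray attributes to the DMARC appendix, and the "not registered, no NS record" test Doug proposes), run side by side over constructed DNS data, as an added example that is not part of the thread or of any draft text. The zone contents, the one-entry public-suffix set and the label-walk used to find the delegation point are assumptions; it shows how the apex-without-records and ESP-identifier cases from the thread diverge between the two tests.

```python
"""Compare two candidate "non-existent From domain" tests on offline data.

Added example, not from the mailing-list thread or any DMARC/PSD draft.
"""

# Constructed records: name -> {rrtype: [rdata]}. A name missing from the map
# behaves as NXDOMAIN; a present name lacking the queried type is NODATA.
ZONE = {
    "example.psd": {"NS": ["ns1.example.psd."], "TXT": ["v=spf1 -all"]},
    "mail.example.psd": {"MX": ["10 mail.example.psd."], "A": ["192.0.2.10"]},
    "www.example.psd": {"A": ["192.0.2.20"]},
    # From domain that exists only as a mass-mailing identifier sent via an ESP
    "news.example.psd": {"TXT": ["v=spf1 include:_spf.esp.example -all"]},
}
PUBLIC_SUFFIXES = {"psd"}  # constructed PSD; real code would consult the PSL


def lookup(name, rrtype):
    """Return the RRset for (name, rrtype), or [] on NXDOMAIN/NODATA."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rrtype, [])


def nonexistent_by_a_aaaa_mx(name):
    """Appendix-style test: no A, AAAA or MX record at the From domain itself."""
    return not any(lookup(name, t) for t in ("A", "AAAA", "MX"))


def nonexistent_by_ns(name):
    """Registration test: no NS record at the name or any ancestor below the
    public suffix. Assumes a registered domain carries NS at its apex, so its
    subdomains inherit existence from that delegation (an assumption here)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            break
        if lookup(candidate, "NS"):
            return False
    return True


def compare(name):
    """Return (a_aaaa_mx_test_says_nonexistent, ns_test_says_nonexistent)."""
    return nonexistent_by_a_aaaa_mx(name), nonexistent_by_ns(name)


if __name__ == "__main__":
    for d in ("example.psd", "news.example.psd", "mail.example.psd", "bogus.psd"):
        a, n = compare(d)
        print(f"{d:18} A/AAAA/MX-test nonexistent={a!s:5} NS-test nonexistent={n}")
```

The apex `example.psd` (mail and web on subdomains) and the ESP identifier `news.example.psd` are flagged non-existent by the A/AAAA/MX test but not by the NS test; only the unregistered `bogus.psd` is flagged by both.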