Re: [dmarc-ietf] NXDOMAIN

Tim Wicinski <tjw.ietf@gmail.com> Mon, 05 April 2021 21:47 UTC

From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Mon, 05 Apr 2021 17:46:45 -0400
Message-ID: <CADyWQ+F4XDx4HsXFdWQZE3gwg8yk7zBv+f5iHk2nEzOpRT4n1g@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/aaHnaAAUmyXSXM7CsflNDn83eDY>

Can you point me to some of the tests you are running? You can do that
offline.

You also want to do some testing with domains signed with DNSSEC and those
without.

This came up as an issue in OpenDMARC:

https://github.com/trusteddomainproject/OpenDMARC/issues/103#issuecomment-810036114

On Mon, Apr 5, 2021 at 5:02 PM Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:

> As a result of earlier discussions, I have been investigating NXDOMAIN as
> an email filtering criterion.
>
> One question from those discussions was the best way to detect NXDOMAIN.
> I realized that I needed a query which specifically returns NXDOMAIN as a
> result, not simply the absence of a particular result. Additionally, a
> lookup on A/AAAA with results could represent either a domain name with no
> host segment, or a host segment and a parent domain. Consequently, the
> best test seems to query for type=TXT, match=domainname.
>
> I have applied this rule to incoming RFC5322.MailFrom addresses and found
> the test to be useful. For my mail stream, 20% of the messages with
> SPF=NONE have this result because of NXDOMAIN. The percentages were
> roughly equal whether evaluating unique domain names or unique messages.
>
> While both SPF=NONE and SPF=NXDOMAIN are indicators that the message is
> probably unwanted, NXDOMAIN has a higher probability of being unwanted.
>
> I have not yet begun evaluating NXDOMAIN on the RFC5322.From address, but
> hope to get that done in the weeks ahead.
>
> Is anyone else collecting data on NXDOMAIN, and able to share experience?
>
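
Added example, not written by either participant in this thread: a sketch of the TXT-based check described in the quoted message, which separates an NXDOMAIN response code from a NOERROR reply with no TXT records, and also reports the AD flag so results for DNSSEC-signed and unsigned domains can be compared. The function names, the name `example.invalid`, the query id and the reply bytes are all constructed for illustration, and the reply is assumed to come from a recursive resolver.

```python
import struct

TYPE_TXT, CLASS_IN = 16, 1
QR, TC, AD, RCODE_MASK = 0x8000, 0x0200, 0x0020, 0x000F

def build_txt_query(domain, qid):
    """Wire-format TXT query with RD and AD set (AD asks a validating resolver to report status)."""
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in domain.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!6H", qid, 0x0120, 1, 0, 0, 0) + qname + struct.pack("!2H", TYPE_TXT, CLASS_IN)

def classify(response, qid):
    """Return (status, dnssec_validated) from the header of a recursive resolver's reply."""
    if len(response) < 12:
        raise ValueError("short DNS message")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if rid != qid or not flags & QR:
        raise ValueError("not a response to this query")
    if flags & TC:
        return "TRUNCATED", False          # retry over TCP before deciding
    rcode = flags & RCODE_MASK
    if rcode == 3:
        status = "NXDOMAIN"                # the name does not exist at all
    elif rcode == 0:
        status = "EXISTS_TXT" if ancount else "NODATA"  # NODATA: name exists, no TXT
    else:
        status = "TEMPFAIL"                # SERVFAIL, REFUSED, ...: no verdict on existence
    return status, bool(flags & AD)

def constructed_reply(query, flags, txt=None):
    """Fixture: turn a query into a reply with the given flags and an optional TXT answer."""
    answer = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt
        # 0xc00c is a compression pointer back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!2HIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    counts = struct.pack("!5H", flags, 1, 1 if txt is not None else 0, 0, 0)
    return query[:2] + counts + query[12:] + answer

Q = build_txt_query("example.invalid", 0x1234)      # constructed name and query id
SAMPLES = {                                          # constructed replies, not captured traffic
    "nxdomain_unsigned": constructed_reply(Q, 0x8183),
    "nxdomain_signed": constructed_reply(Q, 0x81A3),
    "nodata": constructed_reply(Q, 0x8180),
    "has_txt": constructed_reply(Q, 0x8180, b"v=spf1 -all"),
}
RESULTS = {name: classify(msg, 0x1234) for name, msg in SAMPLES.items()}
```

A TEMPFAIL or TRUNCATED result says nothing about whether the domain exists, so a filter built on this check should treat those as undecided rather than as NXDOMAIN.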