Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues

Douglas Foster <> Tue, 02 March 2021 11:51 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 245843A166F for <>; Tue, 2 Mar 2021 03:51:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mC5-Do6rO1-I for <>; Tue, 2 Mar 2021 03:51:31 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 180DA3A166E for <>; Tue, 2 Mar 2021 03:51:31 -0800 (PST)
Received: by with SMTP id c6so24840406ede.0 for <>; Tue, 02 Mar 2021 03:51:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Ba2tmH/1rNZl9oRRa99iJC+XjWyMrfLPKSrrwyWxI8I=; b=DZMhlgMvoQFmJpGKA8X0GW4VgMGzNVyw5/zbvNfPRTX+4xOWLYTrQpFsNxURRpz2gq 5lFibSiBySZ2/q8JTlc2/DivDE/ySZ+cURu8BAREboRZVWG5AjQ9vq3yf/O87eHZbx1g r4Xgdi2rf6T+ceQay0um04YxyDsTbikX4BJ4YS1VAgyiOW19ioYhMwtMHLMkWc48rcQy t+A0wn+TtySg9Yhl0QJC6baAcOCIUXffOZntH8zPAj42NULY4PX3NUXmBSnyUomm5RNt /7xjvizvuFRv7uhj/EXm3QEClgL/xC6YdxfDaRjYW0gjQzBqBwYjwEV2mwWFWnJ69Jig +A7Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Ba2tmH/1rNZl9oRRa99iJC+XjWyMrfLPKSrrwyWxI8I=; b=sZUVEhNz03E5k0VbJalOJcsw2sYABQISmwLg+a8N4o3vYcKiGOYczM01l4d8hbs/w4 BG05DO4PAnGzdhRejZr9sK8eIwiPfslFQHcR/ft0p0uXFQm7ACZqucAKYORIxf89U/lp Xgi5ZYi6oNmsS8d3sJ0v+1iRlFa9wzhBYQrlr+53ZcYW0qfv+cqCEP2pm4qWEUthMCZ/ JBMFwhleCMH0XsMlR1k7Y9UA/Ww5G/pL1OYpAoTmrWvTV+TdicKPh1qoPkkACLiyVsLx xcye++D8DLCltdW0TWwcYhic27gEqhJl2ITuqgzHPCWvlQhkF2lLLGkqD5dIXqNTLKJw JhRQ==
X-Gm-Message-State: AOAM531JZ6TERJP7kTNRPX1mExBaD+kDl8VaBFdoW7q5BmcZRn/jRqYD jTw8/HzyQGxidRFGiOVGleCptj21fDXrhy6gWdE=
X-Google-Smtp-Source: ABdhPJwrUrBfp17fx4ErmqM/e6MMj+Pf1iiy1qcS7eLTdn7F+BmlBEHIHzUKmZxSeo6x1x5IB5qx+hHSoMFuhV+Jnzw=
X-Received: by 2002:a50:d753:: with SMTP id i19mr19535888edj.43.1614685889452; Tue, 02 Mar 2021 03:51:29 -0800 (PST)
MIME-Version: 1.0
References: <> <> <> <>
In-Reply-To: <>
From: Douglas Foster <>
Date: Tue, 2 Mar 2021 06:51:17 -0500
Message-ID: <>
To: Tim Wicinski <>
Cc: Henning Krause <>, "" <>
Content-Type: multipart/alternative; boundary="000000000000dd616405bc8c5a8d"
Archived-At: <>
Subject: Re: [dmarc-ietf] Using CNAME records to DMARC templates causes issues
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 02 Mar 2021 11:51:33 -0000

Because CNAME usage was not mentioned in the previous DMARC document,
existing implementations may not have tested this configuration.   For the
policy publishing organization, this increases the possibility that some
recipients may treat the mail as not protected by DMARC.     As with any
deployment issue, the publishing organization has no reliable way to know
if the deployment of DMARC implementations with full CNAME support is
"essentially complete".  This uncertainty may be acceptable for some
organizations, but may be an obstacle for others, depending on their
motivations for implementing DMARC.

On the implementation side, the use of CNAME will introduce the
possibility of referral errors, which may or may not require mentioning in
the DMARC specification, since such issues have probably been addressed in
core DNS documents.   The issues that come to mind are:
CNAME referrals to non-existent names
Nested CNAME referrals (what depth is allowed?)
CNAME referrals that produce loops or excessive nesting depth.


On Tue, Mar 2, 2021 at 6:12 AM Tim Wicinski <> wrote:

> Using a CNAME at  _dmarc.example should not be a problem, as long as
> the CNAME target is a TXT record.  The DNS resolver functions should
> should handle this seamlessly. This does sound like a vendor software
> problem.
> I am aware of DKIM records being deployed using CNAMEs pointing to a TXT
> record target.
> Has anyone seen the above error condition when testing DKIM records?
> This definitely sounds like an issue with the software.
> Nobody should shy away from publishing DMARC records that are CNAMEs to
> TXT records elsewhere. Using this design should be strongly encouraged.
> tim
> _______________________________________________
> dmarc mailing list