IETF Logo Mail Archive

Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd

Alessandro Vesely <vesely@tana.it> Tue, 16 July 2019 14:53 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E24B12061C for <dmarc@ietfa.amsl.com>; Tue, 16 Jul 2019 07:53:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Um7-RE-geRqb for <dmarc@ietfa.amsl.com>; Tue, 16 Jul 2019 07:53:24 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79FD712064D for <dmarc@ietf.org>; Tue, 16 Jul 2019 07:53:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1563288787; bh=ZBabvkqn06BrLanNkZe6KDhDNtPrCJpuX0CVHMP+nH4=; l=10946; h=To:References:From:Date:In-Reply-To; b=BWe7oiLuHtdeQF2cAACiA9wc4W03uU0SeBusjtj5OvlmowZJYKUn2rFuzn24NQim6 lMV3VSrCN6iAA619detmDQQOATGYDbxd2QYO57KT/ZMHTTZ/HrsNE4niny6om/uDFa VYGVDvSk+Llv8bzKHD5ikuub0ffWBwkBwnDBKsswaP2Jv9QdgZ5Et1TGPskf+
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [192.168.1.100] ([5.170.10.39]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLSv1.2, 128bits, ECDHE-RSA-AES128-GCM-SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC07B.000000005D2DE4D2.00005C18; Tue, 16 Jul 2019 16:53:06 +0200
To: dmarc@ietf.org
References: <20190713043409.A5EB64A61C0@ary.local> <3017917.gKNyNSpcLf@l5580> <LO2P123MB22851389EC8F8098BD80211CC9CF0@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
From: Alessandro Vesely <vesely@tana.it>
Openpgp: preference=signencrypt
Message-ID: <51e6b971-270e-a54f-bfb1-4a5d0ba8a94f@tana.it>
Date: Tue, 16 Jul 2019 16:53:05 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=_north-23576-1563288786-0001-2"
In-Reply-To: <LO2P123MB22851389EC8F8098BD80211CC9CF0@LO2P123MB2285.GBRP123.PROD.OUTLOOK.COM>
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jRpdSxny6T9fIYubpRkkaFdKtEU>
Subject: Re: [dmarc-ietf] Nonexistent Domain Policy was: Re: Working Group Last Call: draft-ietf-dmarc-psd
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 14:53:27 -0000

On Mon 15/Jul/2019 09:08:04 +0200 Ian Levy wrote:

> Sorry for not contributing more to this thread - please don't take it as any indication of lack of interest. For UK NCSC specifically, I think we'd prefer NXDOMAIN rather than NODATA, given it's more constrained and this is an experiment. My view would be that if we've published a name under gov.uk, even with no valid (in the eyes of the receiver) associated records, then *someone* is responsible for it and we can go find and educate them. They may even believe they have a valid reason for doing so that may outweigh any email authentication concerns. But there's a conversation to be had. If there's no published name, then there's no-one responsible, so it should default to the top-level policy. 


I agree that np should default to p.  The original wording for sp is also simpler than''If absent, the policy specified by the "sp" (if present) and then the "p" tag, if not, MUST be applied for non-existent subdomains.''  (BTW, mind that "sp" instead of "np" in the new tag's definition.)


> [...] 
> Here's the volume of reports received on our normal DMARC processing chain in January 2019 (noting Microsoft are one of the bigger providers in the UK and *still* don't generate any reports): 
> 
> Reporter 	Total Reports 
> google.com 	61,363,605 
> Yahoo! Inc. 	18,876,201 
> Mail.Ru 	699,554 
> sercoglobal.com 227,587 
> AMAZON-SES 	178,262


That is at odds with the order reported by dmarcian:

NetEase (163.com, 126.com, yeah.net)
Google *
Yahoo!
Microsoft
AOL
cisco Systems
DHL
Comcast *
Tencent (qq.com)
Mail.ru
... https://dmarc.org/stats/dmarc-reporting/
(That used to be on dmarcian, but couldn't find it any more)


> And here's the volume for the same month for the synthetic DMARC reports : 
> Reporter 		Total Reports 
> google.com 		23,745 
> Yahoo! Inc. 		1,060 
> emailsrvr.com 		64 
> dev.johnlewis.co.uk 	37 
> bridgend.gov.uk 	30
> 
> Just from that, it's pretty clear that the synthesized DMARC records are not universally processed, which gives weight to completing this work and starting to try things out. Given the level of inconsistency we see in receiver behaviour, I think it'd be easier to start with NXDOMAIN and see what that actually achieves. 
> 
> I may well be missing something subtle, so please correct me if I've got this wrong. 


Hmm...  Mail.ru reports seem to be missing from non-existing domains.  My experience differs slightly.  Yesterday I sent a few messages to mail.ru.  Five of them from a nonext domain (IP 5.170.8.66), all of which were rejected, two of which were reported in the aggregate report attached.  However risible these numbers may sound when compared to yours, it is clear that not all messages are reported.

It is possible that some cases of non-existent domain are treated as a short-cut, skipping message registration and DMARC verification altogether, even if the reject always came after DATA...  Just mumbling.  Considering that most DMARC packages work as mail filters, I'd expect messages filtered out before will never make their way to aggregate reports.  Is that a DMARC violation?


Best
Ale
--
--- Begin Message ---
Feedback from Mail.Ru

Feedback from Mail.Ru

Id: 68064799912189070641563148800; begin: 2019-07-15T00:00:00Z; end: 2019-07-16T00:00:00Z
Domain: tana.it; DKIM: relaxed; SPF: relaxed; policy published: none none 100

Relaying IP message count reason and disposition From header
(opt. envelope) 		SPF DKIM
http://www.tana.it/lookup.php?host=5.170.8.66" rel="nofollow">5.170.8.661nonext.tana.itme
http://www.tana.it/lookup.php?host=5.170.8.66" rel="nofollow">5.170.8.661nonext.tana.ittana.it
http://www.tana.it/lookup.php?host=82.195.75.100" rel="nofollow">82.195.75.1007tana.itlists.debian.org tana.it
http://www.tana.it/lookup.php?host=62.94.243.226" rel="nofollow">62.94.243.2261tana.ittana.it tana.it

Legend
disposition: quarantine, reject.
spf: pass, fail, softfail, temperror or permerror.
dkim: pass, fail, policy. 

This is an aggregate report from Mail.Ru.
--- End Message ---

v2.23.0 | Report a Bug | By Email