IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 18 May 2021 05:19 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A0903A1057 for <dmarc@ietfa.amsl.com>; Mon, 17 May 2021 22:19:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HqLv0A_UBQTf for <dmarc@ietfa.amsl.com>; Mon, 17 May 2021 22:19:08 -0700 (PDT)
Received: from mail-ot1-x335.google.com (mail-ot1-x335.google.com [IPv6:2607:f8b0:4864:20::335]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D03DA3A1038 for <dmarc@ietf.org>; Mon, 17 May 2021 22:19:08 -0700 (PDT)
Received: by mail-ot1-x335.google.com with SMTP id q7-20020a9d57870000b02902a5c2bd8c17so7623866oth.5 for <dmarc@ietf.org>; Mon, 17 May 2021 22:19:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=N7HC3FJOf8GDSkhe0cWce0yThyUZTi57ZmS3zMeqY+k=; b=EOB7PCzx0RdiUlJpi37YyOlwVoLVVYqWBEsrKVaeI6yKsPUR9lQy8Wim7az3wvfbid YCCWEKwc/5pdrRC7bdAHjdYRPOa5K6n4+TXZ2WOBY0eF4SGR0gacr8ExJTNQJuyJwbRB l+9OhXp6izWXLcC/Mvt3kDbbrhQpr4hHhk9MN4dCevHZnIgzT/yi8NFtYPRYL8xM5Q4P Pc4f9BQhCMV5xBxxbzQP0cNnJ7QFutNWXiwEC/dYDZGQKEYt4k9S9k/3RA2Bdh+IeV8g JxCXv7RB+7dY9Mb/AQeK4cbSMfI2iIJKYyHffJAbULorOrpUxf71wFI+hzFcReB1eip4 eL+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=N7HC3FJOf8GDSkhe0cWce0yThyUZTi57ZmS3zMeqY+k=; b=R+wxNJvViNiEEAwZ7g74evO/xM24qf8x0DzXbvxcRfYiOFR8hR8xf63YRvkt+Y1qhK wtBDqsp7jYPrGPAWun2/mSB/VGYvVVmfvL+zXzt65mvPHspR5FFqrJfHhq9MVLuMaoVB YuoSGx2Y9FBOr4bqCLZMCYHxj20cBdvSWPjp3lMEVIdK/NjpRWUnqmlODuJw3csyLLDp svEd8ZEsZIClbn/jKmmH9qGmdFPSYwUAkRZGVyeM9jhUyWO7f38HeXeWcUz+4AxWWLae AmL0yaeokjXImCD8uiciAo7n4pnTkmz2QTyK8hbXy+xTBERPoestj8HUuy5p8ZqIUk4t TLRQ==
X-Gm-Message-State: AOAM532TtxrsXWqbCdseG6yOQgposqqN2G6ZVZiofPfN7DzprHY3i2ZV p8ai65RDKypiFyO07OvU53rOIHJ7Chcpyi0DDZsEbG4C
X-Google-Smtp-Source: ABdhPJyILMnKTmdD5a1WEKFGWeBsDm2N3TFHwuLZFxri0Fi4eYPYK+PcqdR950rM7kY1i0iFKpqr4ZPbMb8WkB9TlRU=
X-Received: by 2002:a9d:7348:: with SMTP id l8mr2849406otk.240.1621315147087; Mon, 17 May 2021 22:19:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfz67fFkyPMhvcQ6JHJLSwH9UAtENrDrzDC=1p-CHJ9oPg@mail.gmail.com> <20210507014508.78064719D42@ary.qy> <CAOZAAfMA4t_prVSKHLq_oifoTh=dLWs9uOjxeMsysZQQ7gqvvg@mail.gmail.com> <CAH48Zfz3ABtxLTOrwVj_YKwkz=4rVpFhDB1-QMRzQFdJbvpwiw@mail.gmail.com> <CAL0qLwZLTyPBj3Mq+spq1ZfFeQoBHeypzREQ68DPMXN5f0HROg@mail.gmail.com>
In-Reply-To: <CAL0qLwZLTyPBj3Mq+spq1ZfFeQoBHeypzREQ68DPMXN5f0HROg@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 18 May 2021 01:18:56 -0400
Message-ID: <CAH48Zfy=wd=f35BRtoPiJKXPbUYvknVdy9OeG-q5kAwg72rJeQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006941f205c293d95e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ppgcr_Q7cR1pWi_aA2bofOkECs0>
Subject: Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 May 2021 05:19:22 -0000

Fatal flaws with the MX/A/AAAA test


   - During DMARC policy evaluation, the process may have retrieved an SPF
   policy or a DKIM public key which is associated with the RFC5322.From
   domain or one of its descendants, even though the SPF test did not pass and
   any relevant DKIM tests did not verify.   Obtaining such data provides
   evidence that the domain name is in use by the domain owner and therefore
   the failure should be handled as SP rather than NP.   But adding this
   condition into the evaluation means that the evaluation is no longer
   deterministic, since the pool of supplementary information can vary from
   one message to the next..
   - If the RFC5321.MailFrom domain is a parent of, or unrelated to, the
   RFC5322.From domain,. then the DMARC evaluation will not have checked for
   an SPF policy on the From domain.   The presence of an SPF policy indicates
   that the domain does exist and that the domain owner has implemented this
   sender authentication mechanism.    If SPF is present, the policy
   evaluation should be SP, not NP, but the SPF policy is not considered by
   the MX/A/AAAA rule.

Problematic ambiguity, depending on the presumed justification for the
MX/A/AAAA test

   - Both MX and SPF can be used to allow or block traffic.   MX can block
   message delivery using a host name of "." (RFC 7505) or any other invalid
   or non-routable name.   SPF can be used to block traffic if the policy is
   "-ALL".   If the selection of MX is intended to score the domain for a
   probability that it is used for email, then the block signals should be
   considered as indicators of NP, and the non-blocking signals should be
   considered as SP.   But then what to do if the signals are not in the same
   direction?

Constraints imposed by DNS

DNS Queries for a specific RR type produce one of three results

   - Data:  An entry matches the requested name, exactly or by wildcard,
   and also matches the requested RR type.
   - NoData:   An entry matches the requested name, exactly or by wildcard,
   but the requested RR type cannot be matched
   - NXDomain:  No entry exists for the name, either exactly or wildcard,
   for any RR type.

When multiple query types are checked for the same domain name, the
multiple three-way results must be consolidated into a single binary
conclusion: SP or NP.    That conclusion will be heavily influenced by
assumptions about how domain administrators will configure their domains,
and such assumptions are difficult to apply globally.

The one exception to this problem is the NS query.   It acts as a query for
type=ANY with the specific results discarded.   As a result, it has only
two outcomes:

   - Data:  The name is used in DNS (policy applied = SP)
   - NXDomain:  The name is not used in DNS.(policy used = NP)

This query has no dependencies on other mail message attributes, so it is
deterministic.
It directly addresses the stated question:   "Has the domain administrator
configured this name into DNS, and therefor has been given the opportunity
to implement sender authentication controls?"
It does not attempt to guess whether the domain configuration indicates
mail system participation or not.
If eliminates the possible need to evaluate specific RR types for allow or
block signals.
It is simple to define and simple to implement.

Doug Foster



On Fri, May 7, 2021 at 5:43 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Thu, May 6, 2021 at 8:14 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> My argument is that that A/AAAA/MX has no useful relevance to determining
>> whether the RFC5322.FROM address of a message should be evaluated based on
>> SP or NP. NP is described as testing "non-existent", rather than "possibly
>> able to receive mail". We need a test that evaluates whether the domain
>> exists or not, and is maximally protected from false positives caused by
>> host names and wildcards.
>>
>> If this group is convinced that A/AAAA/MX is meaningful for the distinction between SP and NP, I am asking someone to provide the justification and define the algorithm.  Right now I have seen neither.
>>
>>
> I continue to be unclear on why you think that test suite against a name
> is inadequate.  Can you demonstrate a live case of a false positive or
> false negative?  Perhaps an actual example will help to move this from the
> abstract to the concrete.
>
> In the meantime, here's what I think is the justification: If you try to
> send me mail apparently from a domain that appears to have no email-related
> presence in the DNS, that strikes me as a reasonable situation in which to
> bounce such a message, and accordingly, a viable test for DMARC to use.
> It's also relatively cheap, given that the DNS is a globally distributed
> highly resilient database specifically built to answer such questions.  An
> "email-related presence" is the three RRTYPEs that SMTP specifically uses
> in trying to make use of a reverse path, and since this is an email
> application, that also strikes me as reasonable.
>
> You could (and some have) go one step further and attempt to make a
> connection to whatever address that test resolved, on port 25, and see if
> something answers.  You could go even further and try to interact via SMTP
> with the server you find there, and test to see if the RFC5322.From address
> responds 250 to RCPT.  But those are far more heavyweight tests, which can
> add substantial time to DMARC processing, and such tests can get you
> blocked from further interaction with those sites as they look like
> address  harvesting probes.
>
> Wildcards are a fact of life.  We will make no progress asserting that
> everyone has to stop using them because they muddy DMARC's waters.  DMARC
> could confirm on getting a positive MX reply that there is (or is not) a
> wildcard MX in play, but I don't know how you would use that information
> because the answer is the same both for "real" names and "fake" ones.  Is
> this the basis for your position that the triple query done today is
> inadequate?
>
> -MSK
>

v2.23.0 | Report a Bug | By Email