Re: [dmarc-ietf] Rethinking DMARC for PSDs

"Douglas E. Foster" <> Mon, 08 April 2019 11:11 UTC

From: "Douglas E. Foster" <>
To: <>, "Scott Kitterman" <>
Date: Mon, 8 Apr 2019 07:10:49 -0400
Message-ID: <>
In-Reply-To: <2380056.rpXNijDuEj@kitterma-e6430>
References: <20190408005045.5EC462011B2BFE@ary.qy> <2380056.rpXNijDuEj@kitterma-e6430>
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs

Have the national CIRT groups made an issue about needing to block non-existent domains?

Because a spammer can create a non-existent government agency like "", this email weakness becomes a national security issue and should be handled as a CVE. This should get the vendors moving. Has it been done?

If not, perhaps Mr Levy would be willing to start the process on behalf of

Doug Foster

 From: "Scott Kitterman" <>
Sent: Sunday, April 7, 2019 10:00 PM
Subject: Re: [dmarc-ietf] Rethinking DMARC for PSDs   
On Sunday, April 07, 2019 08:50:44 PM John Levine wrote:
> In article <> you
> > The problem:
> > Spammers use non-existent domains to achieve identity spoofing, such 
> >
> >
> >
> > This is primarily a reception problem, because many recipient mail 
> >
> >are not equipped to block this type of fraud. ..
> Right, and we can stop right there.
> A decent spam filter will treat a nonexistent From: domain or envelope
> bounce address as extremely suspicious and send the message into spam
> folder purgatory. If someone's filters aren't doing that, it is
> unlikely that they're paying much if any attention to DMARC, and no
> amount of fiddling with DMARC will make any difference.
> My mail server rejects anything with a non-existent bounce address at
> SMTP time and I don't think it's ever rejected anything my users would
> want.
> The solution to this problem is for mail systems to fix their filters,
> not to invent yet another mail-breaking hack that they won't use
> anyway.

Which mail breaking hack is that? Since PSD DMARC almost entirely applies 
domains that don't send mail, I don't think it breaks anything. It is in 
a tool to make hard rejects easier for receivers that don't typically 
solely due to non-existence and in part a tool to provide feedback to PSD
operators so they can understand patterns of abuse in their namespace.

As I understand it, rejecting mail from non-existent domains is a long
standing, well-known tool for receivers. I hear you saying it works for 
in your circumstances, but that doesn't mean it scales. Given that 
non-existent domains is a well established option, but not everyone does 
what basis for optimism do you have that 'fix their filters' will change

If fixing filters was enough, would anyone have bothered to publish:

$ dig txt +short

All PSD DMARC would do is make that record apply to domains lower in the 
without their own DMARC record. It's not that complicated.

Fielding of DMARC did a huge amount of damage to the e-mail ecosystem that 
not convinced it will ever fully recover from, but PSD DMARC doesn't add 

Scott K
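
An added example, not part of this thread and not code from any of the people quoted in it: an offline Python model of the two mechanisms being argued over. It implements DMARC policy discovery (exact domain, then organizational domain) with the PSD fallback Scott describes, where a record at the public suffix applies to domains lower in the tree that have no record of their own, next to the receiver-side check John Levine describes, rejecting a message whose From: domain does not exist. All domain names, DNS data, the public suffix subset and the set of participating PSDs are constructed placeholders; the `sp` handling for the PSD record is an assumption carried over from how organizational-domain records treat subdomains.

```python
"""Offline model of DMARC policy discovery with a Public Suffix Domain (PSD)
fallback, and of the nonexistent-From:-domain check discussed in the thread.
All zone data is CONSTRUCTED for illustration; nothing here touches the network.
"""
from typing import Dict, Optional, Tuple

# Constructed DNS data. Every domain is a hypothetical placeholder.
DMARC_TXT: Dict[str, str] = {
    "_dmarc.example-psd": "v=DMARC1; p=reject; rua=mailto:reports@example-psd",
    "_dmarc.agency.example-psd": "v=DMARC1; p=quarantine",
}
# Names that have some A/AAAA/MX record, i.e. that a receiver would consider to exist.
EXISTING_NAMES = {"example-psd", "agency.example-psd", "mail.agency.example-psd"}
# Constructed subset of the public suffix list.
PUBLIC_SUFFIXES = {"example-psd", "com"}
# Constructed: PSDs that publish a DMARC policy meant to cover their whole tree.
PSD_DMARC_PARTICIPANTS = {"example-psd"}


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ("tag=value; tag=value") into a dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(name: str) -> Optional[Dict[str, str]]:
    """Return the parsed _dmarc.<name> record, or None if absent or not v=DMARC1."""
    txt = DMARC_TXT.get("_dmarc." + name.lower())
    if txt is None:
        return None
    tags = parse_dmarc(txt)
    return tags if tags.get("v") == "DMARC1" else None


def public_suffix(domain: str) -> Optional[str]:
    """Longest public suffix that matches the tail of domain, or None."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def organizational_domain(domain: str) -> Optional[str]:
    """Public suffix plus one label (the RFC 7489 organizational domain)."""
    suffix = public_suffix(domain)
    if suffix is None or suffix == domain.lower():
        return None  # the name is itself a public suffix (or unknown)
    depth = len(suffix.split(".")) + 1
    return ".".join(domain.lower().split(".")[-depth:])


def discover_policy(from_domain: str, psd_dmarc: bool) -> Tuple[str, Optional[Dict[str, str]]]:
    """Find the record governing from_domain.

    Order: exact domain, then organizational domain (RFC 7489), then, when the
    receiver implements PSD DMARC, the public suffix's own record if that PSD
    participates. Returns (source, tags) with source in exact/org/psd/none.
    """
    from_domain = from_domain.lower()
    record = lookup_dmarc(from_domain)
    if record:
        return "exact", record
    org = organizational_domain(from_domain)
    if org and org != from_domain:
        record = lookup_dmarc(org)
        if record:
            return "org", record
    if psd_dmarc:
        suffix = public_suffix(from_domain)
        if suffix and suffix != from_domain and suffix in PSD_DMARC_PARTICIPANTS:
            record = lookup_dmarc(suffix)
            if record:
                return "psd", record
    return "none", None


def domain_exists(name: str) -> bool:
    """Stand-in for 'does this name have any A/AAAA/MX record?'."""
    return name.lower() in EXISTING_NAMES


def assess(from_domain: str, psd_dmarc: bool = True, reject_nonexistent: bool = False) -> str:
    """Disposition for a message that already FAILED DMARC alignment checks."""
    if reject_nonexistent and not domain_exists(from_domain):
        return "reject (nonexistent From: domain)"
    source, tags = discover_policy(from_domain, psd_dmarc)
    if tags is None:
        return "no policy (deliver)"
    # Assumption: a record inherited from a parent applies its 'sp' tag to subdomains.
    policy = tags.get("p", "none")
    if source in ("org", "psd") and "sp" in tags:
        policy = tags["sp"]
    return f"{policy} (policy from {source})"


if __name__ == "__main__":
    spoof = "fakeagency.example-psd"  # constructed: exists nowhere in the zone data
    print(assess(spoof, psd_dmarc=False))                           # no policy (deliver)
    print(assess(spoof, psd_dmarc=True))                            # reject (policy from psd)
    print(assess(spoof, psd_dmarc=False, reject_nonexistent=True))  # reject (nonexistent From: domain)
    print(assess("mail.agency.example-psd"))                        # quarantine (policy from org)
```

The three calls on the made-up `fakeagency.example-psd` name show the disagreement in the thread directly: a receiver with neither mechanism has no policy to apply, a receiver implementing PSD DMARC inherits the PSD's `p=reject`, and a receiver that already rejects nonexistent From: domains never consults DMARC for that message at all.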
