Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification

Douglas Foster <> Fri, 07 May 2021 16:05 UTC

From: Douglas Foster <>
Date: Fri, 7 May 2021 12:05:36 -0400
Message-ID: <>
To: Todd Herr <>

I objected vigorously during the PSD review, but the Area Director directed
me to defer the discussion so the experiment could move forward.

Nonetheless, repeating inadequate language does not render it adequate.

Separating NP from SP should enable a significant improvement in threat
management if we can get the test right.  Unfortunately, a test that is
prone to both false positives and false negatives does not serve the
purpose well, especially if those problems are swept under the rug rather
than being articulated.

On Fri, May 7, 2021, 10:55 AM Todd Herr <todd.herr=> wrote:

> On Thu, May 6, 2021 at 11:13 PM Douglas Foster <> wrote:
>> This is about
>> Section 3.8. Non-existent Domains
>>    For DMARC purposes, a non-existent domain is a domain for which there
>>    is an NXDOMAIN or NODATA response for A, AAAA, and MX records.  This
>>    is a broader definition than that in [RFC8020].
>> My argument is that A/AAAA/MX has no useful relevance to determining whether the RFC5322.FROM address of a message should be evaluated based on SP or NP.  NP is described as testing "non-existent", rather than "possibly able to receive mail".  We need a test that evaluates whether the domain exists or not, and is maximally protected from false positives caused by host names and wildcards.
>> If this group is convinced that A/AAAA/MX is meaningful for the distinction between SP and NP, I am asking someone to provide the justification and define the algorithm.  Right now I have seen neither.
> For what it's worth, the text in question was copied directly from
> draft-ietf-dmarc-psd
> <>  (Section 2.7 of
> that document, to be precise). As I understand it, draft-ietf-dmarc-psd
> imposes some requirements on the text in DMARCbis, and so to support
> satisfying those requirements, other bits of text were imported, too.
> --
> *Todd Herr* | Sr. Technical Program Manager
> *e:*
> *m:* 703.220.4153
> _______________________________________________
> dmarc mailing list
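The following is an added illustration, not part of the thread or of any DMARC implementation. It models the Section 3.8 test exactly as quoted (a domain is "non-existent" when A, AAAA and MX all come back NXDOMAIN or NODATA) next to a narrower NXDOMAIN-only test in the RFC 8020 sense, and runs both against a constructed in-memory zone so the two behaviours can be compared offline. The zone contents, the `lookup` resolver stub and its simplified RFC 4592 wildcard synthesis are all assumptions made for the example; a real evaluator would query DNS and must also handle SERVFAIL, truncation and DNSSEC state, which this stub does not.

```python
from typing import Dict, List, Tuple

# Constructed sample zone for the example (not real DNS data):
# owner name -> {rtype: [rdata, ...]}
ZONE: Dict[str, Dict[str, List[str]]] = {
    "example.com":         {"MX": ["10 mail.example.com"], "A": ["192.0.2.10"]},
    "mail.example.com":    {"A": ["192.0.2.25"]},
    "_dmarc.example.com":  {"TXT": ["v=DMARC1; p=reject; sp=reject; np=reject"]},
    "txtonly.example.com": {"TXT": ["site-verification-token"]},   # exists, but no A/AAAA/MX
    "*.wild.example.com":  {"A": ["192.0.2.99"]},                  # wildcard address record
}

Answer = Tuple[str, List[str]]   # (rcode, rdata); rcode is NXDOMAIN, NODATA or DATA


def name_exists(zone: Dict[str, Dict[str, List[str]]], name: str) -> bool:
    """A name exists if it owns any RRset or is an empty non-terminal
    (i.e. some owner name in the zone lies below it)."""
    if name in zone:
        return True
    suffix = "." + name
    return any(owner.endswith(suffix) for owner in zone)


def lookup(zone: Dict[str, Dict[str, List[str]]], name: str, rtype: str) -> Answer:
    """Resolver stub. Returns NXDOMAIN when the name does not exist at all,
    NODATA when it exists but has no RRset of the requested type, DATA otherwise.
    Wildcard synthesis follows RFC 4592 in simplified form: find the closest
    existing ancestor (closest encloser) and use its '*' child if present."""
    if name_exists(zone, name):
        rrs = zone.get(name, {}).get(rtype)
        return ("DATA", rrs) if rrs else ("NODATA", [])
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if name_exists(zone, ancestor):
            wildcard = "*." + ancestor
            if wildcard in zone:
                rrs = zone[wildcard].get(rtype)
                return ("DATA", rrs) if rrs else ("NODATA", [])
            return ("NXDOMAIN", [])
    return ("NXDOMAIN", [])


def is_nonexistent_dmarcbis(zone: Dict[str, Dict[str, List[str]]], name: str) -> bool:
    """The Section 3.8 test as quoted in the thread: non-existent iff every one
    of A, AAAA and MX yields NXDOMAIN or NODATA."""
    return all(lookup(zone, name, t)[0] in ("NXDOMAIN", "NODATA") for t in ("A", "AAAA", "MX"))


def is_nonexistent_nxdomain_only(zone: Dict[str, Dict[str, List[str]]], name: str) -> bool:
    """Narrower test in the RFC 8020 sense: the name is non-existent only when
    the resolver answers NXDOMAIN. A NODATA answer means the name exists."""
    return lookup(zone, name, "A")[0] == "NXDOMAIN"


def policy_tag(zone: Dict[str, Dict[str, List[str]]], subdomain: str) -> Dict[str, str]:
    """For a From: domain that is a subdomain of the organizational domain, report
    which policy tag each test would select: 'np' for non-existent, else 'sp'."""
    return {
        "section_3_8":   "np" if is_nonexistent_dmarcbis(zone, subdomain) else "sp",
        "nxdomain_only": "np" if is_nonexistent_nxdomain_only(zone, subdomain) else "sp",
    }


if __name__ == "__main__":
    for candidate in ("nosuch.example.com",           # NXDOMAIN: np under both tests
                      "txtonly.example.com",          # TXT only: np under 3.8, sp under NXDOMAIN-only
                      "mail.example.com",             # a host with an A record: sp under both
                      "anything.wild.example.com"):   # wildcard-synthesised A: sp under both
        print(f"{candidate:28s} {policy_tag(ZONE, candidate)}")
```

The `txtonly.example.com` row is where the two definitions diverge: the name exists (NODATA, not NXDOMAIN), yet the Section 3.8 test treats it as non-existent because it has no A, AAAA or MX. The `anything.wild.example.com` row shows the wildcard effect raised in the thread: any label under `wild.example.com` receives a synthesised A record, so neither test can distinguish a configured name from an arbitrary one beneath the wildcard.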