[dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 05 May 2021 11:28 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id DF43E3A116C for <dmarc@ietfa.amsl.com>; Wed, 5 May 2021 04:28:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id gO8Swb77Kj8G for <dmarc@ietfa.amsl.com>; Wed, 5 May 2021 04:28:25 -0700 (PDT)
Received: from mail-ot1-x32d.google.com (mail-ot1-x32d.google.com [IPv6:2607:f8b0:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9996A3A116A for <dmarc@ietf.org>; Wed, 5 May 2021 04:28:25 -0700 (PDT)
Received: by mail-ot1-x32d.google.com with SMTP id r26-20020a056830121ab02902a5ff1c9b81so1347871otp.11 for <dmarc@ietf.org>; Wed, 05 May 2021 04:28:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=13PjhmWWbVLrXmmS8ro+ouadnJDejqu7mXYjPgTfIkY=; b=gcpberZx2BRE3VZ6S9+/h/d5icnlpx9z3HNt84sTbMYwCIstoutjOg/++2WqwmDQj7 IgIUFuyOdqFs/iHXLThj+kmTdmmVeogONlppQNRn+EG2zQ3VtmbKQD0gRL0uzw1KaCw7 Q7qnCpzyU4wzT0RdLpwWnz7I72qJ9MiB/GkTzFFgKiafcmxPdcDA5ufDNOdC2RWIW9O6 4cl+C/n5ktMtqNH1KIxZwyZSfcBPnGe9htXQZ87ljCRHrxurGagRjkP4ckFo8bAZf5Wc 4nMEOQdnczlmES2kGppXvQggnjkKUcRdMakSx++n4G0v1TRMzcuWs2jZgGNmkmkSfCPl +aqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=13PjhmWWbVLrXmmS8ro+ouadnJDejqu7mXYjPgTfIkY=; b=Sr98J3zAlcvGgmXoKdf+N5F4T4UC9qqUQguI5vOurnWbXPs0732TcdCZ4K3XWJyxrY +vXb9ZhpEP8qMYSIyH2UQb4MlYQ3mT4EOK6U23XueUV9J2oHFgneZQU9UwxHjYmaea/E bGtBBUETzATPcmSjdX9+2FrgFhR8CY4TdM1uzPLtg/gaEJg9u/OIpyiVppKS1mCdlZ4w i/6v2Nw86bLwDC9AS2qMpTQKQAFsAVL85opj2uF28Awmdy0qZpIoy/eqReBbvVXyhyLC 1N9bFYMZUqLV+aUVCcaerFRXuvIbRjTKtAFNiWCqEh8jtroDwb6CGRNxjlkXSG2YTtpo uBMw==
X-Gm-Message-State: AOAM531DqirO+i/DAFy70U9VFGCc0TRQjqbyT/uIE4qP3v/4YcS4xK2D bw/1jxUNFngZmGMLeoiK1Vn1J97suXxispV5YgzbvELLIDs=
X-Google-Smtp-Source: ABdhPJw243nv7UpvUddHRIWj/FXQuFedozxJPo9dhASCj/FVg93zIk5RcjxUUkmyrzBIYd58q+zcmOSK/3USWWeGsVw=
X-Received: by 2002:a9d:30b:: with SMTP id 11mr22695485otv.298.1620214102900; Wed, 05 May 2021 04:28:22 -0700 (PDT)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 5 May 2021 07:28:12 -0400
Message-ID: <CAH48Zfw36HJ0C4owJXPowgVqwZ5eLxSwibQ6ANzryZDKO0B6dw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000010447c05c1937e0d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ramwCXjQGSnmr97HCAdOs5vadsA>
Subject: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2021 11:28:27 -0000

The MX/A/AAAA test is an appropriate tool for verifying the probable
existence of a return-path based on the RFC5321.MailFrom address. In the
early days, the requirement to send and receive non-delivery reports meant
that all mail systems had to participate bi-directionally. This is no
longer the case. Non-delivery reports are officially discouraged, and many
messages announce that the return-path is unusable with a NoReply username.
For testing RFC5321.MailFrom, SPF is now a necessary part of the
calculation, so its absence from the proposed test is baffling.
Additionally, use of MX/A/AAAA as a substitute for a missing SPF policy is
now discouraged in some circles.

The A/AAAA portion of the test reflects a necessary transition process to
MX, but that process should be complete for any domain with enough
sophistication to publish DMARC policies. As defined in RFC 5321, the
A/AAAA test does not even require that the A/AAAA record be a domain-level
name. We know that there are many more A/AAAA records than mail systems, so
we can be certain that the test will produce false positives.

Equally important, the RFC5322.From address has no necessary connection to
an actual mail server, since the From address can be used exclusively for
messages sent by an EMail Service Provider (ESP) using the ESP's identity
for the RFC5321.MailFrom? address. Consequently, the relevance of the
MX/A/AAAA test for distinguishing between SP and NP is lacking.

In sum, the test will produce both false positives and false negatives,
making its value doubtful, and it has at best a tenuous connection to the
way that RFC5322.From addresses are actually used.