Re: [dmarc-ietf] NXDOMAIN
Todd Herr <todd.herr@valimail.com> Fri, 09 April 2021 13:09 UTC
Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21CCE3A209E for <dmarc@ietfa.amsl.com>; Fri, 9 Apr 2021 06:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHNyv7N3BzQg for <dmarc@ietfa.amsl.com>; Fri, 9 Apr 2021 06:09:17 -0700 (PDT)
Received: from mail-qk1-x72a.google.com (mail-qk1-x72a.google.com [IPv6:2607:f8b0:4864:20::72a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B823A209B for <dmarc@ietf.org>; Fri, 9 Apr 2021 06:09:17 -0700 (PDT)
Received: by mail-qk1-x72a.google.com with SMTP id b139so302949qkc.10 for <dmarc@ietf.org>; Fri, 09 Apr 2021 06:09:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=anZ/AMLGn29OhevKuDu1hTkmY0KAH/VdAzg07iqzFuQ=; b=ctSQeOHleBqqAWyafRgfdY/tFyXb0I+TyU6BWoKOptq9ITbGSv4zfhlgdGmDR2NoKB ZK+HPZi4jprYLcXNpbS4x/Ess6rcx62Lk5ESUoVNqkHBk2PRmSNpAoiou8B+p5rJIyxC Htl6KqikElLmvyvANGs5sCUtS1LHT1GVjs7kNZPDtAcPjQdLL+gn6hdE8av5FuVY6XQC bDNJOn9kUd1q9EkQlQMwRkkyyKszfmFUgA+BNwcKJ64xd4nHFxBkAVpxyMJ16zL2cMsD iOop+oyxmM7a5WPbscCcEqdWvez+7sK3cV+zUUReSBAzc+jVHQyL0U45Uovft9KqI5GI ExpA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=anZ/AMLGn29OhevKuDu1hTkmY0KAH/VdAzg07iqzFuQ=; b=fZ38h+Yl+JfgPvaFxDGa2cF+0dJGtnYrnnMLjYXjHfXykuZqAp9NFTUPaeYhbSmZQq 9Hje9hSEXHVwrUHLgDvWkTb/M5/PfwNAuDEMVjhkCEA8JWEY12UPa3kprTj8W3UqrklK EXyBm5aZPjUhJ8p3Dmg9Ho+xtNGs5tkebtYODNf4uvXKau8tMMq2R+J4dEuPqvI0zJjV Eixm57hMYMAA2sxFht36MmfdPdfes4Do+diqrgpzl4SRdybpZGcyTPAzdKeO5howEPgb e1DYB3YJF+bhrfQG+RkvI3os7IxBlTcesB2YwCIDFMCILZG0dKbL5O2QvXOhmn3BXRC6 6Gxg==
X-Gm-Message-State: AOAM530GxcR9vmrK8qor8Fb6pLLPKPDlyS9tUxcC9kByR51HBonIsR7t L66EJqU0KMijKIIRN0+9PYutbdTI4Bpme8ay498rgqlOJdeIqw==
X-Google-Smtp-Source: ABdhPJzNyVz0fII33UUcjaxpCxK+7VAVY0UQ48JMQfUpVQThJLmJZ/UuhtHteVFcd5/ccSRBzt8DPrJQE87GqX1b2v8=
X-Received: by 2002:a05:620a:1388:: with SMTP id k8mr7318517qki.387.1617973754756; Fri, 09 Apr 2021 06:09:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwYr+w1hjV3Wez6xd96OmmXjYU3D=-4+2qfCxkQ5TVA+Ww@mail.gmail.com> <20210408182948.5E4AF7282ACE@ary.qy> <CAH48ZfxM5DgDds1-wHiXMSfSAoT3+rSL_L4wbADtLz=JQ9QU=w@mail.gmail.com>
In-Reply-To: <CAH48ZfxM5DgDds1-wHiXMSfSAoT3+rSL_L4wbADtLz=JQ9QU=w@mail.gmail.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Fri, 09 Apr 2021 09:08:58 -0400
Message-ID: <CAHej_8kNa89c_wvo71Vd7as1SrF5xv0a78J0PVE5wyi-Ybizrg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e8923005bf89dec7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rk6I5sK8O2t1evFpTQq144hpIZ8>
Subject: Re: [dmarc-ietf] NXDOMAIN
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Apr 2021 13:09:22 -0000
On Thu, Apr 8, 2021 at 4:51 PM Douglas Foster < dougfoster.emailstandards@gmail.com> wrote: > DNS Examples that Murray requested, which should also addresses John's > question about relevance to DMARC: > > nslookup > > set type=txt > > > > _dmarc.junk.thisisjunk.com > *** <server> can't find _dmarc.junk.thisisjunk.com: Non-existent domain > > Domain has no DMARC policy. > Is this because it chose not to deploy one, or because it does not exist? > That answer requires a second query. > > > junk.credcontrol.com > *** <server> can't find junk.credcontrol.com: Non-existent domain > > The TXT query demonstrates that this is a non-existent domain, and > therefore not under the full administrative control of any parent domain. > The message is DMARC NOT_VERIFIED even if domain alignment occurs with a > DKIM signature or SPF PASS. Since there is no domain-level policy record, > disposition depends on local policy related to non-existent domains and > this particular domain name. The organizational policy record may be > useful if its requested action is more stringent than the local policy > default action for non-existent domains. > > > junk.thisisjunk.com > *** <server> can't find junk.thisisjunk.com: Non-existent domain > > Domain has no DMARC policy. > Is this because it chose not to deploy one, or because it does not exist? > That answer requires a second query. > > >thisisjunk.com > primary name server = ns1.dreamhost.com > responsible mail addr = hostmaster.dreamhost.com > serial = 2018071003 > refresh = 19193 (5 hours 19 mins 53 secs) > retry = 1800 (30 mins) > expire = 1814400 (21 days) > default TTL = 14400 (4 hours) > > The TXT query demonstrates that the domain exists. This is true whether > the result returns data or NODATA, and in this case the result is NODATA. > The message can be DMARC-verified using domain alignment to a DKIM > Signature or SPF PASS. > > Doug Foster > > > I think you may have a cut and paste error here: > junk.thisisjunk.com *** <server> can't find junk.thisisjunk.com: Non-existent domain Domain has no DMARC policy. Is this because it chose not to deploy one, or because it does not exist? That answer requires a second query. The above isn't a query for a DMARC policy record. To your larger point though and your claim of a second query being required to determine if a domain exists if there is no published DMARC policy, I think you've got the order of the queries exactly backward. My expectation for any policy rules that are based on a domain's existing and/or a domain having published an MX or A/AAAA record is that such queries will be done *before* any attempt to suss out a DMARC policy record and perform DMARC validation checks, not after. For example: 1. Client connects to my server. At this point I know the source IP of the client, and so I can apply any policy rules I may have in place for the source IP, such as rejecting the connection due to the IP's being blocked, refusing the connection if the IP has no corresponding PTR record, refusing the connection if the PTR record matches a pattern of names from which I don't want to accept mail (such as the naming pattern being generic or indicating that it's dynamic space), perhaps throttling the connection based on a lack of FCrDNS for the IP or other rules based on local reputation data known about the IP. 2. If the connection is still open, the client issues a MAIL FROM command. At this point I now have a domain (RFC5321.From) and I can run checks to make sure the domain exists in the DNS and publishes either an MX or A/AAAA record and do any DNSBL lookups for the domain. I can also, if I wish, do the SPF check here and reject if there's a failure and the record ends in "-all". 3. If the connection is still open, the client issues one or more RCPT TO commands. I can answer "250 ok" or "550 5.1.1 user unknown" as appropriate. 4. If the client has exhausted its RCPT TO commands and has gotten "250 ok" in response to at least one of them, then it will issue a DATA command, and I can respond "ok" if I still potentially want to accept a message from this connection. 5. Client transmits the message, ends with "." 6. Before I reply with "ok", I will definitely do step 1 below, and might do either or both of steps 2 and 3: 1. Test for existence of the RFC5322.From domain in DNS and do any DNSBL lookups on the domain. 2. Run the message through an anti-spam filtering engine, if I'm the type to reject mail based on its content. If instead I'd just route it to the spam folder if the engine says it's spam, I may do this step at a layer closer to my message delivery/storage layer. 3. Do DMARC validation checks, if I'm the type to honor a domain's published policy and reject mail that fails DMARC checks if that's what the policy asks me to do. If instead I'm the type to apply a quarantine disposition to anything with p=reject or p=quarantine, I might accept the message so that the connection can be closed and I can do DMARC processing at a layer closer to my message delivery/storage layer. Now, I could be wrong here, but I've always viewed DNS queries as computationally cheaper than content scanning and DKIM hash validation (note that I'm going to do DKIM hash validation regardless of the existence of a DMARC policy record, but it's all a matter of where in my infrastructure I do the validation). DNS queries that allow me to make an immediate yes/no decision on message acceptance (IP or domain on block list, domain exists and has an MX or A/AAAA record) get done before DNS queries that might cause me to do more work. A DNS query for a DMARC record can result in additional work for me if the DMARC policy record exists, not just going through the validation steps but also recording the results in the data store that supports my reporting engine, so I'm going to do that one last, not first. But that's just me. -- *Todd Herr* | Sr. Technical Program Manager *e:* todd.herr@valimail.com *m:* 703.220.4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- Re: [dmarc-ietf] NXDOMAIN John Levine
- [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Tim Wicinski
- Re: [dmarc-ietf] NXDOMAIN Grant Taylor
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Grant Taylor
- Re: [dmarc-ietf] NXDOMAIN Laura Atkins
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Kurt Andersen (b)
- Re: [dmarc-ietf] NXDOMAIN John Levine
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Murray S. Kucherawy
- Re: [dmarc-ietf] NXDOMAIN John Levine
- Re: [dmarc-ietf] NXDOMAIN Jan Bouwhuis (DMARC)
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster
- Re: [dmarc-ietf] NXDOMAIN Todd Herr
- Re: [dmarc-ietf] NXDOMAIN Douglas Foster