On Sunday, September 29, 2019 8:05:07 AM EDT Jane Moneypenny wrote:
> Regarding:
> 2.6. Non-existent Domains
> For DMARC purposes, a non-existent domain is a domain for which there is an
> NXDOMAIN or NODATA response for A, AAAA, and MX records.
> 
> Comments:
> - sometimes a domain used for mailing purposes does not have a MX record - I
> am not sure if 'and' is appropriate word here, - question: what if there is
> a CNAME record?,

Yes.  The way it's written, if any of A, AAAA, or MX give some answer other 
than NXDOMAIN or NODATA, then the domain exists.  As previously discussed 
during WGLC, CNAMEs would be followed prior to such a determination, so the 
existence check would, correctly, be for the target of the CNAME, no issue.

> - email receivers could/should perform reverse DNS lookup, however they do
> not - as a result, an email from (both: Envelope and Mail from), is
> accepted by the MTAs, - today, an email ‘from’ (Envelope and Mail) NXDOMAIN
> is accepted by vast majority of MTAs, and SPF check result is “spf=neutral”
> (in general), same with non-existent sub-domains (even if there is DMARC in
> place a message from non-existent sub-domain could be successfully
> delivered).
> 
> There is a solution for non-existent subdomains: Wildcard SPF. Wildcard SPF
> covers sub-domains (if there is no other RR for such sub-domain), and (in
> general) it works with DMARC. For example:
> *.example.com IN TXT v=spf1 -all
> together with
> example.com IN TXT v=DMARC1; p=reject;
> Covers each and every NX-sub-domain, and it works pretty well.
> 
> Currently proposed solution, even with the 'np' tag, may not work. It could
> be rather fatally flawed.
> 
> That being said, we should consider (for PSDs) a solution similar to a
> Wildcard SPF, if we want PSD-DMARC to work as it should.
> 
> And, because a Wildcard SPF is a TXT record - not A, AAAA, or MX - it does
> not mess with the definition (2.6. Non-Existent Domains).

We have also discussed making broader recommendations on email processing 
behavior and concluded they were out of scope.  Wildcards aren't so simple.  
The DMARC record for example.com isn't published at example.com.  It's 
published at _dmarc.example.com and you can't wildcard _dmarc.*.example.com.

Scott K
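[Editor's note: the following is an added worked example, not part of the thread above and not code from the PSD DMARC draft. It is a toy resolver over a small constructed zone that applies the section 2.6 test (A, AAAA and MX all NXDOMAIN or NODATA, CNAMEs followed first) and answers queries with RFC 4592 wildcard matching, so the behaviour of a "*.example.com" TXT record, and of a literal "_dmarc.*.example.com" owner name, can be seen concretely. The zone contents, names and addresses are made up for the example.]

```python
"""Toy DNS lookup over an in-memory zone, illustrating the "non-existent
domain" test of section 2.6 and RFC 4592 wildcard matching.

Added example for the thread; the zone below is constructed and does not
describe any real domain.
"""

NXDOMAIN = "NXDOMAIN"
NODATA = "NODATA"
NOERROR = "NOERROR"

# Constructed zone: owner name -> {rtype: [rdata, ...]} (names are absolute).
ZONE = {
    "example.com.": {"A": ["192.0.2.1"], "MX": ["10 mail.example.com."]},
    "mail.example.com.": {"A": ["192.0.2.25"]},
    "_dmarc.example.com.": {"TXT": ["v=DMARC1; p=reject"]},
    "www.example.com.": {"CNAME": ["mail.example.com."]},
    "sub.example.com.": {"MX": ["10 mail.example.com."]},
    # Wildcard SPF as proposed in the thread: a leftmost '*' label is a wildcard.
    "*.example.com.": {"TXT": ["v=spf1 -all"]},
    # '*' that is not the leftmost label is an ordinary literal label (RFC 4592).
    "_dmarc.*.example.com.": {"TXT": ["v=DMARC1; p=reject"]},
}


def _name_exists(name):
    """RFC 4592: a name exists if it owns RRs or is an empty non-terminal
    (i.e. some name below it owns RRs)."""
    return any(owner == name or owner.endswith("." + name) for owner in ZONE)


def _closest_encloser(name):
    """Longest existing ancestor of name (never the root, for this toy zone)."""
    labels = name.split(".")
    for i in range(1, len(labels) - 1):
        candidate = ".".join(labels[i:])
        if _name_exists(candidate):
            return candidate
    return None


def lookup(name, rtype, _depth=0):
    """Return (status, [rdata...]).  Follows CNAME chains and synthesises
    wildcard answers only from '*.<closest encloser>'."""
    if _depth > 8:
        raise RuntimeError("CNAME chain too long")
    rrsets = ZONE.get(name)
    if rrsets is None:
        if _name_exists(name):
            return NODATA, []  # empty non-terminal: exists, owns nothing
        ce = _closest_encloser(name)
        rrsets = ZONE.get("*." + ce) if ce else None
        if rrsets is None:
            return NXDOMAIN, []
    if "CNAME" in rrsets and rtype != "CNAME":
        return lookup(rrsets["CNAME"][0], rtype, _depth + 1)
    if rtype in rrsets:
        return NOERROR, list(rrsets[rtype])
    return NODATA, []


def domain_exists(name):
    """Section 2.6: non-existent only if A, AAAA and MX are all NXDOMAIN or
    NODATA.  A wildcard TXT record does not make a name exist here."""
    for rtype in ("A", "AAAA", "MX"):
        status, _ = lookup(name, rtype)
        if status not in (NXDOMAIN, NODATA):
            return True
    return False


def dmarc_record(domain):
    """Fetch the DMARC policy record published at _dmarc.<domain>, if any."""
    _, txts = lookup("_dmarc." + domain, "TXT")
    for txt in txts:
        if txt.startswith("v=DMARC1"):
            return txt
    return None


if __name__ == "__main__":
    for d in ("example.com.", "www.example.com.", "foo.example.com.", "sub.example.com."):
        state = "exists" if domain_exists(d) else "non-existent"
        print(f"{d:22} {state:13} DMARC: {dmarc_record(d)}")
    print("_dmarc.foo.example.com. TXT ->", lookup("_dmarc.foo.example.com.", "TXT"))
    print("_dmarc.sub.example.com. TXT ->", lookup("_dmarc.sub.example.com.", "TXT"))
```

Running it shows the two points in play: foo.example.com. is non-existent under section 2.6 even though the SPF wildcard answers its TXT query, and a query for _dmarc.foo.example.com. is answered by the *.example.com. wildcard (with the SPF text, not a DMARC record) only while foo.example.com. has no records of its own; once a name such as sub.example.com. exists, _dmarc.sub.example.com. returns NXDOMAIN, and the literal _dmarc.*.example.com. owner is only reached by asking for that exact name.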



_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc