My expectations of what is feasible have collapsed greatly. My numbers
were unique domains.
I was hoping that the boundary between existent and non-existent would
align along a natural boundary, and as a result would require little or no
effort for domain owners to ensure that their legitimate mail was in the
"existent" category. If so, the NP=reject policy could be deployed
early. Instead, it seems that ensuring "existence" becomes just another
burden on the DMARC implementation process, and NP=reject will be the final
step in the deployment process.
Because we do not have a natural boundary, we need to create a signalling
system to define the SP/NP boundary. The signal must be purposefully
implemented by the domain owner, so any signalling system could be chosen.
MX/A/AAAA has an obvious advantage, because pre-existing compliance rates
are high. But when MX/A/AAAA records do not exist, they do not exist
because an ESP-based mail source does not need them. Any invented
MX/A/AAAA record will need an IP address, but the choice of IP address
becomes arbitrary and possibly problematic. MX, A, AAAA, and SPF are all
used to communicate meaning into the SMTP context, so we may have
unexpected consequences from adding one of those records where they are not
needed.
Consequently, I think the search list should be MX/A/AAAA/TXT. The
TXT record content seems unimportant, and it could be as simple as
TXT="This Domain Exists". The domain owner simply needs a way to provide
an "existent" signal without affecting other functions. TXT seems like the
appropriate way to do this.
Doug Foster
On Tue, May 25, 2021 at 3:39 PM Murray S. Kucherawy <[email protected]>
wrote:
> On Sun, May 23, 2021 at 12:25 PM Douglas Foster <
> [email protected]> wrote:
>
>> [...]
>> 145 of 169 (86%) of non-verified domains had MX or A records,
>> Of the 24 without MX or A records, 23 were spam and 1 was legitimate
>> For 20 of the 24, SPF on the From address returned NXDomain and were
>> obvious spam without checking NS
>> All of the remaining 4 domains had NS records
>>
>
> I believe this means that for 2.4% of the non-verified domains, or 0.65%
> of the total domains, the proposed NS check yielded useful signal beyond
> the standard checking of MX/A/AAAA.
>
> One surprise for me:
>> NS lookup on email3.reachmd.com returns NXDomain, but NS lookup on
>> sg.email3.reachmd.com returns NS data.
>> I thought that the existence of a subdomain would be sufficient for a
>> domain to return NS data.
>>
>
> Right, it isn't.
>
> Summary:
>> - MX/A produced 11 false positives
>>
>
> Is that 11 false positive messages, or 11 false positive unique domains?
> If the former, we're talking about around 0.3%. If the latter, we're
> talking about 1.8%.
>
> So based on the data you collected, what conclusion are you proposing?
>
> -MSK
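To make the SP/NP boundary discussed in this thread concrete, here is an added example (not code from the thread or from any DMARC implementation) that applies the proposed MX/A/AAAA/TXT search list to decide whether a From domain is "existent", and then picks the p, sp or np policy tag accordingly. The zone table, the DMARC record and the stub resolver are constructed, and the np -> sp -> p fallback order is assumed from the dmarcbis draft's tag defaults.

```python
# Added example: MX/A/AAAA/TXT existence test and p/sp/np policy selection.
# ZONE and the lookup() stub are constructed stand-ins for a real resolver.

EXISTENCE_RRTYPES = ("MX", "A", "AAAA", "TXT")

# Constructed answers: name -> {rrtype: [rdata]}. A name absent from the
# table is treated as NXDOMAIN; a present name lacking the type is NODATA.
ZONE = {
    "example.com":        {"MX": ["10 mail.example.com"], "A": ["192.0.2.10"]},
    "mail.example.com":   {"A": ["192.0.2.10"]},
    "esp.example.com":    {"TXT": ["This Domain Exists"]},  # ESP source, no MX/A
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=none; sp=quarantine; np=reject"]},
}


def lookup(name, rrtype):
    """Stub resolver: None means NXDOMAIN, [] means NODATA, else the RRset."""
    rrsets = ZONE.get(name.lower().rstrip("."))
    if rrsets is None:
        return None
    return rrsets.get(rrtype, [])


def domain_exists(domain, resolve=lookup):
    """A domain is 'existent' if any record type in the search list is present."""
    return any(resolve(domain, rrtype) for rrtype in EXISTENCE_RRTYPES)


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict (keys and values lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def applicable_policy(from_domain, org_domain, resolve=lookup):
    """Return the policy tag that applies: p for the org domain itself,
    sp for an existent subdomain, np for a non-existent subdomain
    (assumed fallback: np -> sp -> p when a tag is absent)."""
    records = resolve("_dmarc." + org_domain, "TXT") or []
    tags = parse_dmarc(next((r for r in records if r.startswith("v=DMARC1")), ""))
    p = tags.get("p", "none")
    if from_domain.lower() == org_domain.lower():
        return p
    sp = tags.get("sp", p)
    if domain_exists(from_domain, resolve):
        return sp
    return tags.get("np", sp)
```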
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc