Opened 21 months ago

Last modified 15 months ago

#111 new defect

MX/A/AAAA test needs justification

Reported by: dougfoster.emailstandards@… Owned by:
Priority: major Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis Version:
Severity: - Keywords:


The MX/A/AAAA test is an appropriate tool for verifying the probable existence of a return-path based on the RFC5321.MailFrom? address. In the early days, the requirement to send and receive non-delivery reports meant that all mail systems had to participate bi-directionally. This is no longer the case. Non-delivery reports are officially discouraged, and many messages announce that the return-path is unusable with a NoReply? username. For testing RFC5321.MailFrom?, SPF is now a necessary part of the calculation, so its absence from the proposed test is baffling. Additionally, use of MX/A/AAAA as a substitute for a missing SPF policy is now discouraged in some circles.

The A/AAAA portion of the test reflects a necessary transition process to MX, but that process should be complete for any domain with enough sophistication to publish DMARC policies. As defined in RFC 5321, the A/AAAA test does not even require that the A/AAAA record be a domain-level name. We know that there are many more A/AAAA records than mail systems, so we can be certain that the test will produce false positives.

Equally important, the RFC5322.From address has no necessary connection to an actual mail server, since the From address can be used exclusively for messages sent by an EMail Service Provider (ESP) using the ESP's identity for the RFC5321.MailFrom? address. Consequently, the relevance of the MX/A/AAAA test for distinguishing between SP and NP is lacking.

In sum, the test will produce both false positives and false negatives, making its value doubtful, and it has at best a tenuous connection to the way that RFC5322.From addresses are actually used.

The replacement:
A much simpler test, which fits the problem space without false positives and false negatives, is to test for TYPE=TXT, name=FromDomain?, to see if it returns status NXDOMAIN.

Change History (2)

comment:1 Changed 21 months ago by johnl@…

The MX test is optional, and a check for TXT will produce NXDOMAIN in exactly the same situations where an MX or A or AAAA will.

There is nothing to fix here.

Last edited 21 months ago by johnl@… (previous) (diff)

comment:2 Changed 15 months ago by todd.herr@…

  • Milestone set to Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Note: See TracTickets for help on using tickets.