Opened 9 months ago

Last modified 3 months ago

#112 new defect

MX/A/AAAA needs definition

Reported by: dougfoster.emailstandards@…
Owned by:
Priority: minor
Milestone: Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide
Component: dmarc-bis
Version:
Severity: -
Keywords:
Cc:

Description

If we use the MX/A/AAAA test, it needs a formal definition.

The dilemma

  • If we mandate more detailed checks, we add complexity which hurts throughput.
  • If we take no position, we hinder interoperability.
  • If we say MUST NOT check, we provide guidance about how to defeat the test with false positives.

Below are the algorithm details that should be addressed.

For MX lookup:
Is the condition satisfied if at least one MX record exists, or do we need to examine contents?
If we examine contents, do we only look at host name formats, or do we resolve it to an IP address?
If we resolve to an IP address, do we check for non-routable addresses (loopback, private, multicast)?
If we resolve to an IP address, and all of the returned addresses are in a different address space than the source IP, is the condition satisfactory or failed? If failed, do we proceed to the A lookup or stop?

For A/AAAA lookup:
The A/AAAA test will generate a lot of false positives. Do we accept that DMARC-publishing domains will still be using Implicit MX, or do we create an expectation, for purposes of this test, that DMARC-publishing domains will use only MX records?
Do we check just the address space that matches the source IP, or both IPv4 and IPv6?
Do we check the returned IP for non-routable addresses?

For an A record that is not equal to a DNS domain:
Do we check the host name to determine whether it is a domain name or a host record within a parent domain?
If the host name is determined to be a host record within a parent domain, is the domain DMARC policy determined by the host name (which will produce No Policy Found) or is the DMARC policy lookup applied to the parent domain of the host record?
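
An added example, not part of the ticket or of any DMARC specification text: the MX questions above are read as four increasingly strict interpretations and run against constructed DNS answers, so the same domain can be seen passing or failing depending on which interpretation a receiver implements. The zone data, the level names and the `mx_test` helper are assumptions made for illustration; the A/AAAA fallback is left out.

```python
import ipaddress

# Constructed DNS answers (no real lookups); documentation address ranges stand in
# for routable hosts. All names and the four level names are hypothetical.
ZONE = {
    "good.example": {"MX": ["mx.good.example"]},
    "mx.good.example": {"A": ["198.51.100.25"]},
    "dangling.example": {"MX": ["nohost.dangling.example"]},
    "loop.example": {"MX": ["mx.loop.example"]},
    "mx.loop.example": {"A": ["127.0.0.1"]},
    "v6only.example": {"MX": ["mx.v6only.example"]},
    "mx.v6only.example": {"AAAA": ["2001:db8::25"]},
}
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
LEVELS = ("exists", "resolves", "routable", "same_family")

def lookup(name, rtype):
    return ZONE.get(name, {}).get(rtype, [])

def non_routable(addr):
    # The three classes the ticket names: loopback, private, multicast.
    return (addr.is_loopback or addr.is_multicast
            or any(addr.version == n.version and addr in n for n in PRIVATE))

def mx_test(domain, level, source_ip):
    """Return True if `domain` passes the MX test at the given strictness level."""
    src = ipaddress.ip_address(source_ip)
    targets = lookup(domain, "MX")
    if not targets:
        return False
    if level == "exists":          # at least one MX record exists
        return True
    addrs = [ipaddress.ip_address(a) for t in targets
             for rtype in ("A", "AAAA") for a in lookup(t, rtype)]
    if level == "resolves":        # an MX target resolves to some address
        return bool(addrs)
    usable = [a for a in addrs if not non_routable(a)]
    if level == "routable":        # ...and at least one address is routable
        return bool(usable)
    # same_family: a routable address in the source IP's address space
    return any(a.version == src.version for a in usable)

def verdicts(domain, source_ip="203.0.113.7"):
    return {lvl: mx_test(domain, lvl, source_ip) for lvl in LEVELS}

if __name__ == "__main__":
    for d in ("good.example", "dangling.example", "loop.example", "v6only.example"):
        print(d, verdicts(d))
```
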

Change History (2)

comment:1 Changed 8 months ago by johnl@…

This is the same as 110 and 111. The MX test is optional, whether to use A/AAAA fallback is out of scope.

The last questions make no sense. I don't understand what a "host record" is supposed to be, and domain names are domain names, and "parent domain" means nothing here. The way that DMARC looks for a record and falls back to the Organizational domain if none is found is well defined.

There is nothing to fix here.

comment:2 Changed 3 months ago by todd.herr@…

  • Milestone set to Deliverable #3 (changes to DMARC base spec + DMARC Usage Guide