#97 closed defect (wontfix)

Non-existent domains need a separate evaluation result

Reported by: dougfoster.emailstandards@… Owned by:
Priority: major Milestone: Deliverable #2 (DMARC improvements to better support indirect email flows)
Component: dmarc-bis Version:
Severity: - Keywords:


If a domain exists, the absence of an SPF or DMARC policy record indicates that the domain owner has not chosen to publish it, something that is within his right.

However, if a policy record does not exist because the domain has never been registered, there is no domain owner to have made that decision. Our current specifications fail to distinguish between these two results.

With an unregistered domain, the applicable policy defaults to the Internet name registration process, which says that everyone must register domain names before using them on the Internet. Therefore, use of unregistered names is a policy violation even though a policy record is not present.

SPF and DMARC evaluators SHOULD check for a non-existent domain when the policy record is not found, by testing for the presence of an NS record of the domain being evaluated. If no NS record is found, the result SHOULD be NXDOMAIN, with a disposition action chosen by the evaluator.

My opinion is that for SPF, NXDOMAIN should be treated as equivalent to FAIL, and for DMARC, NXDOMAIN should be treated as equivalent to Quarantine. But I don't know that our specification needs to make a recommendation.

This affects at least SPF and DMARC. It also has implications for any published but deprecated protocols such as ADSP and ATSP.
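An added example, not part of the ticket or of any specification: a sketch of the evaluation order proposed above (policy record first, NS test only when none is found), run against a stub resolver over constructed DNS data. The names `lookup`, `evaluate`, `disposition` and every record shown are hypothetical, and DMARC's organizational-domain fallback is omitted.

```python
# Constructed DNS data, no network access: name -> {rrtype: [rdata]}.
# All names and records below are made up for the example.
ZONE = {
    "example.com": {"NS": ["ns1.example.com."], "TXT": ["v=spf1 mx -all"]},
    "_dmarc.example.com": {"TXT": ["v=DMARC1; p=reject"]},
    "nopolicy.example": {"NS": ["ns1.nopolicy.example."],
                         "TXT": ["some-verification=abc"]},
    "host.example.com": {"A": ["192.0.2.10"]},  # exists, but is not a zone cut
}

# Where each mechanism publishes its record, and the version tag identifying it.
MECHANISMS = {
    "spf": (lambda d: d, "v=spf1"),
    "dmarc": (lambda d: "_dmarc." + d, "v=DMARC1"),
}


def lookup(name, rrtype, zone=ZONE):
    """Hypothetical resolver stub: rdata list, empty when no such RRset."""
    return zone.get(name.lower().rstrip("."), {}).get(rrtype, [])


def evaluate(domain, mechanism, resolve=lookup):
    """Return 'policy', 'none' (domain exists, nothing published) or 'nxdomain'."""
    owner, tag = MECHANISMS[mechanism]
    records = [r for r in resolve(owner(domain), "TXT")
               if r == tag or r.startswith((tag + " ", tag + ";"))]
    if records:
        return "policy"
    # The ticket's test: only when no policy record is found, look for NS.
    if resolve(domain, "NS"):
        return "none"
    return "nxdomain"


# Evaluator-chosen dispositions. These values mirror the reporter's stated
# opinion in the ticket; they are not taken from any specification.
DISPOSITION = {("spf", "nxdomain"): "fail", ("dmarc", "nxdomain"): "quarantine"}


def disposition(domain, mechanism, resolve=lookup):
    """Map the evaluation result to the evaluator's chosen action."""
    result = evaluate(domain, mechanism, resolve)
    return DISPOSITION.get((mechanism, result), result)
```

In this data `host.example.com` has an A record but no NS RRset of its own, so the literal NS test reports it as `nxdomain`; an evaluator applying the check has to account for names that sit below a zone cut.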

Change History (1)

comment:1 Changed 16 months ago by todd.herr@…

  • Resolution set to wontfix
  • Status changed from new to closed

This appears to be outside the scope of the working group charter.

It is not the responsibility of DMARC, or SPF, or other protocols to determine whether or not a domain exists; DMARC and SPF are correctly limited in their function to operating on specific policy records as published (or not) by the domain owners.

It is my personal opinion that the test for existence of a domain used in either the MAIL FROM command or the RFC5322.From header can and should be done prior to the check for an SPF or DMARC record, and that if a domain is found to be non-existent, mail should be refused at that point on the theory that there's no point in accepting mail to which one cannot reply. However, that's a policy decision that each mailbox provider is free to make, policy that would be part of a general anti-abuse posture, not one specific to DMARC or SPF.
