On 2022-04-22 at 18:19 -0400, John R Levine wrote:
> As an experiment, I added 32K of junk to the _dmarc.johnlevine.com TXT 
> record and as far as I can tell, it's made no difference.  I still get the 
> same reports saying the same things.  DNS libraries need to use TCP to 
> fetch it but they all seem able to do that.

I wouldn't describe that as a "broken" DMARC record. I would describe
it as a perfectly legal DMARC record... with lots of unknown tags
(129), which the spec explicitly states MUST be ignored.

I can think of many ways to make a broken DMARC record, such as
"p=none"  # the "v=DMARC1" tag is mandatory and MUST appear first in the list
"v=DNARC1; p=none; rua=mailto:dmar...@abuse.net"; # invalid version
"v=DMARC1; rua=mailto:dmar...@abuse.net"; # policy tag is required
"v=DMARC1; p=burnwithfire" # invalid policy
"v=DMARC1; p=none; idontlikespam" # not a valid tag-value
"v=DMARC1; p=none; 100=pct" # not a valid tag-value
"v=DMARC1; p=reject; p=reject; p=reject; " # thrice is not a charm here
"v=DNARC1; p=none; rua=mailto:dmar...@abuse.net; rua=mailto:dmar...@abuse.net";
"v=DNARC1; p=none; 
spec=\x1F\x8B\x08\x00k\x20wb\x02\x03\xA5T\xC1n\xD40\x10\xBD\xE7\x2B\x86\x1BH\xDBU\x5B\x81\x0A\xE5T\xB5\x3DTh\xA9\xB4\xE5\x027\xC7\x99\x24C\x13\x3B\xD8\xCEn\x97\xAF\xE7\x8D\x93\xED\xB6\x20T\x21\x7CX5\xCD\xCC\xF3\x7Bo\xDE\xA4\x28\xF4\xDC\xB8\x8A\x07\xC6\x8FKt7\x96\xBD\xC4\x28\xDE\xD1Kg\xB5\xA4O\xA3m9\x98\xEDnA\xD7\xD5\xB2X\xF3\x8F\x91c\xA2\xDA\x07\xBA\xF4\x7D\x0F\xC0xNgo\xDF\x7F\x28.M\xE2\xC6\x87\xDD9\xDD8\xBC\xEEM\xC2\x15\xA6\xA3\x97\xCF\xF5\x92\xBEm\xC5\xDE\xCFw\xDC\xDC\xDD\x7D\x3E\xA7\xD3\xE3\xB3\xE3\xA3\x93\xB3\xD3\x13\xFA\xF7\xF3\xD5\xB4\xDE\xBF\x2A\xE8\xBF\xCE\xCA\x04\xDB\x82\xC6\xC9\x3B\x18x\xE5\x7B\x23\xEE\xA84\x91\x2BZq\x8C\xA6a\xBA\x18S\x0B\x03\xC4f\xA9\x0BZ\xF3\xE0C\x12\xD7\x2C\xC8\xB8\x0A\xFEL\x3E8\xCB\xF4\xFAju\xB1\xBE\x7CS\x14\x17eL\xC1\xD8T\x28\xBB\xFFDU\x88\x19\x98\x24\x92\xA1hMg\xCA\x8E\xA9g\xDB\x1A\x27\xB1\xA7rG\xDBV\x20\xC4\x10\xEE\xEA\x8E\x7C\x90F\x9CQ\x3Cm\xF7\xA1A\xDD\xCF\x7C\x15Y\xE3\x88\x1F\x86\x00\x22TM\xD4\x3A\xDEpG\x83\xEF\xC4\x0A\xC7L\x00\xEFk\x0E\x8C\xFB\xA3\xC6\x40Q\xFA\x99\xFA\xC6tR\xCD\xB4\x2B\x89\x83\x8F2\x3Dh_8\xE8H\xADI\x7BB\x81-\xCB\xE6ot\xC6\xC8\x94\x3CI\x3F\x04\xBF\xE1\xDCAPVuhXf\x0FogA\x3ED\xF25\xB2\x9788N\x18\x1FJ\x1D\xC3X\xF4\x97L\xD9\x17\xFCib\xF4V\x90U\x10\xEAD\xFF\xAB\x28J\xD0\x1C\x8CG\xD7d\x00\x89\xEE\x8C\xD4\xC2\x80\xDFJj\xF7Z\xE3\x82\x2C\xF2\x3F\xBA\x5C\xAE\x10\x07\x93J\x3F\xA6\xC7\xBAIl\xD6\xD1z\xFC\x3E\x01\x7C\xEA\xCB\xD4\x95\xCDT\xE2c\x84\xC0\x3F\x3B\x96D_Z\x8E\xAAF\x3Ax\x0B\xF8\xD6\xC0\x97\x881\x05\xECZ\xC9\x8Ek\xC1J\x2A\xD0\x3A\x3B\xAB\xC4\xD5I5\x10HT\xC3\x92\xD2\xD8\x7B\xF5b\xCA\x1F\xDDn\x9DVM\xBC\xE1Af\xEBk\xC5\xC0\x93\x84\xD9\x8B\xF8\x11\x8F\xC8\xD9\x23\xC2SX\x8C\x7E\xCC\x16\xA3N\x9A6\x1D\xD0\x26M\x0E\x5E\xE8\xD7Bg\x24yF\xA0\xEB\x07\xB0\xD6YO\xC9\xD2\xAB5\x7D\x9A-\xAD\xE3\x87\xB9n\xBA_\x81\x9C\xE9U\x3C\x08N\xD3\xCF\xE9\xC7\x7B\x18\xE1\x7CR6\xD5\xA8\xCD\x81\x00\xE2\xC7\xA0\xA9d\x84x\x1A\x29\x06\x0E\x3Fv\x28C\xE2\x3An\xF6\x2A\x9FO\x9Eu\x02\xCB\x3Dv\x5E\xAC\xC3\x3E\xE9\x87/Oz\xA7\x09OA\xCAQ\x05L\x5Ea\xD0\xEC\xD4\x85\
x08\x8D6\xB0\xD1\x29v\x3B\xD2\x3A\x9B\x1E\x83\xAB\xDA\x9E\xC7\xA3\xC6\x8D\xBF\x11\xC9\x1B\xD0\xB2\xBDGL\x82q\x8D\xF6\xD5\xC1\xF7\xD0I\xF8\x7E\xE4\xB5Jm\xF0c\x83\xDD\xEE\x60\x14W\x8A\xB0\xD7\xB8\xA0q\xD0\x11\xEFW3\xF0w\xCE\x5D\xF0\xED\x17\xC0-Q\x00\x14\x06\x00\x00"
"v=DNARC1; spec=\x1F\x8B… ; p=none"

and I would expect clients to simply ignore such records with no
adverse consequences, acting as if there were no DMARC record at all.
The spec even strongly encourages getting something out of broken
records:

> Syntax errors in the remainder of the record SHOULD be discarded in
> favor of default values (if any) or ignored outright.


Now, taken to the extreme, an overlarge record of many megabytes *might*
cause a problem, in that receivers need to have some limit. And
even if they have enough memory to spare processing such a record, an MTA
that validates DMARC during the SMTP transaction could reach an SMTP
timeout, potentially causing the messages to never arrive if that
happened on every retransmission, I guess.

Although that goes far beyond being a "broken DMARC record", into
the realm of "if I try really really hard, I _might_ be able to cause a
denial of service to myself".
I see how one could type a bad DMARC record by mistake, but doing
something like this pretty much requires that it be done on purpose.



_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss

NOTE: Participating in this list means you agree to the DMARC Note Well terms 
(http://www.dmarc.org/note_well.html)
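A tolerant parser that applies the RFC 7489 handling rules to the list of broken records in the message above (added here as an illustration; it is not code from the thread or from any DMARC implementation). It shows the three distinct outcomes a receiver ends up with: the whole record is ignored (no or wrong "v=DMARC1" as the first tag, or no usable policy), a single bad segment is dropped while the rest is honored (unknown tags, "idontlikespam", "100=pct", and a 32K pile of junk tags), and the section 6.6.3 fallback, where a record lacking a valid "p" but carrying a valid "rua" is processed as p=none rather than ignored. Assumptions, all mine and not from the RFC: the size cap is the largest RDATA a single DNS RR can carry (16-bit RDLENGTH), duplicate tags are treated as a syntax error that voids that tag so its default applies, the mailto address in the samples is made up, and only "p", "sp" and "rua" values are validated.

```python
"""Tolerant DMARC record parser, following RFC 7489 sections 6.3 and 6.6.3."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: cap at the largest RDATA a single DNS RR can carry (16-bit RDLENGTH).
# RFC 7489 sets no limit; a receiver that wants to stop earlier can lower this.
MAX_RECORD_BYTES = 65535
VALID_POLICIES = {"none", "quarantine", "reject"}
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "pct", "fo", "rf", "ri"}
_TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")          # DKIM-style tag-name
_MAILTO = re.compile(r"^mailto:[^@\s,]+@[^\s,!]+(![0-9]+[kmgt]?)?$", re.IGNORECASE)


@dataclass
class DmarcResult:
    applicable: bool                 # False: act as if no DMARC record existed
    policy: Optional[str] = None     # effective "p" after the repair rules
    rua: List[str] = field(default_factory=list)
    ignored: List[str] = field(default_factory=list)  # segments dropped
    reason: str = ""


def _valid_uris(value: str) -> List[str]:
    """Keep only syntactically valid mailto: URIs from a comma-separated rua value."""
    return [u.strip() for u in value.split(",") if _MAILTO.match(u.strip())]


def parse_dmarc(record: str) -> DmarcResult:
    if len(record.encode("utf-8")) > MAX_RECORD_BYTES:
        return DmarcResult(False, reason="record exceeds size cap")
    segments = [s.strip() for s in record.split(";")]
    if segments and segments[-1] == "":
        segments.pop()               # a trailing ";" is allowed by the ABNF
    # v=DMARC1 MUST be the first tag and the value must match exactly; otherwise
    # the whole record is ignored (tag names are ABNF strings, so case-insensitive).
    head = re.match(r"^v\s*=\s*(\S+)$", segments[0] if segments else "", re.IGNORECASE)
    if not head or head.group(1) != "DMARC1":
        return DmarcResult(False, reason="first tag is not v=DMARC1")
    tags: Dict[str, Optional[str]] = {"v": "DMARC1"}
    ignored: List[str] = []
    for seg in segments[1:]:
        name, eq, value = seg.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not eq or not _TAG_NAME.match(name):
            ignored.append(seg)      # not a tag=value at all: syntax error, drop it
        elif name not in KNOWN_TAGS:
            ignored.append(seg)      # unknown tag: MUST be ignored
        elif name in tags:
            ignored.append(seg)      # assumption: a duplicate voids the tag, default applies
            tags[name] = None
        else:
            tags[name] = value
    rua = _valid_uris(tags.get("rua") or "")
    policy = (tags.get("p") or "").lower()
    sp = tags.get("sp")
    sp_invalid = sp is not None and sp.lower() not in VALID_POLICIES
    if policy not in VALID_POLICIES or sp_invalid:
        # RFC 7489 6.6.3 step 6: with no valid "p" (or an invalid "sp"), fall back
        # to p=none if rua holds a valid URI, otherwise apply no DMARC processing.
        if rua:
            return DmarcResult(True, "none", rua, ignored, "p missing/invalid, treated as p=none")
        return DmarcResult(False, None, [], ignored, "p missing/invalid and no valid rua")
    return DmarcResult(True, policy, rua, ignored, "ok")


# Constructed sample records (the mailto address is made up) mirroring the list above.
SAMPLES = {
    "no version":       "p=none",
    "bad version":      "v=DNARC1; p=none; rua=mailto:dmarc-rua@example.net",
    "no policy":        "v=DMARC1; rua=mailto:dmarc-rua@example.net",
    "bad policy":       "v=DMARC1; p=burnwithfire",
    "bare word":        "v=DMARC1; p=none; idontlikespam",
    "numeric tag":      "v=DMARC1; p=none; 100=pct",
    "triple p":         "v=DMARC1; p=reject; p=reject; p=reject; ",
    "32K of junk tags": "v=DMARC1; p=reject; " + "; ".join(f"x{i}=junk" for i in range(4000)),
}


def classify_samples() -> Dict[str, DmarcResult]:
    return {label: parse_dmarc(rec) for label, rec in SAMPLES.items()}


if __name__ == "__main__":
    for label, res in classify_samples().items():
        print(f"{label:17} applicable={res.applicable} p={res.policy} "
              f"ignored={len(res.ignored)} ({res.reason})")
```

Running it reproduces the experiment in the quoted message: the record padded with thousands of unknown tags still yields p=reject with every junk tag in the ignored list, while a missing or misspelled "v=DMARC1", an invalid policy value, or a repeated "p" ends with no DMARC processing at all. The size cap is the only place where a deliberately oversized record is turned away before parsing.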
