Hi Jan,
We have noticed a similar issue with CNAME that is used by some of the
vendors. However, we have not fully concluded if this is the issue of
the software, as the RFC stipulates that TXT records should be used.
https://tools.ietf.org/html/rfc7489#section-6.1
KR,
Tonu
CERT-EE
On 02.03.2021 09:49, jbouwh wrote:
Hi all,
I am new to this list, and will give a short introduction to myself.
I work for the Dutch government as an IT architect. One of my goals is
improving mail security.
As the Dutch government we commit to comply with the SPF, DKIM, DMARC, DANE and
IPv6 standards.
With this we are challenged to keep the technical environment manageable.
Some of our government IT partners use CNAME records to refer to DMARC
templates, and we are planning to use the same technique. Using
templates makes it easier to maintain DNS records.
For private purposes I am running my own mail server using opendmarc
together with postfix, amavis, spamassassin, opendkim and
postfix-policyd-spf.
While testing mail policies that were published using a CNAME, I
noticed opendmarc is not handling the published policies, but is
acting as if no policy was published. To address this issue I have
submitted an issue to the opendmarc project.
https://github.com/trusteddomainproject/OpenDMARC/issues/103
My questions are:
- Is it a common practice to use a CNAME DNS record to reference
DMARC templates?
- Is it a known issue that opendmarc does not process the published
policies when they are published using a CNAME? If this is caused by
a software bug, this could be a serious security issue.
Regards,
Jan
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
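Added example, not part of either message and not OpenDMARC code: a small check showing how a DMARC lookup that reads only TXT records owned by the queried `_dmarc` name sees no policy when the name is a CNAME, while one that follows the alias finds it. The domain names, the answer records and the hop limit are constructed assumptions, and the naive reader illustrates the symptom described above, not a diagnosis of opendmarc.

```python
# Constructed answer section (not real DNS data): what a resolver returns for a
# TXT query on _dmarc.example.org when that name is a CNAME to a template.
ANSWER = [
    ("_dmarc.example.org.", "CNAME", "reject.dmarc-templates.example.net."),
    ("reject.dmarc-templates.example.net.", "TXT",
     "v=DMARC1; p=reject; rua=mailto:dmarc@example.net"),
    ("reject.dmarc-templates.example.net.", "TXT", "unrelated text record"),
]
MAX_CNAME_HOPS = 8  # assumed limit, stops alias loops


def txt_at_owner_only(qname, answer):
    """Naive reader: keep only TXT records owned by the queried name."""
    return [r for o, t, r in answer if t == "TXT" and o.lower() == qname.lower()]


def txt_following_cname(qname, answer):
    """Follow CNAMEs found in the answer, then return TXT at the final name."""
    cnames = {o.lower(): r.lower() for o, t, r in answer if t == "CNAME"}
    name, hops = qname.lower(), 0
    while name in cnames:
        hops += 1
        if hops > MAX_CNAME_HOPS:
            return []  # loop or overlong chain: treat as no records
        name = cnames[name]
    return [r for o, t, r in answer if t == "TXT" and o.lower() == name]


def dmarc_policy(txt_records):
    """Drop records not starting with v=DMARC1; exactly one must remain."""
    candidates = [t for t in txt_records if t.strip().startswith("v=DMARC1")]
    if len(candidates) != 1:
        return None  # none or several: no policy is applied
    tags = {}
    for part in candidates[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags.get("p")


if __name__ == "__main__":
    q = "_dmarc.example.org."
    print("owner-only  :", dmarc_policy(txt_at_owner_only(q, ANSWER)))
    print("follow CNAME:", dmarc_policy(txt_following_cname(q, ANSWER)))
```

A receiver that ends up on the owner-only path treats the domain as having no DMARC policy, so a published `p=reject` is never enforced for that domain.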