As a result of earlier discussions, I have been investigating NXDOMAIN as an email filtering criterion.
One question from those discussions was the best way to detect NXDOMAIN. I realized that I needed a query which specifically returns NXDOMAIN as a result, not simply the absence of a particular result. Additionally, a lookup on A/AAAA with results could represent either a domain name with no host segment, or a host segment and a parent domain. Consequently, the best test seems to query for type=TXT, match=domainname.

I have applied this rule to incoming RFC5322.MailFrom addresses and found the test to be useful. For my mail stream, 20% of the messages with SPF=NONE have this result because of NXDOMAIN. The percentages were roughly equal whether evaluating unique domain names or unique messages. While both SPF=NONE and SPF=NXDOMAIN are indicators that the message is probably unwanted, NXDOMAIN has a higher probability of being unwanted.

I have not yet begun evaluating NXDOMAIN on the RFC5322.From address, but hope to get that done in the weeks ahead.

Is anyone else collecting data on NXDOMAIN, and able to share experience?
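The distinction the message draws, a TXT query that comes back as NXDOMAIN versus one that merely has no TXT data, is carried in the DNS header's RCODE and answer count. The following is an added example, not code from the original post: it builds a type=TXT query and classifies a reply. The function names and the sample replies are constructed for illustration, and nothing is sent over the network.

```python
import struct

RCODE_NXDOMAIN = 3   # RFC 1035 "Name Error": the queried name does not exist
QTYPE_TXT, QCLASS_IN = 16, 1

def build_txt_query(domain, qid=0x1234):
    """Encode a DNS query for type=TXT, class=IN, with recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)

def classify_response(query, packet):
    """Return 'NXDOMAIN', 'NODATA', 'ANSWER' or 'ERROR' for a reply to query."""
    if len(packet) < 12:
        return "ERROR"
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qid != struct.unpack("!H", query[:2])[0]:
        return "ERROR"                      # reply does not belong to this query
    if not flags & 0x8000:
        return "ERROR"                      # QR bit clear: this is not a response
    rcode = flags & 0x000F
    if rcode == RCODE_NXDOMAIN:
        return "NXDOMAIN"                   # the name itself does not exist
    if rcode != 0:
        return "ERROR"                      # SERVFAIL, REFUSED: no verdict on existence
    return "ANSWER" if ancount else "NODATA"  # NODATA: name exists, no TXT record

def make_response(query, rcode=0, txt=None):
    """Constructed sample reply: echoes the question, optionally with one TXT answer."""
    qid = struct.unpack("!H", query[:2])[0]
    answer = b""
    if txt is not None:
        rdata = bytes([len(txt)]) + txt
        # 0xC00C is a compression pointer back to the question name at offset 12
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if txt is not None else 0, 0, 0)
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_txt_query("mail.example.com")  # constructed sample domain
    for label, reply in [("rcode=3", make_response(q, rcode=3)),
                         ("no TXT", make_response(q)),
                         ("TXT present", make_response(q, txt=b"v=spf1 -all")),
                         ("rcode=2", make_response(q, rcode=2))]:
        print(label, "->", classify_response(q, reply))
```

Only the NXDOMAIN outcome says the name is absent; NODATA and resolver errors both leave an SPF lookup without a record but do not show that the domain is missing.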