On Thu, May 6, 2021 at 8:14 PM Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> My argument is that that A/AAAA/MX has no useful relevance to determining
> whether the RFC5322.FROM address of a message should be evaluated based on
> SP or NP. NP is described as testing "non-existent", rather than "possibly
> able to receive mail". We need a test that evaluates whether the domain
> exists or not, and is maximally protected from false positives caused by
> host names and wildcards.
>
> If this group is convinced that A/AAAA/MX is meaningful for the distinction 
> between SP and NP, I am asking someone to provide the justification and 
> define the algorithm.  Right now I have seen neither.
>
>
I continue to be unclear on why you think that test suite against a name is
inadequate.  Can you demonstrate a live case of a false positive or false
negative?  Perhaps an actual example will help to move this from the
abstract to the concrete.

In the meantime, here's what I think is the justification: If you try to
send me mail apparently from a domain that appears to have no email-related
presence in the DNS, that strikes me as a reasonable situation in which to
bounce such a message, and accordingly, a viable test for DMARC to use.
It's also relatively cheap, given that the DNS is a globally distributed
highly resilient database specifically built to answer such questions.  An
"email-related presence" is the three RRTYPEs that SMTP specifically uses
in trying to make use of a reverse path, and since this is an email
application, that also strikes me as reasonable.

You could (and some have) go one step further and attempt to make a
connection to whatever address that test resolved, on port 25, and see if
something answers.  You could go even further and try to interact via SMTP
with the server you find there, and test to see if the RFC5322.From address
responds 250 to RCPT.  But those are far more heavyweight tests, which can
add substantial time to DMARC processing, and such tests can get you
blocked from further interaction with those sites as they look like
address harvesting probes.

Wildcards are a fact of life.  We will make no progress asserting that
everyone has to stop using them because they muddy DMARC's waters.  DMARC
could confirm on getting a positive MX reply that there is (or is not) a
wildcard MX in play, but I don't know how you would use that information
because the answer is the same both for "real" names and "fake" ones.  Is
this the basis for your position that the triple query done today is
inadequate?

-MSK
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
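The "triple query" existence test and the p/sp/np selection it feeds, modelled offline as an added example (not code from this thread or from any DMARC implementation). The zone data and the resolver are constructed and hypothetical, and the wildcard matching is a one-level simplification of real DNS behaviour:

```python
"""Offline model of the DMARC 'non-existent domain' (np) check.

Added example code; the zone below is a constructed, hypothetical
data set and the resolver is a dictionary lookup, so nothing here
touches the network.
"""
from typing import Dict, List, Tuple

# Constructed zone data: (owner name, RRTYPE) -> RDATA strings.
ZONE: Dict[Tuple[str, str], List[str]] = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
    ("www.example.com", "A"): ["192.0.2.80"],            # host name, no MX
    ("*.wild.example", "MX"): ["10 mail.wild.example"],  # wildcard MX
}


def lookup(name: str, rrtype: str) -> List[str]:
    """Toy resolver: exact owner first, then a one-level wildcard, else no
    data. (Real DNS wildcard rules are richer; this is a simplification.)"""
    if (name, rrtype) in ZONE:
        return ZONE[(name, rrtype)]
    parent = name.partition(".")[2]
    return ZONE.get(("*." + parent, rrtype), []) if parent else []


def has_mail_presence(domain: str, resolve=lookup) -> bool:
    """The triple query: the domain 'exists' for DMARC purposes if any of
    A, AAAA or MX returns data for it."""
    return any(resolve(domain, rr) for rr in ("A", "AAAA", "MX"))


def select_policy(from_domain: str, org_domain: str,
                  record: Dict[str, str], resolve=lookup) -> str:
    """Choose which tag governs the RFC5322.From domain: p for the
    organizational domain itself, np for a subdomain that fails the
    existence test (when np is published), otherwise sp, falling back to p."""
    if from_domain == org_domain:
        return record["p"]
    if "np" in record and not has_mail_presence(from_domain, resolve):
        return record["np"]
    return record.get("sp", record["p"])
```

A host name with only an A record ("www") and any name under the wildcard zone both count as existing, so they are judged under sp rather than np; this is the behaviour the thread is debating.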