On Sunday, December 5, 2021 2:40:16 PM EST John Levine wrote:
> It appears that Scott Kitterman  <skl...@kitterman.com> said:
> >> How about if it has a null MX and a DMARC record or DKIM keys?  Remember
> >> that those records are at different names than the MX. ...
> >
> >There's two ways we could go at this question:
> >
> >1.  A domain that, except for the null mx, would fit the criteria for
> >non-existent.  This would be kind of weird, since null mx only makes sense if
> >you have an A/AAAA, but I wouldn't think existence of a null mx alone
> >would be enough to make the domain 'exist'.
> >
> >2.  A domain which has an A/AAAA and null mx.  Since it claims to be a no
> >mail domain, we could treat it as not existing for DMARC purposes.  Since
> >RFC 7505 specifies null mx is for domains that don't accept mail, but is
> >silent on sending mail, these should probably exist for DMARC purposes.
> >
> >I think that your point is about #2 and I agree.  #1 is definitely a corner
> >case, but if the only thing there is a null mx, I'd be quite comfortable
> >saying it doesn't exist.
> 
> It's about both.  What if a domain has a null MX and a DMARC record?  Maybe
> it has an SPF record, too.
> 
> For your #2 you seem to be saying that if I send no-reply transactional
> mail, my DNS would look like this:
> 
> notify.bigcorp.com. IN MX 0 .   /* we don't receive replies */
>    IN A 0.0.0.0                  /* make the domain exist */
> _dmarc.notify.bigcorp.com. IN TXT "v=DMARC1; p=reject; ..." /* it's all aligned */
> s._domainkey.notify.bigcorp.com. IN TXT "v=DKIM1; h=sha256; p=MIIBIjANB..." /* it's signed */

In the current definition one of MX, A, or AAAA needs to return something other 
than NODATA or NXDOMAIN.

For #1, I'm not suggesting a change to the existence test based on TXT 
records, so you're correct from my POV.  A domain can (based on the RFC 9091 
definition that has been imported into the draft) already have an SPF record, a 
DKIM key record, and a DMARC record and "not exist".  I think extending that 
to maintain a state of non-existence when there is a null mx doesn't really 
change anything, except to cover a corner case.

For #2, yes.  Something like that.  I don't think we want to make that domain 
not exist since it clearly does.

This is about if the sp= or np= policy should apply (if defined).  I think 
it's reasonable to apply np= if the only thing that makes the domain exist in 
our terms is the null mx (#1).  For #2, I think the sp= policy should apply.

Scott K



_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
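
Added example, not part of the original message or of the draft: the existence test quoted above next to the null-MX variant discussed in the thread, showing which of np=/sp=/p= would govern a subdomain in each case. The DNS answers, the policy record and all function names are constructed for illustration; the np= to sp= to p= fallback order is taken from RFC 9091.

```python
NXDOMAIN, NODATA = "NXDOMAIN", "NODATA"   # negative DNS results
NAME_TYPES = ("MX", "A", "AAAA")

def has_answer(rr):
    """True when a lookup returned at least one record."""
    return rr not in (NXDOMAIN, NODATA) and bool(rr)

def is_null_mx(mx):
    """RFC 7505 null MX: exactly one MX RR, preference 0, exchange '.'."""
    return mx == [(0, ".")]

def exists_current(answers):
    """Test quoted in the thread: any of MX/A/AAAA returns data."""
    return any(has_answer(answers.get(t, NODATA)) for t in NAME_TYPES)

def exists_proposed(answers):
    """Variant discussed in the thread: a null MX by itself does not count."""
    counted = dict(answers)
    if is_null_mx(counted.get("MX")):
        counted["MX"] = NODATA
    return exists_current(counted)

def parse_tags(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def subdomain_policy(record, exists):
    """np= governs non-existent subdomains, sp= existing ones; each falls
    back toward p= when the tag is absent (RFC 9091 fallback order)."""
    tags = parse_tags(record)
    for tag in (("sp", "p") if exists else ("np", "sp", "p")):
        if tag in tags:
            return tag, tags[tag]
    raise ValueError("DMARC record has no p= tag")

# Constructed sample data (hypothetical zone contents and policy record).
ORG_RECORD = "v=DMARC1; p=none; sp=quarantine; np=reject"
CASES = {
    "case 1: null MX only":   {"MX": [(0, ".")], "A": NODATA, "AAAA": NODATA},
    "case 2: null MX plus A": {"MX": [(0, ".")], "A": ["192.0.2.10"], "AAAA": NODATA},
    "no records at all":      {"MX": NXDOMAIN, "A": NXDOMAIN, "AAAA": NXDOMAIN},
}

if __name__ == "__main__":
    for label, answers in CASES.items():
        cur = subdomain_policy(ORG_RECORD, exists_current(answers))
        new = subdomain_policy(ORG_RECORD, exists_proposed(answers))
        print(f"{label:24} current={cur} proposed={new}")
```

Only case 1 changes between the two tests: a name whose sole record is a null MX moves from sp= to np=, while the null MX plus A case stays under sp=.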
