Re: [mailop] DMARC and subdomains

2023-06-18 Thread John Levine via mailop
It appears that Andrew C Aitchison via mailop  said:
>> FWIW, future development provides for walking down the DNS tree.
>> So a DMARC verifier would look up _domainkey.foo.bar.example.com and
>> _domainkey.bar.example.com before reaching _domainkey.example.com.
>
>Are we talking about _dmarc...example.com or _domainkey...example.com ?

DMARC

>Is this future development published for comment ?

Of course it is.  See the DMARC WG's drafts.

>Is this a way of allowing residential broadband and cloud providers to
>distinguish their clients and not have to control what said clients do ?

No.

R's,
John
___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop


Re: [mailop] DMARC and subdomains

2023-06-18 Thread Andrew C Aitchison via mailop

On Sun, 18 Jun 2023, Alessandro Vesely via mailop wrote:

> On Fri 16/Jun/2023 22:41:39 +0200 Gellner, Oliver via mailop wrote:
>
>> On 16.06.2023 at 16:13 Jaroslaw Rafa via mailop wrote:
>>> [...]
>>> So at least one (and important one, given the size of this mail service)
>>> implementation of DMARC does not use the PSL.
>>
>> eu.org is located in the private domain section of Mozilla's public suffix
>> list. Apparently Google does not treat those private domains as public
>> suffixes (at least not all of them) or uses a different public suffix list.
>> The DMARC specification does not mandate that you have to use Mozilla's PSL
>> and pick up every self-appointed entry from there.
>
> FWIW, future development provides for walking down the DNS tree.
> So a DMARC verifier would look up _domainkey.foo.bar.example.com and
> _domainkey.bar.example.com before reaching _domainkey.example.com.

Are we talking about _dmarc...example.com or _domainkey...example.com ?

Is this future development published for comment ?

Is this a way of allowing residential broadband and cloud providers to
distinguish their clients and not have to control what said clients do ?

> Eu.org would have to publish a "psd=y" tag to say it is a public suffix
> domain.  PSD domains can specify policies.
>
> Their current record specifies a pct=, which won't be supported by the
> upcoming standard.

So the future development will break compatibility with the current standard ?
I hope the future development requires a new value for the "v" tag.

> "v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org;


Thanks,

--
Andrew C. Aitchison  Kendal, UK
   and...@aitchison.me.uk


Re: [mailop] DMARC and subdomains

2023-06-18 Thread Alessandro Vesely via mailop

On Fri 16/Jun/2023 22:41:39 +0200 Gellner, Oliver via mailop wrote:

> On 16.06.2023 at 16:13 Jaroslaw Rafa via mailop wrote:
>> [...]
>> So at least one (and important one, given the size of this mail service)
>> implementation of DMARC does not use the PSL.
>
> eu.org is located in the private domain section of Mozilla's public suffix list.
> Apparently Google does not treat those private domains as public suffixes (at
> least not all of them) or uses a different public suffix list. The DMARC
> specification does not mandate that you have to use Mozilla's PSL and pick up
> every self-appointed entry from there.

FWIW, future development provides for walking down the DNS tree.  So a DMARC
verifier would look up _domainkey.foo.bar.example.com and
_domainkey.bar.example.com before reaching _domainkey.example.com.

Eu.org would have to publish a "psd=y" tag to say it is a public suffix domain.
PSD domains can specify policies.

Their current record specifies a pct=, which won't be supported by the upcoming
standard.

"v=DMARC1;p=none;sp=none;pct=10;rua=mailto:dmarc-mas...@eu.org;ruf=mailto:dmarc-mas...@eu.org;


Best
Ale
--
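The DNS tree walk Alessandro describes, as an added example that is not code from the thread or from any DMARC implementation. The psd=y boundary rule ("organizational domain is one label below the public suffix domain") and the fall-back to a PSD record's sp= are my simplified reading of the DMARCbis drafts, i.e. assumptions; the DNS table is constructed, and pct= is kept in the eu.org record only to show that the walk never consults it.

```python
# Added example, not code from the thread: the DNS tree walk Alessandro
# describes, with _dmarc records replacing the PSL. The psd=y boundary rule,
# "organizational domain = one label below the PSD", and the fall-back to a
# PSD record's sp= are ASSUMPTIONS from a simplified reading of DMARCbis.

# Constructed DNS: _dmarc TXT records, already split into tag dicts.
DNS = {
    "_dmarc.example.com": {"v": "DMARC1", "p": "reject", "sp": "quarantine"},
    "_dmarc.eu.org": {"v": "DMARC1", "p": "none", "sp": "none",
                      "pct": "10", "psd": "y"},  # pct= is ignored below
}


def tree_walk(from_domain):
    """Query _dmarc.<name> from the From domain upward, never the bare TLD.

    Returns (names queried, in order, [(name, record), ...] that answered).
    """
    labels = from_domain.lower().rstrip(".").split(".")
    names = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    found = []
    for name in names:
        rec = DNS.get("_dmarc." + name)
        if rec:
            found.append((name, rec))
            if rec.get("psd") == "y":
                break  # reached the public suffix domain; stop climbing
    return names, found


def policy_for(from_domain):
    """Return (policy domain, policy, organizational domain) or None."""
    names, found = tree_walk(from_domain)
    if not found:
        return None
    top_name, top_rec = found[-1]
    if top_rec.get("psd") == "y" and names.index(top_name) > 0:
        # One label below the PSD, even with no record of its own (rafa.eu.org)
        org = names[names.index(top_name) - 1]
    else:
        org = top_name  # shortest name that answered
    records = dict(found)
    if names[0] in records:  # the From domain's own p= wins
        return names[0], records[names[0]]["p"], org
    for name in (org, top_name):  # org domain's sp=, else the PSD's sp=
        if name in records:
            return name, records[name].get("sp", records[name]["p"]), org
    return None
```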


Re: [mailop] DMARC and subdomains

2023-06-16 Thread Gellner, Oliver via mailop

> On 16.06.2023 at 16:13 Jaroslaw Rafa via mailop wrote:
>
> At some time I noticed that Gmail started to indicate DMARC failure. I
> checked and found out that the admins of parent eu.org domain put a DMARC
> record on it, which caused emails from my domain rafa.eu.org (not from the
> parent eu.org) to fail DMARC check.
>
> But... eu.org is on the PSL! So, if DMARC check did actually use the PSL to
> determine the organizational domain, it would have determined that
> rafa.eu.org *is* the organizational domain itself and it shouldn't check
> anything above it. It wasn't the case, however.
>
> So at least one (and important one, given the size of this mail service)
> implementation of DMARC does not use the PSL.

eu.org is located in the private domain section of Mozilla's public suffix list. 
Apparently Google does not treat those private domains as public suffixes (at 
least not all of them) or uses a different public suffix list. The DMARC 
specification does not mandate that you have to use Mozilla's PSL and pick up 
every self-appointed entry from there.
Andy Smith is likely using a domain below an ICANN registered TLD and is 
therefore unaffected by this issue anyway.

—
BR Oliver




Re: [mailop] DMARC and subdomains

2023-06-16 Thread Andy Smith via mailop
Hi Todd,

On Fri, Jun 16, 2023 at 09:31:58AM -0400, Todd Herr via mailop wrote:
> Yes, the DMARC protocol does describe the search for the organizational
> domain for the RFC5322.From domain in an email message.

Yep, got it now; I want the subdomain policy ("sp"). Not sure how I
missed that, or the other silly errors in my email.

My brain is baking in a non-air-conditioned London!

Thanks,
Andy

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: [mailop] DMARC and subdomains

2023-06-16 Thread Todd Herr via mailop
On Fri, Jun 16, 2023 at 10:11 AM Jaroslaw Rafa via mailop 
wrote:

> Dnia 16.06.2023 o godz. 09:31:58 Todd Herr via mailop pisze:
> > Yes, the DMARC protocol does describe the search for the organizational
> > domain for the RFC5322.From domain in an email message.
> >
> > It doesn't rely on the "_domainkey" hostnames (that's DKIM), but it does
> > currently rely on the Public Suffix List to determine the organizational
> > domain in cases where there is no DMARC policy record published for the
> > RFC5322.From domain.
>
> Well, in reality it doesn't use PSL.
>
> [snip]
>
> So at least one (and important one, given the size of this mail service)
> implementation of DMARC does not use the PSL.
>

Those are two different statements, though.

The current DMARC protocol
(https://datatracker.ietf.org/doc/html/rfc7489#section-3.2) specifies
acquiring a public suffix list as the first step in determining an
organizational domain.

Your example demonstrates an implementation of DMARC that may not be
following the published protocol, but that's different from saying DMARC
doesn't use the PSL.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
e: todd.h...@valimail.com
p: 703-220-4153
m: 703.220.4153



Re: [mailop] DMARC and subdomains

2023-06-16 Thread Jaroslaw Rafa via mailop
Dnia 16.06.2023 o godz. 09:31:58 Todd Herr via mailop pisze:
> Yes, the DMARC protocol does describe the search for the organizational
> domain for the RFC5322.From domain in an email message.
> 
> It doesn't rely on the "_domainkey" hostnames (that's DKIM), but it does
> currently rely on the Public Suffix List to determine the organizational
> domain in cases where there is no DMARC policy record published for the
> RFC5322.From domain.

Well, in reality it doesn't use PSL.

When my issues with deliverability to Google began a few years ago, I had no
DMARC record on my domain rafa.eu.org. It has been so since the beginning of
the domain and Gmail only used its "best guess" rule to indicate SPF pass
(as SPF record was not present as well).

At some time I noticed that Gmail started to indicate DMARC failure. I
checked and found out that the admins of parent eu.org domain put a DMARC
record on it, which caused emails from my domain rafa.eu.org (not from the
parent eu.org) to fail DMARC check.

But... eu.org is on the PSL! So, if DMARC check did actually use the PSL to
determine the organizational domain, it would have determined that
rafa.eu.org *is* the organizational domain itself and it shouldn't check
anything above it. It wasn't the case, however.

So at least one (and important one, given the size of this mail service)
implementation of DMARC does not use the PSL.
-- 
Regards,
   Jaroslaw Rafa
   r...@rafa.eu.org
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."


Re: [mailop] DMARC and subdomains

2023-06-16 Thread Todd Herr via mailop
On Fri, Jun 16, 2023 at 9:21 AM Andy Smith via mailop 
wrote:

> Hi,
>
> Let's say I have domain example.com with SPF, DKIM and DMARC
> records. I've put an A record in there to point foo.bar.example.com
> at someone else's IP address.
>
> Probably some cron job or other automated task on that host has sent
> an email from usern...@foo.bar.example.com that has ended up at
> gmail. gmail have sent me an aggregated DMARC report that includes
> SPF and DMARC failures for that mail.
>
> I did not expect that such email from foo.bar.example.com would
> consult the DMARC record for the parent example.com. Is this
> expected?
>
> Does DMARC use the Public Prefix List or something to determine that
> foo.bar.example.com is under the same administrative control as
> example.com, and in the absence of _domainkey.foo.bar.example.com
> will look for _domainkey.example.com? And perhaps even
> _domainkey.bar.example.com?
>
>
Yes, the DMARC protocol does describe the search for the organizational
domain for the RFC5322.From domain in an email message.

It doesn't rely on the "_domainkey" hostnames (that's DKIM), but it does
currently rely on the Public Suffix List to determine the organizational
domain in cases where there is no DMARC policy record published for the
RFC5322.From domain.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
e: todd.h...@valimail.com
p: 703-220-4153
m: 703.220.4153

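The RFC 7489 procedure Todd refers to, as an added example (not code from the thread or from any verifier): organizational domain discovery from the PSL (section 3.2) followed by policy discovery (section 6.6.3). The PSL and DNS tables are constructed; eu.org is placed in the PSL's private section, so the `honour_private` switch reproduces both outcomes discussed in Jaroslaw's and Oliver's messages above, as well as Andy's foo.bar.example.com case.

```python
# Added example, not code from the thread: RFC 7489 section 3.2 (longest
# public suffix plus one label) and the policy discovery of section 6.6.3.
# PSL and DNS tables are constructed stand-ins for the real list and TXT lookups.

# Constructed PSL. eu.org sits in the PRIVATE section, as the thread notes.
PSL_ICANN = {"com", "org", "uk", "co.uk"}
PSL_PRIVATE = {"eu.org"}

# Constructed DNS: _dmarc TXT records, already split into tag dicts.
DNS = {
    "_dmarc.example.com": {"v": "DMARC1", "p": "reject", "sp": "none"},
    "_dmarc.eu.org": {"v": "DMARC1", "p": "none", "sp": "none", "pct": "10"},
}


def organizational_domain(domain, honour_private=True):
    """RFC 7489 3.2: longest matching public suffix, plus one more label.

    honour_private=False models a verifier that ignores the PSL's private
    section (or uses a list without eu.org), one reading of the Gmail
    behaviour reported in the thread.
    """
    suffixes = PSL_ICANN | (PSL_PRIVATE if honour_private else set())
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            # i == 0 means the domain itself is a public suffix
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)  # no suffix matched: treat as organizational


def dmarc_policy(from_domain, honour_private=True):
    """RFC 7489 6.6.3: return (record owner, policy to apply) or None."""
    from_domain = from_domain.lower().rstrip(".")
    rec = DNS.get("_dmarc." + from_domain)
    if rec:
        return from_domain, rec["p"]
    org = organizational_domain(from_domain, honour_private)
    if org == from_domain:
        return None  # From domain is organizational and publishes no record
    rec = DNS.get("_dmarc." + org)
    if not rec:
        return None
    # Record found at the organizational domain: sp= applies, defaulting to p=
    return org, rec.get("sp", rec["p"])
```

With the private section honoured, rafa.eu.org is its own organizational domain and eu.org's record is never consulted; without it, eu.org's sp=none governs the subdomain.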


[mailop] DMARC and subdomains

2023-06-16 Thread Andy Smith via mailop
Hi,

Let's say I have domain example.com with SPF, DKIM and DMARC
records. I've put an A record in there to point foo.bar.example.com
at someone else's IP address.

Probably some cron job or other automated task on that host has sent
an email from usern...@foo.bar.example.com that has ended up at
gmail. gmail have sent me an aggregated DMARC report that includes
SPF and DMARC failures for that mail.

I did not expect that such email from foo.bar.example.com would
consult the DMARC record for the parent example.com. Is this
expected?

Does DMARC use the Public Prefix List or something to determine that
foo.bar.example.com is under the same administrative control as
example.com, and in the absence of _domainkey.foo.bar.example.com
will look for _domainkey.example.com? And perhaps even
_domainkey.bar.example.com?

Thanks,
Andy

PS I don't care about making it work, and the host name is just a
   convenience for someone else. I'd rather not set or be
   responsible for DMARC policy for it at all. The desired SPF, DKIM
   and DMARC records for the example.com here were intended to be
   for a domain that doesn't send any email at all.

-- 
https://bitfolk.com/ -- No-nonsense VPS hosting