Re: [mailop] DMARC external destination verification ignored?

2024-02-06 Thread Ángel via mailop
On 2024-02-06 at 15:55 +, Vitali wrote:
> 
> Are they violating the RFC or is there a new DMARC report exception
> if both domains share the MX root domain?
> 
> Thank you.
> Vitali

It would have been preferable that you shared that domain, but it does
seem to violate the RFC.
The only peculiar bit I see is that _report._dmarc.emailzustellbarkeit.de
IS set.

$ dig  _report._dmarc.emailzustellbarkeit.de txt
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52922
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
_report._dmarc.emailzustellbarkeit.de. 7200 IN TXT "v=DMARC1"


but the RFC is clear that the wildcard needs to be on
*._report._dmarc.emailzustellbarkeit.de, a record on
_report._dmarc.emailzustellbarkeit.de wouldn't match

(and, if strictly conforming, there should also be a semicolon after
"DMARC1")


___
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
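
An added example (not part of either message in this thread) of the external destination check from RFC 7489 section 7.1 that the thread discusses, including why a record at the bare `_report._dmarc` node does not authorise anything while a wildcard below it does. The zone data and all `*.example` names are constructed, the wildcard handling is a simplified form of RFC 4592, and the two-label organizational domain is an assumption standing in for a Public Suffix List lookup.

```python
from urllib.parse import urlparse

# Constructed sample zone: owner name -> TXT strings (placeholder domains).
ZONE = {
    # Record at the bare node, as in the dig output quoted in the reply
    "_report._dmarc.bare.example": ["v=DMARC1"],
    # Wildcard that authorises reports for any policy domain
    "*._report._dmarc.wild.example": ["v=DMARC1;"],
    # Explicit authorisation for exactly one policy domain
    "customer.example._report._dmarc.single.example": ["v=DMARC1"],
}

def lookup_txt(name, zone=ZONE):
    """Offline TXT lookup with simplified RFC 4592 wildcard synthesis."""
    name = name.rstrip(".").lower()
    if name in zone:
        return zone[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if "*." + ancestor in zone:
            return zone["*." + ancestor]
        if ancestor in zone:  # closest encloser exists, no wildcard under it
            return []
    return []

def rua_host(rua_uri):
    # mailto:user@host, optionally followed by a "!10m" size limit
    return urlparse(rua_uri).path.rsplit("@", 1)[1].split("!")[0].lower()

def org_domain(host):
    # Assumption: last two labels; real code consults the Public Suffix List.
    return ".".join(host.rstrip(".").lower().split(".")[-2:])

def verification_name(policy_domain, rua_uri):
    return f"{policy_domain.lower()}._report._dmarc.{rua_host(rua_uri)}"

def external_rua_authorized(policy_domain, rua_uri, zone=ZONE):
    if org_domain(rua_host(rua_uri)) == org_domain(policy_domain):
        return True  # same Organizational Domain: no verification needed
    records = lookup_txt(verification_name(policy_domain, rua_uri), zone)
    # v=DMARC1 must be the first tag; a trailing ";" is accepted either way here.
    return any(r.split(";")[0].strip() == "v=DMARC1" for r in records)

if __name__ == "__main__":
    for dest in ("bare.example", "wild.example", "single.example"):
        uri = f"mailto:agg@{dest}"
        print(dest, external_rua_authorized("customer.example", uri))
```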


[mailop] DMARC external destination verification ignored?

2024-02-06 Thread Vitali via mailop
Hi list,

I've found this case where DMARC reports are sent to an external destination 
without the verification TXT record being published.

```
❯ dig _dmarc.[redacted] txt +short
"v=DMARC1; p=none; rua=mailto:dm...@emailzustellbarkeit.de";
```

The external destination domain does not publish a `v=DMARC1;` TXT record for 
that domain.

```
❯ dig [redacted]._report._dmarc.emailzustellbarkeit.de txt
[...]
;; QUESTION SECTION:
;[redacted]._report._dmarc.emailzustellbarkeit.de. IN TXT

;; AUTHORITY SECTION:
emailzustellbarkeit.de. 1614 IN SOA ns5.kasserver.com. hostmaster.kasserver.com. 2401241842 28800 7200 1209600 7200
[...]
```

The only common factor is the root domain of the MX record.

```
❯ dig [redacted] mx +short
10 w01ad564.kasserver.com.

❯ dig emailzustellbarkeit.de mx +short
10 w01b9b8a.kasserver.com.
```

Some ISPs that send reports are Microsoft (Outlook), Seznam, emailsrvr. I 
already reached out to emailsrvr but didn't get a response yet.

Are they violating the RFC or is there a new DMARC report exception if both 
domains share the MX root domain?

Thank you.
Vitali
