Hi,

True, the RFC states nothing about CNAMEs. It would be great to have that
feature, though. Not only would this make handling many domains
easier, but it would also allow a domain owner to outsource the management of
DMARC to a hosting provider.

Kind regards,
Henning

> -----Original Message-----
> From: dmarc [mailto:[email protected]] On Behalf Of Tõnu Tammer
> Sent: Tuesday, 2 March 2021 09:13
> To: [email protected]
> Subject: Re: [dmarc-ietf] Using CNAME records to DMARC templates causes
> issues
> 
> Hi Jan,
> 
> We have noticed a similar issue with CNAME that is used by some of the
> vendors. However, we have not fully concluded whether this is an issue of the
> software, as the RFC stipulates that TXT records should be used.
> 
> KR,
> 
> Tonu
> CERT-EE
> 
> On 02.03.2021 09:49, jbouwh wrote:
> > Hi all,
> > I am new to this list, and will give a short introduction to myself.
> > I work for the Dutch government as an IT architect. One of my goals is
> > improving mail security.
> > As Dutch government we commit to comply with SPF, DKIM, DMARC, DANE and
> > IPv6 standards.
> > With this we are challenged to keep the technical environment manageable.
> > Some of our government IT partners use CNAME records to refer to DMARC
> > templates, and we are planning to use the same technique. Using
> > templates makes it easier to maintain DNS records.
> >
> > For private purposes I am running my own mail server using opendmarc
> > together with postfix, amavis, spamassassin, opendkim and
> > postfix-policyd-spf.
> > During testing mail policies that were published using a CNAME, I
> > noticed opendmarc is not handling the published policies, but is
> > acting as if no policy was published. To address this issue I have
> > submitted an issue to the opendmarc project.
> >
> > https://github.com/trusteddomainproject/OpenDMARC/issues/103
> >
> > My questions are:
> > -    Is it a common practice to use a CNAME DNS record to reference
> > DMARC templates?
> > -    Is it a known issue opendmarc does not process the published
> > policies when they are published using a CNAME? If this is caused due
> > to a software bug, this could be a serious security issue.
> >
> > Regards,
> > Jan
> >
> > _______________________________________________
> > dmarc mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/dmarc
> 
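
The failure mode Jan describes, modeled as an added example (not code from the thread or from OpenDMARC): a policy lookup that reads only TXT data at the `_dmarc` name sees no policy behind a CNAME, while one that follows the alias finds it. The zone contents, the `example` names and the hop limit are constructed assumptions, and the organizational-domain fallback is left out.

```python
# Constructed zone data; all names are placeholders, not taken from the thread.
ZONE = {
    ("_dmarc.agency.example", "CNAME"): ["reject.dmarc-templates.example"],
    ("reject.dmarc-templates.example", "TXT"): [
        "v=DMARC1; p=reject; rua=mailto:reports@dmarc-templates.example"
    ],
    ("_dmarc.direct.example", "TXT"): ["v=DMARC1; p=quarantine"],
    ("_dmarc.loop.example", "CNAME"): ["_dmarc.loop.example"],
}

MAX_CNAME_HOPS = 8  # assumed limit so an alias loop cannot hang the lookup


def txt_exact(name):
    """Lookup that only reads TXT data stored at the queried name itself."""
    return ZONE.get((name.lower(), "TXT"), [])


def txt_following_cname(name):
    """Lookup that chases CNAME aliases before reading TXT data."""
    name = name.lower()
    for _ in range(MAX_CNAME_HOPS):
        target = ZONE.get((name, "CNAME"))
        if not target:
            return ZONE.get((name, "TXT"), [])
        name = target[0].lower()
    return []  # alias loop or chain too long: treat as no record


def dmarc_policy(domain, lookup):
    """Return the p= value of the single valid DMARC record, or None."""
    records = [r for r in lookup("_dmarc." + domain) if r.startswith("v=DMARC1")]
    if len(records) != 1:
        return None  # no record, or several records: no policy is applied
    tags = dict(
        (k.strip(), v.strip())
        for k, _, v in (part.partition("=") for part in records[0].split(";"))
        if k.strip()
    )
    return tags.get("p")


if __name__ == "__main__":
    for domain in ("agency.example", "direct.example", "loop.example"):
        print(domain, dmarc_policy(domain, txt_exact),
              dmarc_policy(domain, txt_following_cname))
```

A receiver whose lookup behaves like `txt_exact` treats `agency.example` as having no policy, so mail failing SPF and DKIM alignment is not rejected even though the owner published `p=reject`.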