L.S.
I would suggest update the DMARC standard make explicit how CNAME can be
used or not.
Beside of that, the opendmarc software should address this as a bug in
some way. Their opendmarc-check tool shows the correct policy that fails
from the opendmarc service when used on a CNAME-ed DMARC policy.
The usecase I have seen failing only was one CNAME level deep.
The failing mechanism in opendmarc for fetching the DMARC policy now
seems to leed leads to a 'none' policy.
Regards, Jan
Douglas Foster schreef op 2021-03-02 12:51:
Because CNAME usage was not mentioned in the previous DMARC document,
existing implementations may not have tested this configuration. For
the policy publishing organization, this increases the possibility
that some recipients may treat the mail as not protected by DMARC.
As with any deployment issue, the publishing organization has no
reliable way to know if the deployment of DMARC implementations with
full CNAME support is "essentially complete". This uncertainty may be
acceptable for some organizations, but may be an obstacle for others,
depending on their motivations for implementing DMARC.
On the implementation side, the use of CNAME will introduce the
possibility of referral errors, which may or may not require
mentioning in the DMARC specification, since such issues have probably
been addressed in core DNS documents. The issues that come to mind
are:
CNAME referrals to non-existent names
Nested CNAME referrals (what depth is allowed?)
CNAME referrals that produce loops or excessive nesting depth.
DF
On Tue, Mar 2, 2021 at 6:12 AM Tim Wicinski <[email protected]>
wrote:
Using a CNAME at _dmarc.example should not be a problem, as long as
the CNAME target is a TXT record. The DNS resolver functions should
should handle this seamlessly. This does sound like a vendor
software
problem.
I am aware of DKIM records being deployed using CNAMEs pointing to a
TXT record target.
Has anyone seen the above error condition when testing DKIM records?
This definitely sounds like an issue with the software.
Nobody should shy away from publishing DMARC records that are CNAMEs
to DMARC
TXT records elsewhere. Using this design should be strongly
encouraged.
tim _______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
