On Mon, Apr 5, 2021 at 2:02 PM Douglas Foster <[email protected]> wrote:

> As a result of earlier discussions, I have been investigating NXDOMAIN as
> an email filtering criterion.
>
> One question from those discussions was the best way to detect NXDOMAIN.
> I realized that I needed a query which specifically returns NXDOMAIN as a
> result, not simply the absence of a particular result. Additionally, a
> lookup on A/AAAA with results could represent either a domain name with no
> host segment, or a host segment and a parent domain. Consequently, the
> best test seems to query for type=TXT, match=domainname.
>
> I have applied this rule to incoming RFC5322.MailFrom addresses and found
> the test to be useful. For my mail stream, 20% of the messages with
> SPF=NONE have this result because of NXDOMAIN. The percentages were
> roughly equal whether evaluating unique domain names or unique messages.
>
> While both SPF=NONE and SPF=NXDOMAIN are indicators that the message is
> probably unwanted, NXDOMAIN has a higher probability of being unwanted.
>
> I have not yet begun evaluating NXDOMAIN on the RFC5322.From address, but
> hope to get that done in the weeks ahead.
>
> Is anyone else collecting data on NXDOMAIN, and able to share experience?

Due to terminology pedantry, I'm having trouble understanding this. Someone please check my math here:

If I ask for MX records for example.com, NXDOMAIN comes back as the response's error code not if there's no MX record for that name, but rather if there are no records of any kind for that name. On the other hand, if there's no MX but there is an A or AAAA, I'm going to get a success error code (NOERROR), but with an answer count of 0.

So I don't know what "detect NXDOMAIN" means: your DNS reply either has that error code, or it doesn't.

If instead you're trying to determine whether a name can receive mail, at least according to DNS data, it seems to me you query one record type (MX) and see if you get >0 answers, 0 answers, or NXDOMAIN.

If you got NXDOMAIN, you're done; there's no way to route this message. If you got 0 answers, you should query A and/or AAAA and send there. If you got >0 answers, now you have to resolve the names you got to addresses; assuming at least one of those resolves, you have someplace to send the message. This is what RFC 5321 says to do.

I don't think querying TXT would tell you anything more. What am I missing?

-MSK
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
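The MX-then-A/AAAA decision procedure described in the reply above, as an added example that is not part of the thread or of any list member's code. It runs against a constructed zone (`FAKE_ZONE`) and resolver (`fake_resolver`) rather than live DNS, so that the difference between an NXDOMAIN rcode and a NOERROR reply with zero answers can be exercised offline; the `mx_lookup` function and its outcome labels are assumptions for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a DNS reply: the response code plus the answer
# RRs of the queried type. NXDOMAIN is an rcode; "no records of this type"
# is NOERROR with an empty answer section.
@dataclass
class DnsReply:
    rcode: str          # "NOERROR" or "NXDOMAIN"
    answers: List[str]  # RDATA of the matching records, empty if none

Resolver = Callable[[str, str], DnsReply]  # (name, rrtype) -> reply

def mx_lookup(resolver: Resolver, domain: str) -> Tuple[str, List[str]]:
    """MX first, then A/AAAA, in the order RFC 5321 gives.
    Returns (outcome, addresses to deliver to)."""
    mx = resolver(domain, "MX")
    if mx.rcode == "NXDOMAIN":
        return ("nxdomain", [])  # no records of any kind: nothing to route to
    if not mx.answers:
        hosts, outcome = [domain], "implicit-mx"  # NOERROR, 0 answers
    else:
        # MX RDATA is "preference host"; try lowest preference first
        prefs = sorted((int(r.split()[0]), r.split()[1]) for r in mx.answers)
        hosts, outcome = [h for _, h in prefs], "mx"
    addrs: List[str] = []
    for host in hosts:
        for rrtype in ("A", "AAAA"):
            reply = resolver(host, rrtype)
            if reply.rcode == "NOERROR":
                addrs.extend(reply.answers)
    # MX (or the bare name) exists but none of the targets resolve
    return (outcome, addrs) if addrs else ("unroutable", [])

# Constructed zone data for this example; none of it is a live lookup.
FAKE_ZONE: Dict[Tuple[str, str], DnsReply] = {
    ("example.com", "MX"): DnsReply("NOERROR", ["10 mail.example.com"]),
    ("mail.example.com", "A"): DnsReply("NOERROR", ["192.0.2.25"]),
    ("a-only.example", "A"): DnsReply("NOERROR", ["198.51.100.7"]),
    ("dangling.example", "MX"): DnsReply("NOERROR", ["5 mx.gone.example"]),
}

def fake_resolver(name: str, rrtype: str) -> DnsReply:
    hit = FAKE_ZONE.get((name, rrtype))
    if hit is not None:
        return hit
    # Name present under another type -> NOERROR with 0 answers; otherwise NXDOMAIN
    exists = any(n == name for n, _ in FAKE_ZONE)
    return DnsReply("NOERROR" if exists else "NXDOMAIN", [])
```

Note that `fake_resolver("example.com", "TXT")` returns NOERROR with no answers, which is the point the reply makes: a TXT query on an existing name cannot signal NXDOMAIN any more than an MX query can.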
