DMARC policy lookup violates RFC 7849.

Bug #1931029 reported by Mark Sapiro
Affects: GNU Mailman
Status: Fix Released
Importance: Low
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

If DNS lookup of TXT records for a domain finds more than one v=DMARC1; record, it checks them all for policy = reject or quarantine.

RFC 7849, Sec 6.6.3 item 5 says:

   5. If the remaining set contains multiple records or no records,
      policy discovery terminates and DMARC processing is not applied
      to this message.

Thus, if we find multiple records we should assume no DMARC policy for this domain.

Jim Popovitch (jimpop) wrote :

Here's the 5 items: https://datatracker.ietf.org/doc/html/rfc7489#section-6.6.3

If item 2 matches multiple v=DMARC1 records, and therefore item 3 is ignored, does item 5 even apply?

Mark Sapiro (msapiro)
Changed in mailman:
status: Triaged → Fix Committed
Mark Sapiro (msapiro) wrote :

We are concerned about a domain which has multiple v=DMARC1 TXT records. This is exactly the case that item 5 addresses. I.e. a domain which publishes multiple _dmarc TXT records with v=DMARC1 is treated as publishing no policy.

Jim Popovitch (jimpop) wrote :

I guess RFC 7849 is just not clear to me that item #5 applies if item 3 contains more than 1 v=DMARC1 record. I say this because items 2 and 4 are identical, and to me that signifies that the items are a logical path, not a list of mandatory principles.

That said, erring on the side of common sense makes good sense; otherwise we'd have to choose which v=DMARC1 record to honor.

Mark Sapiro (msapiro) wrote :

The items are steps in a process, not an unordered list of rules.

Step 3 says if there are no DMARC records for the domain, check the organizational domain if different. Thus, step 4 is saying discard any non-v=DMARC1 records from the organizational domain.

If the From: domain has any v=DMARC1 records, we skip step 3, step 4 is moot because of step 2, and we get to step 5.

If the From: domain has no v=DMARC1 records, we check the organizational domain if different per step 3 and then we get to steps 4 and 5.
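The five-step discovery process Mark walks through above, and the "multiple records means no policy" rule from the bug description, as an added example that is not Mailman's own code: it runs RFC 7489 section 6.6.3 over a constructed in-memory TXT table instead of real DNS, and the organizational-domain helper is a deliberate simplification (an assumption; real code consults the Public Suffix List).

```python
# Added example, not Mailman's code: RFC 7489 sec. 6.6.3 policy discovery over
# a constructed TXT table standing in for DNS.
from typing import Optional

# Constructed answers keyed by queried name (not real domains or records).
FAKE_TXT = {
    "_dmarc.example.com": ["v=spf1 -all",                   # not DMARC1, dropped by step 2
                           "v=DMARC1; p=reject; rua=mailto:r@example.com"],
    "_dmarc.twice.example.org": ["v=DMARC1; p=reject",      # two DMARC1 records:
                                 "v=DMARC1; p=none"],       # step 5 says no policy applies
    "_dmarc.example.org": ["v=DMARC1; p=quarantine"],       # org-domain fallback (step 3)
}

def txt_lookup(name: str) -> list:
    return FAKE_TXT.get(name, [])

def organizational_domain(domain: str) -> str:
    # Assumption: last two labels. Real code must use the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def dmarc_records(domain: str) -> list:
    # Steps 1+2 (or 3+4): query _dmarc.<domain> and keep only v=DMARC1 records.
    return [r for r in txt_lookup("_dmarc." + domain)
            if r.strip().lower().startswith("v=dmarc1")]

def parse_tags(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def discover_policy(from_domain: str) -> Optional[str]:
    """Effective p= value for the From: domain, or None when DMARC does not apply."""
    records = dmarc_records(from_domain)
    if not records:                       # step 3: fall back to the org domain
        org = organizational_domain(from_domain)
        if org != from_domain:
            records = dmarc_records(org)
    if len(records) != 1:                 # step 5: zero or several records -> no policy
        return None
    return parse_tags(records[0]).get("p")

def any_record_restrictive(from_domain: str) -> bool:
    # The pre-fix check as the report describes it: honour reject/quarantine if
    # ANY of the v=DMARC1 records says so, even when several were published.
    return any(parse_tags(r).get("p") in ("reject", "quarantine")
               for r in dmarc_records(from_domain))
```

For the constructed twice.example.org entry the RFC-conformant `discover_policy` returns None while `any_record_restrictive` returns True, which is exactly the divergence the report describes.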

Jim Popovitch (jimpop) wrote :

RFCs should really include logic trees. Thanks Mark.

Mark Sapiro (msapiro)
Changed in mailman:
status: Fix Committed → Fix Released