[ietf-dkim] why we should clearly specify domain existence

Douglas Otis dotis at mail-abuse.org
Mon May 26 17:31:51 PDT 2008


On May 26, 2008, at 3:09 AM, Wietse Venema wrote:

> Tony Finch:
>>
>> We already have years of operational experience of validating
>> domains according to RFC 2821 section 5.
>
> You are seriously advocating that verifiers connect to an  
> authoritative SMTP server for the author domain? I remind you that  
> the mere existence of an A/AAAA/whatever record does not "validate"  
> something as an author domain. It could be a device that does not  
> even have an SMTP implementation.

This is the wrong concept.  Receiving hosts may limit Author Domain
acceptance to email-addresses that are not invalidated by not having
SMTP discovery records.  This requirement limits spoofing without
reliance on ADSP or DKIM having been implemented by the sender.  (An
incentive.)  The discovery record check should represent less overhead
than that needed to qualify the Author Domain with PTR records in the
reverse zone, largely due to the poor maintenance of this zone.

By ADSP making this recommendation, sending domains can obtain  
comprehensive sub-domain protection by publishing ADSP records below  
only the domains containing MX and A records.  This approach  
alleviates publishing ADSP records below _all_ domains, and  
importantly also permits use of wildcard records by other protocols.

> I find it embarrassing to see people keep assuming that the bad guys
> will play by the rules. In this case, people are assuming that the  
> bad guys will use only those author domains that resolve to valid  
> SMTP server implementations.

Is it not embarrassing to accept messages from Author Domains that
can't possibly resolve to a valid SMTP server?  These are not rules
for bad-actors, these are recommendations for receiving hosts that
wish to reduce acceptance of messages being sent with spoofed
email-addresses.

> DNS lookup alone cannot validate an author domain, so one might just  
> as well use the least complicated mechanism. The SSP NXDOMAIN check  
> is sufficient; the RFC 2821 section 5 MX/A/AAAA lookups create  
> overhead without actual security benefit.

Once SMTP takes a rather small step and only ensures a public exchange
when an MX record is published, then the check would represent
significantly less overhead than any other scheme and would further
reduce the number of domains where an ADSP record would be needed.

An MX record mandate also offers protection for domains not
implementing SMTP or DKIM from any number of transactions often
occurring as a result of spoofed originating email-addresses.  SMTP
can't be allowed to recommend the use of bogus MX records either.
That approach does not scale and would set a bad precedent.  Until the
MX mandate occurs, at least the recommended process of first checking
MX records will detect a non-existent domain, and when used
legitimately, the algorithm will conclude with a request for an ADSP
record.  Without the MX record mandate, a bad-actor may still induce
requests for A records.

-Doug
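The check order argued over in this thread (MX first, so a non-existent domain is caught with one query; fall back to A/AAAA per RFC 2821 section 5 when no MX exists; only then ask for an ADSP record), written out as an added example. This is editorial illustration code, not code from Doug's message, from the ietf-dkim group, or from any DKIM/ADSP implementation. It assumes a constructed in-memory zone with invented names under .example in place of live DNS, and it assumes the ADSP record location _adsp._domainkey.<domain> from the later RFC 5617. The require_mx flag models the "MX record mandate" case so the query counts can be compared; that flag is an assumption of this example, not anything the message specifies.

```python
from typing import Dict, List, Optional, Tuple

ZoneData = Dict[str, Dict[str, List[str]]]

# Constructed in-memory zone standing in for live DNS.  The names are
# invented for this example; a name missing from the dict is NXDOMAIN.
FAKE_ZONE: ZoneData = {
    "example.com.":                  {"MX": ["10 mail.example.com."]},
    "mail.example.com.":             {"A": ["192.0.2.10"]},
    "_adsp._domainkey.example.com.": {"TXT": ["dkim=all"]},
    "host-only.example.":            {"AAAA": ["2001:db8::25"]},  # address record, no MX
    "records-only.example.":         {"TXT": ["v=spf1 -all"]},    # exists, nothing SMTP can use
}


class NxDomain(Exception):
    """Raised when the queried name does not exist at all (DNS RCODE 3)."""


class Resolver:
    """Minimal stub resolver over a ZoneData dict that records every query it answers."""

    def __init__(self, zone: ZoneData = FAKE_ZONE) -> None:
        self.zone = zone
        self.queries: List[Tuple[str, str]] = []

    def query(self, name: str, rrtype: str) -> List[str]:
        fqdn = name.lower().rstrip(".") + "."
        self.queries.append((fqdn, rrtype))
        if fqdn not in self.zone:
            raise NxDomain(fqdn)
        # Name exists: an empty list is a NODATA answer, not NXDOMAIN.
        return list(self.zone[fqdn].get(rrtype, []))


def smtp_discovery(domain: str, resolver: Resolver, require_mx: bool = False) -> str:
    """Classify an Author Domain by the records SMTP would use to reach it.

    MX is queried first, so a non-existent domain costs exactly one query.
    Without an MX, the RFC 2821 section 5 fallback consults A then AAAA;
    with require_mx=True (the hypothetical "MX mandate") that fallback is
    skipped.  Returns 'nxdomain', 'mx', 'implicit-mx' or 'no-smtp'.
    """
    try:
        if resolver.query(domain, "MX"):
            return "mx"
    except NxDomain:
        return "nxdomain"
    if require_mx:
        return "no-smtp"
    if resolver.query(domain, "A") or resolver.query(domain, "AAAA"):
        return "implicit-mx"
    return "no-smtp"


def adsp_record(domain: str, resolver: Resolver) -> Optional[str]:
    """Fetch the ADSP TXT record at _adsp._domainkey.<domain> (location assumed from RFC 5617)."""
    try:
        txt = resolver.query("_adsp._domainkey." + domain, "TXT")
    except NxDomain:
        return None
    return txt[0] if txt else None


def evaluate_author_domain(domain: str, zone: ZoneData = FAKE_ZONE,
                           require_mx: bool = False) -> dict:
    """Run the whole check and report the verdict plus the number of DNS queries it cost."""
    resolver = Resolver(zone)
    status = smtp_discovery(domain, resolver, require_mx)
    accept = status in ("mx", "implicit-mx")
    # Only a domain that passed SMTP discovery earns the extra ADSP query.
    adsp = adsp_record(domain, resolver) if accept else None
    return {"domain": domain, "status": status, "accept": accept,
            "adsp": adsp, "queries": len(resolver.queries)}


if __name__ == "__main__":
    for name in ("example.com", "host-only.example", "records-only.example",
                 "does-not-exist.example"):
        print(evaluate_author_domain(name))
    print(evaluate_author_domain("host-only.example", require_mx=True))
```

The query counter is the point of the exercise: a domain that exists but publishes neither MX nor address records still draws three queries from a receiver doing the section 5 fallback, which is the "bad-actor may still induce requests for A records" case, while the require_mx variant settles the same domain with a single MX query.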