Tolerate experimental RFC9091 DMARC policies for Public Suffix Domains #876
Comments
|
These subdomains and test cases might be of interest for some additional testing: 3LD with DMARC record [DMARC validation already OK - RFC9091 is overruled] 3LD without DMARC record [DMARC validation FAIL -> should validate OK] 4LD without DMARC record [DMARC validation FAIL -> should validate OK] JvB [edit 20230502] last two test cases should fail now (see #876 (comment)) and correctly do so. |
|
👍 Nice you're looking into protecting subdomains without DMARC. Slightly off-topic: did you already consider to preload HSTS for
It easier to do that now, than later. BTW currently checking Update: actually only |
|
<offtopic @bwbroersma> Opinions on HSTS Preload differ, there are substantial downsides as well, it depends on who you ask. It is not a mandatory or recommended open standard published on the "Pas Toe of Leg Uit"-lijst (comply or explain list for NL government, in dutch). There are reasons for that, which we have to weigh in also. |
What makes you say these should succeed? |
|
Thanks for the commit, @mxsasha
Without respecting the PSL, 3LD and 4LDs without their own DMARC policy set should make use of the DMARC policy set for the 2LD (gov.nl in these two cases). The error "Your DMARC policy is not syntactically correct." implies that was the case at the time. However, running the tests now (https://www.internet.nl/mail/economicdiplomacy.gov.nl/919744/#control-panel-8) shows the error "Your domain does not have a DMARC record". This indicates the PSL is respected. In that case the reported DMARC error is correct (both 3LD and 4LD tests should fail for this reason). TLDR; It looks like PSL handling has changed, both tests should fail now and correctly do so. PS: We'll add DMARC records to these subdomains soon, which will render these two subdomain test cases obsolete also. |
|
Any indication if/when this fix will be in production?
https://en.internet.nl/mail/gov.nl/1027065/#control-panel-9 https://internet.nl/mail/gov.nl/1027065/#control-panel-9 JvB |
|
I see this is fixed now... thanks! https://en.internet.nl/mail/gov.nl/1078340/#control-panel-9 [edit 20231127] The API testresult still shows a DMARC error JvB |
|
Yes, well spotted. The 'single test' server has been upgraded. Note that the allowance for the |
The currently experimental RFC9091 (https://datatracker.ietf.org/doc/rfc9091/) aims to improve DMARC functionality for domains published on the Public Suffix List (PSL, https://publicsuffix.org/), also known as Public Suffix Domains (PSD's). This RFC facilitates extending the curent DMARC spec, to be able to set policies for the special treatment of these PSD's, especially the non existing subdomains without their own DMARC record/policy.
The internet.nl email test currently marks these RFC9091 additions as errors, because "Your DMARC policy is not syntactically correct.". Despite indeed being a syntax validation of the DMARC1 spec, throwing an error when a DMARC record complies with the RFC9091 spec might not be the optimal test result. Imho, it would be better to validate ok, if RFC9091 is implemented correctly for a PSD. Perhaps with the information/disclaimer added, that experimental DMARC elements have been detected.
Example: gov.nl
The gov.nl domain is published on the PSL and the published DMARC record contains the experimental "np=reject" policy. DMARC test fails, see https://en.internet.nl/mail/gov.nl/868398/#control-panel-9.
JvB
The text was updated successfully, but these errors were encountered: