Wildcard DMARC report destination #261

kazet opened this issue Jul 31, 2024 · 1 comment

Comments

@kazet

kazet commented Jul 31, 2024

Hello,

The RFC says that:

A Report Receiver that is willing to receive reports for any domain can use a wildcard DNS record. For example, a TXT resource
record at "*._report._dmarc.example.com" containing at least "v=DMARC1" confirms that example.com is willing to receive DMARC reports for any domain.

There are two possible interpretations of this paragraph. One is that to allow receiving reports from all domains the recipient domain should add a wildcard DNS record (not with a literal asterisk in the domain name) so that a query for any domain under _report._dmarc will return the same.

The second interpretation is that a DNS record with a literal asterisk should be added. Opendmarc (and checkdmarc) is checking for a domain with a literal asterisk. Are you sure this is a correct behavior?

@thegushi
Collaborator

thegushi commented May 5, 2025

So we're clear, you're talking about RFC 7489, Section 7.1, steps 1-3.

Here's an example for isc.org, which uses dmarcian as its reporting collector:

# dig +short _dmarc.isc.org TXT
"v=DMARC1; p=none; sp=reject; rua=mailto:[email protected]; ruf=mailto:[email protected], mailto:[email protected]; fo=1;"
# dig +short isc.org._report._dmarc.fr.dmarcian.com TXT
"v=DMARC1;"
# dig +short \*._report._dmarc.fr.dmarcian.com TXT
"v=DMARC1;"

I see what you're talking about, in line 689 of libopendmarc/opendmarc_policy.c -- note that this happens only after we do the query for the real name (on about line 639, where we return on line 674 if we get success).

There's no way in DNS to tell if a wildcard is the reason for a synthesized domain name (at least without dnssec). The answer you get in response to a wildcard record will be the same whether your answer was generated by way of either a wildcard record, or a properly-existing text record.

It feels like the literal wildcard lookup is a single last-ditch effort to check for, perhaps, the existence of a wildcard record where the authoritative server is not properly returning wildcard answers. Per my reading of the RFC, we shouldn't be doing this at all, but we also don't log when we do it, so I'm loathe to rip it out.

My question is: are you seeing any actual breakage here as a result of this check (modulo minor extra DNS queries)?
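The lookup sequence the thread is discussing, as an added example that is not opendmarc's or checkdmarc's own code: the RFC 7489 Section 7.1 check of `<domain>._report._dmarc.<receiver>`, followed by the optional literal `*` query. DNS is replaced by a constructed in-memory zone so it runs offline; the receiver names `rcv.example` and `literal.example` are hypothetical.

```python
from typing import Callable, Dict, List, Optional

# Constructed zone (hypothetical names). rcv.example publishes a real DNS
# wildcard, so any <domain>._report._dmarc.rcv.example is synthesized by the
# resolver stub below. literal.example models an authoritative server that
# holds the "*" owner name but does not expand it into wildcard answers.
CONSTRUCTED_ZONE: Dict[str, List[str]] = {
    "*._report._dmarc.rcv.example": ["v=DMARC1;"],
    "*._report._dmarc.literal.example": ["v=DMARC1;"],
}


def mock_resolve_txt(name: str) -> List[str]:
    """Stand-in for a TXT lookup against CONSTRUCTED_ZONE.

    Exact owner names win; otherwise a '*' entry at any label depth matches,
    as a wildcard would (closest-encloser subtleties ignored), except under
    literal.example, which deliberately never synthesizes wildcard answers.
    """
    if name in CONSTRUCTED_ZONE:
        return CONSTRUCTED_ZONE[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in CONSTRUCTED_ZONE and not wildcard.endswith("literal.example"):
            return CONSTRUCTED_ZONE[wildcard]
    return []


def has_dmarc_tag(txts: List[str]) -> bool:
    """RFC 7489 7.1 only requires the record to contain at least v=DMARC1."""
    return any(t.strip().lower().startswith("v=dmarc1") for t in txts)


def report_destination_allowed(
    sender_domain: str,
    receiver_domain: str,
    resolve_txt: Callable[[str], List[str]] = mock_resolve_txt,
    literal_wildcard_fallback: bool = False,
) -> Optional[str]:
    """Return the owner name that authorised the destination, or None.

    The first query is the RFC 7489 check; a server with a DNS wildcard answers
    it without any literal '*' being queried. The fallback reproduces the extra
    literal "*" lookup described in the issue, which the RFC does not require.
    """
    name = f"{sender_domain}._report._dmarc.{receiver_domain}"
    if has_dmarc_tag(resolve_txt(name)):
        return name
    if literal_wildcard_fallback:
        name = f"*._report._dmarc.{receiver_domain}"
        if has_dmarc_tag(resolve_txt(name)):
            return name
    return None
```

With the fallback disabled, `literal.example` is rejected even though its zone contains the `*` record, which is the only situation in which the extra query changes the outcome.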
