dmarc-lookup wrongly concatenates DNS records #72

Open

mimi89999 opened this issue Jan 14, 2025 · 0 comments

@mimi89999 (Contributor)
Hello,
I noticed that when a domain has multiple TXT records on the _dmarc subdomain like:

;; ANSWER SECTION:
_dmarc.bydgoszcz.wsa.gov.pl. 3600 IN	CNAME	bydgoszcz.wsa.gov.pl.
bydgoszcz.wsa.gov.pl.	3600	IN	TXT	"v=DMARC1; p=quarantine; rua=mailto:[email protected]"
bydgoszcz.wsa.gov.pl.	3600	IN	TXT	"pX3i6iYSKd77WMie73PT5pW/guHjaXgOeZ7j3u6HbvjILYuAoNP6roZJ3iTeg6RLafnNVLI63q+hLYsHb5XEvNTVspMvFWKlFrxmGwvVmog1ncUgSyZ2/2pTlziCta36ZrxFSc0wIDAQAB"
bydgoszcz.wsa.gov.pl.	3600	IN	TXT	"v=spf1 ip4:194.181.28.4 ip4:195.117.224.231 a mx -all"
bydgoszcz.wsa.gov.pl.	3600	IN	TXT	"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt5+U2+iqKWH/OL1OhMvwZxUTiNzmzP9WPTwmpSUzQ2upuksWIBqIDzj6RsOQ4a0T7y6yKiM4q09KQMqVak1l0B9qIFG6aGiJudQOqAP3Mm4TNiLtqo9T70Ev9oH5eqHsRPuteLrTTV423+WXlrzdROTgAjA3IyjRSN5Sw8R00ueE1SGmK2d4DbPImhjzeqVoKihZVwRfEjY9" "tH"

dmarc-lookup will concatenate the records and the results will depend on the order in which the records were received:

michel@debian:~$ dmarc-lookup bydgoszcz.wsa.gov.pl
2025/01/14 22:38:12 dmarc: unsupported DMARC version
michel@debian:~$ dmarc-lookup bydgoszcz.wsa.gov.pl
2025/01/14 22:38:13 &dmarc.Record{DKIMAlignment:"r", SPFAlignment:"r", FailureOptions:0, Policy:"quarantine", Percent:(*int)(nil), ReportFormat:[]dmarc.ReportFormat(nil), ReportInterval:0, ReportURIAggregate:[]string{"mailto:[email protected]=spf1 ip4:194.181.28.4 ip4:195.117.224.231 a mx -allp=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt5+U2+iqKWH/OL1OhMvwZxUTiNzmzP9WPTwmpSUzQ2upuksWIBqIDzj6RsOQ4a0T7y6yKiM4q09KQMqVak1l0B9qIFG6aGiJudQOqAP3Mm4TNiLtqo9T70Ev9oH5eqHsRPuteLrTTV423+WXlrzdROTgAjA3IyjRSN5Sw8R00ueE1SGmK2d4DbPImhjzeqVoKihZVwRfEjY9tHpX3i6iYSKd77WMie73PT5pW/guHjaXgOeZ7j3u6HbvjILYuAoNP6roZJ3iTeg6RLafnNVLI63q+hLYsHb5XEvNTVspMvFWKlFrxmGwvVmog1ncUgSyZ2/2pTlziCta36ZrxFSc0wIDAQAB"}, ReportURIFailure:[]string(nil), SubdomainPolicy:""}

The RFC states that:

Per [DNS], a TXT record can comprise several "character-string"
objects. Where this is the case, the module performing DMARC
evaluation MUST concatenate these strings by joining together the
objects in order and parsing the result as a single string.

I believe that it means concatenating several character strings that are only in one record like in:

;; ANSWER SECTION:
mail2._domainkey.lebihan.pl. 300 IN	TXT	"v=DKIM1; h=sha256; k=rsa; s=email; p=MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAriPnDqY37/IEeo1IXDTIcYGx1zMlB1a5YFquE1sd0ic1pfApA1SkYctwtEi0BlrIs6avdTnOnh+Dg2ci6qYTdWNlkwGjnYvNvg5nUVz6D0e4GlFWwqdl/AsKhd+gfUoD9jgE+D4wlu7HFnJ+PJf0qTOLoBztCg5CqoB+wRPV5+Er3+" "WONgtSjP+9BR75V81Lyo7kWpH+ay0MFMD/yANkwcroZ0dwoUVmW/J6w7oC2IvsN1dcBR3cFwZj1kgm+bzyDJBmWUkFLgO7C8yHW6V7wuTHiUwsEHTrbH6nW8tzQUG//Rmlgn4M7FJJqE1PuckJSsvc0hB3RLshg8glTED3svWP8jEV4j+IRCMr6YGZDXytkO6Qqa/SDLt9dlLlPh21Mcb9MqIzrF2iy7xxozN1zBqbwTRWz++7t6XpwoJn8HG/j" "wF+eQSUG0pYI6pDXRBB0xJI7a2l3Iy2f41wL1a+Ofm7YwvWdezdlrpnT84yZCnPmuBrzgz2JTd/t3yv0Cm44xNOTvNrJDAvMHnfEof+40K4HOX1OjbFgKMQcjhUQ7tQFk/gvzxh9wmeQ/dInmhpxYs+g4TW4srYGl0Vo0NtfOc02qd78vodNDitU632DOns1BFImpvNLc4qGozsvB1PZWyMirji0bj5oFqql3OZwihRdUtT1Uy5d4/oGIW+HwkC" "AwEAAQ=="

where a string was split.

Section 6.6.3. Policy Discovery explains how results with multiple records should be treated:

  1. Mail Receivers MUST query the DNS for a DMARC TXT record at the
     DNS domain matching the one found in the RFC5322.From domain in
     the message. A possibly empty set of records is returned.
  2. Records that do not start with a "v=" tag that identifies the
     current version of DMARC are discarded.
  3. If the set is now empty, the Mail Receiver MUST query the DNS for
     a DMARC TXT record at the DNS domain matching the Organizational
     Domain in place of the RFC5322.From domain in the message (if
     different). This record can contain policy to be asserted for
     subdomains of the Organizational Domain. A possibly empty set of
     records is returned.
  4. Records that do not start with a "v=" tag that identifies the
     current version of DMARC are discarded.
  5. If the remaining set contains multiple records or no records,
     policy discovery terminates and DMARC processing is not applied
     to this message.

I will contribute a fix for this issue.
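As an added example (not the issue author's fix and not go-msgauth's code), the selection logic the quoted RFC 7489 §6.6.3 steps describe: character-strings are joined only within a single TXT RR, records that do not start with the DMARC version tag are dropped, and anything other than exactly one survivor terminates discovery instead of depending on answer order. The sample records are modelled on the dig output above, with the rua address and the key material replaced by placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// TXTRecord is one DNS TXT RR, kept as its list of "character-string"
// objects (a long value such as a DKIM key is split into several).
type TXTRecord []string

// ErrNoPolicy is returned when, after filtering, zero or more than one
// DMARC record remains (RFC 7489 §6.6.3 step 5: discovery terminates).
var ErrNoPolicy = errors.New("dmarc: zero or multiple DMARC records")

// SelectDMARCRecord joins the character-strings within each record (the
// MUST from RFC 7489 §6.6.3), discards records that do not start with the
// DMARC version tag, and returns the single survivor. It never joins
// across records, so the result does not depend on the DNS answer order.
func SelectDMARCRecord(rrs []TXTRecord) (string, error) {
	var found []string
	for _, rr := range rrs {
		joined := strings.Join(rr, "") // join only inside this one RR
		if strings.HasPrefix(joined, "v=DMARC1") {
			found = append(found, joined)
		}
	}
	if len(found) != 1 {
		return "", ErrNoPolicy
	}
	return found[0], nil
}

// exampleRRs mirrors the zone in the issue; the rua address and the
// key material are placeholders, not the real values.
var exampleRRs = []TXTRecord{
	{"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"},
	{"v=spf1 ip4:194.181.28.4 ip4:195.117.224.231 a mx -all"},
	{"p=MIIBIjANBgkqhkiG9w0BAQEF_PLACEHOLDER_", "tH"}, // one RR, two strings
	{"pX3i6iYSK_PLACEHOLDER_IDAQAB"},
}

func main() {
	rev := make([]TXTRecord, len(exampleRRs)) // reversed answer order
	for i, rr := range exampleRRs {
		rev[len(rev)-1-i] = rr
	}
	a, _ := SelectDMARCRecord(exampleRRs)
	b, _ := SelectDMARCRecord(rev)
	fmt.Println(a == b, a) // true, the DMARC record regardless of order
}
```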

mimi89999 added a commit to mimi89999/go-msgauth that referenced this issue Jan 15, 2025