Feature request: add a test on bogus subdomain

[mktl73]

Most users are going to (only) check their primary domain (domain.tld)
Could be interesting to add a test on a bogus subdomain (random.doamin.tld) in order to ensure the configuration is correct and that a non-existing subdomain cannot be misused for impersonation

[bwbroersma]

Bogus in the term of DNSSEC?
Or giving an invalid TLS certificate instead of unrecognized_name error? (see https://datatracker.ietf.org/doc/html/rfc8446#page-90)
Or a CNAME on the subdomain to the apex, so the subdomain also has an MX (which is not always an error, but mostly is).

Wonder what your though is.

[mktl73]

I was thinking of misusing a host as a subdomain. For example trying to use @www.internet.nl
The objective would be to ensure that the DMARC policy does cover all subdomains (so not having sp=none) and that SPF and/or DKIM will enforce a DMARC alignment failure. This could be seen as ensuring that SPF has a wildcard DNS entry.
Does this make sense?

[apio-sys]

The idea is interesting indeed. But I think this could be handled by the "normal" DMARC check. If no SP param is provided, all subdomains (without their own explicit policies, hence covers "bogus" sub-domains), then they would all inherit from their parent domain. That is the same as using sp=reject. But what could be nice to add in the check is verifying if an sp=none parameter is present and that could trigger an alert/warning to state that subdomains, including bogus ones are not protected properly. As far as I can see, that param does not trigger an alert and passes the test as sufficiently strict. Just tested this on a test domain of mine here on which I have set sp=none here: https://internet.nl/mail/apio.ovh/1472828/#control-panel-9 and I'm getting all good. If we would check this and maybe add a warning that would cover this case rather then running a separate test on a random domain domain, right @mktl73 ?

[bwbroersma]

I agree sp=none should at least produce a ⚠️ warning.

[mktl73]

Adding a warning if sp=none would be great ... but is it enough?
Let's imagine you only have p=reject (or have explicitly added sp=reject) but no DNS reply for SPF and DKIM on that bogus domain. I believe the MTA will do a DMARC skip has not having any valuable input to do the alignment check.

[apio-sys]

@mktl73 I you were to test on a bogus subdomain, you would never get the SPF/DKIM reply. So the sp=reject (or it's absence) will protect that subdomain. I think it would be enough with this warning added. But maybe I'm missing your point. Please suggest a better approach if needed.

[mktl73]

I believe it depends if you have a wildcard entry for SPF or not.
Example with www.internet.nl
;; QUESTION SECTION:
;www.internet.nl. IN TXT

;; ANSWER SECTION:
www.internet.nl. 3600 IN TXT "v=spf1 -all"

Here, I believe the SPF response comes from a wildcard and therefore DMARC can be checked and will prevent misuse. This is the kind of test I would be adding.

[bwbroersma]

The www is there for CNAME-purposes (CNAME to apex would include the MX to the subdomains).

$ dig +noall +answer en.internet.nl AAAA

en.internet.nl.		3600	IN	CNAME	www.internet.nl.
www.internet.nl.	3600	IN	AAAA	2a00:d00:ff:162:62:204:66:10

Although a wildcard below the apex is present:

$ dig +noall +answer a.internet.nl TXT

a.internet.nl.		3600	IN	TXT	"v=spf1 -all"

But it's actually (not yet) created below other subdomains, e.g. the www label:

$ dig +noall +comment +answer a.www.internet.nl TXT

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4580
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232

[mktl73]

Don't focus specifically on www
I do understand that the main focus of the test is to assess the MTA(s) security and to improve the overall security by enhancing the MTA configuration and usage of security mechanism.
However, most of these mechanism can also prevent impersonation and this is what I am trying to improve
This would mean that all use cases should be identified and then checked to ensure they are covered by SPF, DKIM and/or DMARC
What I see is:
@domain.tld
@subdomain.domain.tld where subdomain is a delegated zone (so with its own SOA, NS ...)
@subdomain.domain.tld where subdomain is defined as a host
@host.domain.tld where you misuse an existing host entry as a subdomain
@non_exisiting_host.domain.tld
@something.level2.level3...leveln.domain.tld

DMARC will cover all if only used with p= or with a strict sp=
But then, it still relies on SPF and DKIM and this is would I would further check

[apio-sys]

Agreed Martin @mktl73. In that case, the check could be:

• Do you have a proper sp configuration in DMARC. I.e. either sp=reject or param not defined which has the same result. In my case I have:

dig -t TXT _dmarc.apio.systems
_dmarc.apio.systems.	3600	IN	TXT	"v=DMARC1; p=reject; pct=100; rua=mailto:re+qqqrwmpw1pu@dmarc.postmarkapp.com; sp=reject; aspf=r;"

• In combination with, do you have a proper wildcard SPF, in my case:

dig -t TXT *.apio.systems
*.apio.systems.		3600	IN	TXT	"v=spf1 -all"

So here all subdomains including bogus ones are covered. You don't have to retest test.bogus.apio.systems which doesn't exist, since it will give the same SPF answer anyway. I could add a wildcard for DKIM as well (for instance *._domainkey.apio.systems. "v=DKIM1; p=")which I usually only do on parked domains not supposed to send email at all.

Is this closer to what you suggest? In which case it could be added to existing DMARC and SPF tests (maybe as recommended option just displaying a warning)?