internetstandards / Internet.nl

Internet standards compliance test suite
https://internet.nl

a @www. subdomain without SPF -all can be handled better #1196

Open janwillemstegink opened 9 months ago

janwillemstegink commented 9 months ago

After testing carien.eu (from a company nearby) the links shown are:

Test direct: www.carien.eu
Test direct: @carien.eu

Please consider also showing such a @www link: @www.carien.eu

Note 1: DMARC reject combined with SPF -all turns DKIM gray.
Note 2: Relying on DMARC alone is not secure enough.

bwbroersma commented 8 months ago

Your point is that www. is not suggested for the mail test right?

Currently the www. case is handled here: https://github.com/internetstandards/Internet.nl/blob/f15c239c3303e61e928a189adacf144dab7cbe25/interface/views/domain.py#L73-L95 and here: https://github.com/internetstandards/Internet.nl/blob/f15c239c3303e61e928a189adacf144dab7cbe25/interface/views/mail.py#L73-L95

It is different in the sense that the mail test does not suggest the www. prefix, while the domain/web test does suggest the www. prefix. I think ideally the apex domain would be tested 'first' and then the 'non mailing' www., so maybe a different hint could be given, depending on if the current test is either the web/domain or mail test.

janwillemstegink commented 8 months ago

Subdomains are overlooked. Suggesting @www. for the mail test might help.

In the first web function after example.com, just @example.com is generated.

In the second mail function after @example.com, no @ link is generated.

dennisbaaten commented 8 months ago

I don't think we should suggest a @www. for the mail test. For web the suggestion of the prefix www (which is actually declining in usage) makes sense, but not in any other cases.

janwillemstegink commented 8 months ago

Dennis has a history with @www.internet.nl. Now we can direct users to safe subdomains.

bwbroersma commented 8 months ago

I agree with both: the main 'mail' domain to check is the apex domain; however, subdomains (like www, but especially CNAMEs) should also be configured correctly. A lot of the time SPF is not set up for anything other than the apex, resulting in an SPF neutral, in combination with a DKIM fail. Without DMARC sp=reject (p=reject isn't that common, update: ~, let alone sp=reject; sp= isn't set up that often as p=~; if p is not set to reject there should be a sp=reject) this would result in a domain that is spoof-able in many occasions, even if the apex scores a 100%. However I don't have an easy solution, but hinting *after* checking the apex to also check the subdomains would be preferable.

janwillemstegink commented 7 months ago

Subdomains may in some way get user attention. An apex domain can use a clear setup: v=DMARC1; p=reject; sp=reject; np=reject;

bwbroersma commented 7 months ago

If there is p=reject in the DMARC there is no need for sp=reject and np=reject (other than being explicit), see RFC 9091.
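As an added example (not part of this issue or of the Internet.nl code), the policy fallback the last two comments describe can be checked mechanically: given an apex DMARC record and a subdomain that publishes no SPF record and has no aligned DKIM signature, what disposition does a receiver apply? DNS is replaced by a constructed zone dict, and the `sp`/`np` fallback rules are taken from RFC 7489 and RFC 9091.

```python
"""Added example: DMARC disposition for spoofed mail from a subdomain whose
SPF result is 'none' (no record, RFC 7208) and whose DKIM check fails.
The zone dict below is a constructed stand-in for DNS lookups (assumption)."""

from typing import Dict, Optional, Tuple

# Constructed sample zone: only the apex publishes DMARC, and it weakens
# the subdomain policy with sp=none, the situation discussed in the thread.
ZONE: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into its tags (RFC 7489 section 6.3)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def find_dmarc(zone: Dict[str, str], from_domain: str,
               org_domain: str) -> Tuple[Optional[Dict[str, str]], bool]:
    """Receiver lookup order: the From: domain's own _dmarc record first,
    then the organizational domain's (RFC 7489 section 6.6.3).
    Returns (tags, used_org_record)."""
    own = zone.get(f"_dmarc.{from_domain}")
    if own is not None:
        return parse_dmarc(own), False
    org = zone.get(f"_dmarc.{org_domain}")
    if org is None:
        return None, True
    return parse_dmarc(org), True

def spoofed_mail_disposition(zone: Dict[str, str], from_domain: str,
                             org_domain: str, subdomain_exists: bool = True) -> str:
    """'reject', 'quarantine' or 'none' for a message that passes neither
    SPF nor aligned DKIM, so the DMARC policy alone decides its fate."""
    tags, used_org = find_dmarc(zone, from_domain, org_domain)
    if tags is None:
        return "none"        # no DMARC anywhere: delivered as-is
    policy = tags.get("p", "none")  # missing p is invalid; treat as none
    if not used_org:
        return policy        # the From: domain's own record applies
    # Subdomain covered by the organizational record: sp overrides p,
    # and np (RFC 9091) overrides sp only for non-existent subdomains.
    sub_policy = tags.get("sp", policy)
    if not subdomain_exists:
        return tags.get("np", sub_policy)
    return sub_policy
```

With the sample zone, mail from example.com itself is rejected while mail from www.example.com is delivered, which is the gap the thread describes; a plain `v=DMARC1; p=reject` with no `sp`/`np` tags already covers both, as the last comment states.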