[Mailman-Users] DNS error behaviour with DMARC

Barry S. Finkel bsfinkel at att.net
Wed Aug 27 20:54:56 CEST 2014


On 8/27/2014 10:54 AM, Jeff White wrote:
> With dmarc_moderation_notice set to anything but "Accept" Mailman will
> do a DNS query for every message that comes in and check the DMARC
> record of the sending domain.  I have two questions regarding this:
>
> 1. Has anyone on this list noticed any performance issues with the
> overhead this adds?  I doubt there is anything noticeable but curious if
> anyone has seen any issue.
>
> 2. What is Mailman's behaviour if the query fails (e.g. times out)?
> Defaults.py says:
>
> # Parameters for DMARC DNS lookups. If you are seeing 'DNSException:
> # Unable to query DMARC policy ...' entries in your error log, you may need
> # to adjust these.
> # The time to wait for a response from a name server before timeout.
> DMARC_RESOLVER_TIMEOUT = seconds(3)
> # The total time to spend trying to get an answer to the question.
> DMARC_RESOLVER_LIFETIME = seconds(5)
>
> ... but what happens to the post when DNSException is thrown?  Is the
> message rejected and a bounce sent to the poster?  Is it re-queued and
> tried again?  If so when does Mailman give up?  Does Mailman simply
> shunt the post and throw an error?
>
>
> If someone can point me to the file that holds this code I can review it
> and report what the behaviour is.
>

As for item 1 - What is your DNS setup?  If the Mailman server has a
caching-only name server on the same box (and it is good to do so),
or if the Mailman server is contacting a local DNS server for DNS
resolution, then the local DNS server should have the information
cached (for a TTL determined by the owner of the DNS record), so DNS
traffic should be minimal.  I assume that the owner of a DMARC record
in DNS will place an appropriate TTL on the record so that the record
will remain in a DNS cache for a time that will limit the number of
DNS requests back to the master DNS server.  A domain owner should
have multiple DNS servers so that one is always accessible for queries.

--Barry Finkel
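Added example, not part of the original post and not Mailman's code: a small Python model of the caching-only resolver described in the reply, showing how a record's TTL bounds the number of upstream DMARC queries and how a lookup timeout surfaces to the caller. The zone data, the class and function names, and the "unknown" return value are constructed for illustration; what Mailman itself does on DNSException is not modeled.

```python
import time

class LookupTimeout(Exception):
    """Raised when no name server answers within the resolver's time limit."""

# Constructed records: name -> (TTL in seconds, TXT value). Not real DNS data.
ZONE = {
    "_dmarc.example.com": (300, "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    "_dmarc.example.org": (60, "v=DMARC1; p=none"),
}

class StubUpstream:
    """Stands in for the domain owner's name servers and counts queries received."""
    def __init__(self, zone, unreachable=()):
        self.zone, self.unreachable, self.queries = zone, set(unreachable), 0

    def query_txt(self, name):
        self.queries += 1
        if name in self.unreachable:
            raise LookupTimeout(name)
        return self.zone.get(name)  # None models "no such record"

class CachingResolver:
    """Caching-only resolver: answers from cache until the record's TTL expires."""
    def __init__(self, upstream, clock=time.monotonic):
        self.upstream, self.clock, self.cache = upstream, clock, {}

    def txt(self, name):
        hit = self.cache.get(name)
        if hit and hit[0] > self.clock():
            return hit[1]
        answer = self.upstream.query_txt(name)  # may raise LookupTimeout
        if answer is None:
            return None  # negative caching is not modeled here
        ttl, value = answer
        self.cache[name] = (self.clock() + ttl, value)
        return value

def dmarc_policy(resolver, from_domain):
    """Return the p= value, None if there is no DMARC record, 'unknown' on timeout."""
    try:
        txt = resolver.txt("_dmarc." + from_domain)
    except LookupTimeout:
        return "unknown"  # assumption: the caller decides how to treat the post
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    return tags.get("p", "").strip().lower() or None
```

With a 300-second TTL, any number of posts from the same domain inside that window costs one upstream query; a timeout is not cached, so each post from an unreachable domain triggers a fresh lookup.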

