nethubonline
TITLE
Plesk DMARC checker parses invalid TXT records that do not start with "v=DMARC1;" - deviates from RFC 7489
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Obsidian Web Host Edition 18.0.75
AlmaLinux 9.7
Postfix + Dovecot, DMARC checking enabled (Tools & Settings → Mail → Enable DMARC to check incoming mail)
PROBLEM DESCRIPTION
When a domain has multiple TXT records at _dmarc.domain.com and one (or more) of them does not start with v=DMARC1;, Plesk's DMARC filter still tries to parse the invalid record(s). This leads to syntax errors even though a perfectly valid DMARC record also exists.
Example DNS records:
_dmarc.example.com. TXT "v=DMARC1; p=reject; sp=reject"
_dmarc.example.com. TXT "somerandomstring v=DMARC1"
Observed error in /var/log/maillog:
dmarc[...]: Wrong the essential DMARC policy parameters for 'example.com': 'Found DMARC record lacked a required p= entry'
Result: legitimate incoming (or even local) mail gets rejected because of the garbage record.
According to RFC 7489 §6.6.3 (Policy Discovery):
"Records that do not start with a "v=" tag that identifies the current version of DMARC are discarded."
reference: RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC)
STEPS TO REPRODUCE
- Add two TXT records to a test domain's _dmarc subdomain:
Valid: "v=DMARC1; p=reject; sp=reject"
Invalid (no leading v=): "randomtext v=DMARC1"
- Enable DMARC checking in Plesk for another domain.
- Send a few emails from the test domain to the domain with DMARC checking enabled.
- Observe error in maillog from the invalid record.
ACTUAL RESULT
Plesk sometimes tries to parse the invalid record (the one without leading v=DMARC1).
Please log this as a bug in the Plesk DMARC integration and prioritize aligning the behavior with the RFC.
EXPECTED RESULT
- Discard anything not starting with v=DMARC1.
- Use the one valid record if it exists.
- No policy applied only if zero or multiple valid records.
ANY ADDITIONAL INFORMATION
(DID NOT ANSWER QUESTION)
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM
Confirm bug
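The filtering step this report asks for, as an added example (not part of the original post and not Plesk's code). The function names and status strings are hypothetical; the organizational-domain fallback and the RFC's rua-based fallback for a missing p= tag are left out.

```python
import re

# A TXT record counts as DMARC only if it begins with the version tag.
# Whitespace around "=" is tolerated, as the RFC 7489 ABNF allows.
_VERSION = re.compile(r"v[ \t]*=[ \t]*DMARC1[ \t]*(;|$)")

# The two records from the report above.
PAGE_RRSET = [
    "v=DMARC1; p=reject; sp=reject",
    "somerandomstring v=DMARC1",
]


def parse_tags(record):
    """Split 'k=v; k=v' into a dict; fragments without '=' are skipped."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def discover_policy(txt_records):
    """Return (status, tags) for the TXT RRset found at _dmarc.<domain>.

    status: 'policy'    exactly one DMARC record with a valid p= tag
            'none'      no record starts with v=DMARC1
            'ambiguous' more than one record starts with v=DMARC1
            'invalid'   the single DMARC record has no valid p= tag
    """
    # Discard non-DMARC records first, so they are never parsed for tags.
    candidates = [r for r in txt_records if _VERSION.match(r)]
    if not candidates:
        return "none", None
    if len(candidates) > 1:
        return "ambiguous", None
    tags = parse_tags(candidates[0])
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return "invalid", tags  # rua-based fallback from the RFC omitted
    return "policy", tags


if __name__ == "__main__":
    print(discover_policy(PAGE_RRSET))
```

Because the garbage record is dropped before any tag parsing, the "lacked a required p= entry" error can only come from a record that actually starts with v=DMARC1.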