A brief history of TXT Records

When the Domain Name System was designed thirty years ago the concept behind it was pretty simple. It’s mostly just a distributed database that lets you map hostname / query-type pairs to values.
If you want to know the IP address of cnn.com, you look up {cnn.com, A} and get back a couple of IP addresses. If you want to know where to send mail for aol.com users, you look up {aol.com, MX} and you get a set of four hostname / preference pairs back. If you want to know the hostname for the IP address 206.190.36.45 you look up {45.36.190.206.in-addr.arpa, PTR} and get a hostname back.
There’s a well-defined meaning to each of those query types – A is for IP addresses, MX is for mailservers, PTR is for hostnames – and that was always the intent for how DNS should work.
When DNS was first standardized, though, there was one query type that didn’t really have any semantic meaning:

TXT RRs are used to hold descriptive text. The semantics of the text depends on the domain where it is found.

TXT records didn’t really have a use. Some domain owners used them to provide their contact information for the domain, and there were some funny messages scattered around, but that was about it.
Around the year 2000 email people started thinking about publishing data in the DNS. Email people are not the same as DNS people. To a DNS person the obviously correct way to do that would be to define a new query type, persuade people to agree on that definition and then make it a standard by publishing an RFC.
But email people have a long history of piling standards on top of other standards and deploying ad-hoc approaches (e.g. X-Headers, Uuencoding, PGP encapsulation and ascii armoring) without more than the bare minimum of agreement on the right way to do things. That approach helps with fast-yet-gradual deployment of new solutions, but also leads to a certain impatience with the bureaucracy of an actual standards development process.
“Just stick it in a TXT record!” became the rallying cry.
SPF was the first widely deployed protocol to do that. There was an attempt to migrate SPF from using TXT records to using a dedicated SPF record type, but given the deployed base of users already using TXT records it was doomed to failure.
Whenever someone is rolling out a new protocol that needs a domain owner to publish something – whether it’s something fairly standardized or pretty much ad-hoc – they tend to reach for a TXT record.
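An added example (not code from the original post) that models the DNS as the {name, type} to values database described above, using a constructed in-memory zone instead of real lookups. It shows the practical consequence of TXT having no type-level meaning: a client asking for {example.com, TXT} gets back records from several unrelated uses and has to recognise the SPF record by its content, reassembling the split strings and rejecting a domain that publishes more than one.

```python
# Added example, not from the original post. Constructed sample zone; real
# resolvers return the same shapes, but these values are made up.
from typing import Dict, List, Optional, Tuple

# TXT RDATA is a list of <character-string>s (each at most 255 bytes), so one
# logical record may arrive split into several pieces.
ZONE: Dict[Tuple[str, str], List] = {
    ("example.com", "A"):   ["192.0.2.10", "192.0.2.11"],
    ("example.com", "MX"):  [(10, "mx1.example.com"), (20, "mx2.example.com")],
    ("example.com", "TXT"): [
        ["Contact: hostmaster@example.com"],          # old-style descriptive text
        ["some-site-verification=abc123"],            # an ad-hoc token sharing TXT
        ["v=spf1 ip4:192.0.2.0/24 include:_spf.", "example.net -all"],  # SPF, split
    ],
}

def query(name: str, qtype: str, zone: Dict = ZONE) -> List:
    """Look up a {name, type} pair; an empty answer is an empty list."""
    return zone.get((name.lower(), qtype.upper()), [])

def txt_record_text(strings: List[str]) -> str:
    """RFC 7208 section 3.3: join a TXT record's strings with no separators."""
    return "".join(strings)

def is_spf(text: str) -> bool:
    """RFC 7208 section 4.5: the record must begin with the version section
    'v=spf1' terminated by a space or the end of the record, so 'v=spf10 ...'
    does not match. ABNF literals are case-insensitive, hence lower()."""
    return text.lower() == "v=spf1" or text.lower().startswith("v=spf1 ")

def find_spf(name: str, zone: Dict = ZONE) -> Optional[str]:
    """Return the domain's SPF record, None if it publishes none, and raise if
    it publishes more than one (RFC 7208 treats that as a permanent error)."""
    texts = (txt_record_text(s) for s in query(name, "TXT", zone))
    spf = [t for t in texts if is_spf(t)]
    if len(spf) > 1:
        raise ValueError(f"{name}: {len(spf)} v=spf1 records, expected at most one")
    return spf[0] if spf else None

if __name__ == "__main__":
    print(query("example.com", "A"))
    print(find_spf("example.com"))
```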
Some more things you need to know about TXT records on Monday.
