Punicode domain — DMARC Management Bug

General Email Routing
1

Having punicode domain, try to enable Email service and add DMARC policy. Even if _dmarc record is added in DNS section, DMARC Management section shows N/A status & emails Delivery Failed.

Steps to reproduce:

  1. Add punicode domain to Account
  2. Enable Email Routing
  3. Add Custom addresses
  4. Go to: DMARC Management
  5. See alert: There’s no default RUA found in your DMARC record. You may not receive reports with this configuration
  6. Hit the link: Fix record
  7. See default configuration & accept it clicking “Add” button
  8. Still see alert “There’s no default RUA found in your DMARC record” in DMARC Management section
  9. Send email to your address
  10. Catch Delivery Failed with message: Unknown error: permanent error (550): 5.7.1 [104.30.8.73 12] Our system has detected that this message is5.7.1 likely unsolicited mail. To reduce the amount of spam sent to Gmail,5.7.1 this message has been blocked.

Proof of Concept: brizing .com/hlam/dmarc-bug.mov

Screenshot 2023-08-19 at 11.37.12 AM
Screenshot 2023-08-19 at 11.37.12 AM2198×816 69.3 KB

4

Screenshot 2023-08-19 at 11.36.45 AM
Screenshot 2023-08-19 at 11.36.45 AM2162×1208 260 KB

5

Screenshot 2023-08-19 at 11.38.03 AM
Screenshot 2023-08-19 at 11.38.03 AM2150×1340 350 KB

6

How to send a bug to the developers?

7

Hi @ser.artuh can you confirm that the record is visible via a third-party DNS lookup tool? If it is, can you submit the bug here,

8

Yes, visible at nslookup io

image
image2880×678 79 KB

I already sent report on HackerOne, they didn’t accept it because the bug doesn’t affect security

9

image
image1154×702 59.8 KB

1 Like
10

How to send a bug to the developers?

1 Like
11

The link in the image has more details, but if you can share the steps to reproduce on an account ticket and share that ticket number here we’ll flag it for our colleagues. Go here to file an account ticket, https://dash.cloudflare.com/?to=/:account/support

2 Likes
12

Finally found how to create ticket 2928813.
Since I’m using a free tier, the ticket was automatically closed :slightly_frowning_face:

2 Likes
13

The question is relevant

14

@ser.artuh - I just hit the very same issue just now.

What cloudflare says:
image

What the record looks like:
image

The “fix” for this is to remove the quotes that wrap the DMARC record. I did this and the error went away immediately. Here’s what my record looks like now:
image

Obviously a bug in cloudflare itself, because the record that it complains about being incorrect is added by the wizard itself.

Just remove the " and yo’ure good.

15

image
image2060×282 28.4 KB

I don’t have and never had quotes.
The problem is urgent.
The problem occurs only with domains with punycode.

16

I was able to repeat your case. If I delete the record and have it generated by the system, it is surrounded by quotes.
If this bugs anyone, please note this.
However, the bug from this topic has other problems — with or without quotes, the _dmarc record in punycode domain is not visible by the “DMARC Management” section.

I keep trying to reopen ticket 2928813, they keep generating some absurd autoresponder.
My God, finally accept the bug report :person_facepalming:

17

I don’t think it’s just a Punicode issue. I am having the same issue with the with my domains:

 % dig @1.1.1.1 TXT _dmarc.dudas.win

; <<>> DiG 9.10.6 <<>> @1.1.1.1 TXT _dmarc.dudas.win
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25158
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;_dmarc.dudas.win.		IN	TXT

;; ANSWER SECTION:
_dmarc.dudas.win.	300	IN	TXT	"v=DMARC1;  p=none; rua=mailto:[email protected]"

;; Query time: 56 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Sep 21 12:41:57 BST 2023
;; MSG SIZE  rcvd: 149

I get the same error as you and also on other domains. Not sure if the error is actually stopping functionality though.

18

image
image2146×978 168 KB

With this setup i have error:

Message not delivered

There was a problem delivering your message to **********. See the technical details below, or try resending in a few minutes.

19

image
image1234×580 36.7 KB

Such an error… This error occurs only with domains that have the banner “There’s no default RUA found in your DMARC record. You may not receive reports with this configuration. Fix record.” in the “DMARC Management” section.
In my case, only punicod domains, because in the rest of the domains I press the button “Fix record” and everything is configured.

20

image
image2216×984 210 KB

I also see the Activity log. Delivery Failed because no dmarc rule is applied to the email being checked.

21

The ticket shows as open, I added myself to it in order to track and adjusted so that it would get routed to the correct team. I’ll keep an eye on it.

2 Likes
22

Hi @ser.artuh,

2928813

Ticket is being worked on with Engineering.
Real time update on Engineering Team:

IMG_1995
IMG_19951920×1440 130 KB

On a more serious note, Support (I have it assigned to me atm) will update you when there is a resolution.

Thank you.

4 Likes