Summary
All nine filter tests in opendmarc/tests/ make live DNS queries to external domains as part of their test logic. Five of them hardcode paypal.com as the From domain and rely on it publishing a p=reject DMARC policy. One test (t-verify-nodata.lua) even documents this assumption with the comment:
-- As of 7/1/2012, paypal.com advertises a "p=reject" DMARC policy
That assumption is now 14 years old. If paypal.com changes their DMARC policy (or if DNS is unavailable in CI), the tests break for reasons entirely unrelated to our code.
Affected tests and their DNS dependencies
| Test |
Domain |
What it assumes |
t-verify-nodata |
paypal.com |
p=reject DMARC policy |
t-verify-nodata-reject |
paypal.com |
p=reject DMARC policy |
t-verify-multi-from-reject |
paypal.com |
DMARC record exists |
t-verify-multi-from-malformed |
paypal.com |
DMARC record exists |
t-verify-unspec |
paypal.com |
DMARC record exists |
t-verify-received-spf-good |
trusteddomain.org |
DMARC record exists |
t-verify-received-spf-bad |
trusteddomain.org |
DMARC record exists |
t-verify-authservid-jobid |
trusteddomain.org |
DMARC record exists |
t-verify-self-spf |
trusteddomain.org |
SPF record fails for 66.220.149.251 |
The trusteddomain.org tests are more stable since we control that domain. The paypal.com tests are the fragile ones.
Fix
libopendmarc exposes opendmarc_dns_fake_record() specifically for injecting DNS responses in tests. The filter tests should use this (or a test-only config option) to supply a known DMARC record for a placeholder domain (e.g. test.example) rather than querying a live external domain.
This would also make the tests runnable in network-isolated environments (containers, some CI setups).
Summary
All nine filter tests in
opendmarc/tests/make live DNS queries to external domains as part of their test logic. Five of them hardcodepaypal.comas the From domain and rely on it publishing ap=rejectDMARC policy. One test (t-verify-nodata.lua) even documents this assumption with the comment:-- As of 7/1/2012, paypal.com advertises a "p=reject" DMARC policyThat assumption is now 14 years old. If paypal.com changes their DMARC policy (or if DNS is unavailable in CI), the tests break for reasons entirely unrelated to our code.
Affected tests and their DNS dependencies
t-verify-nodatapaypal.comp=rejectDMARC policyt-verify-nodata-rejectpaypal.comp=rejectDMARC policyt-verify-multi-from-rejectpaypal.comt-verify-multi-from-malformedpaypal.comt-verify-unspecpaypal.comt-verify-received-spf-goodtrusteddomain.orgt-verify-received-spf-badtrusteddomain.orgt-verify-authservid-jobidtrusteddomain.orgt-verify-self-spftrusteddomain.orgThe
trusteddomain.orgtests are more stable since we control that domain. Thepaypal.comtests are the fragile ones.Fix
libopendmarcexposesopendmarc_dns_fake_record()specifically for injecting DNS responses in tests. The filter tests should use this (or a test-only config option) to supply a known DMARC record for a placeholder domain (e.g.test.example) rather than querying a live external domain.This would also make the tests runnable in network-isolated environments (containers, some CI setups).