tptacek incoming in 3...2...1...
I feel like we need the angry goose meme here.
"But why are those providers returning incorrect data?"
In this case, because they decided actually implementing the protocol they were supposed to be implementing didn't work for their hacky design, so they hacked together a series of Good Enough workarounds.
These cloud companies are the Microsoft Internet Explorer of DNS service but unlike IE6 they're considered cool enough that they're tolerated.
The solution is simple: if you want to use this DMARC feature then don't host with companies that do weird stuff with NXDOMAIN.
This seems like a major design flaw in DNSSEC, if so.
(I don’t have an opinion on whether Cloudflare or whoever else is a good participant in the DNS.)
But it seems odd that www.company.com should be considered present for this purpose even if it has no MX records. And if I want to send from noreply.company.com, then setting some unrelated DNS record type there to prevent it from being “not present” seems like a giant kludge.
And lots of domains have subdomains that are intended for some non-email purpose (api.company.com or whatever), and those shouldn’t be allowed without further policy. Nor should (technically invalid for SMTP but maybe allowed anyway) delights like _dmarc.company.com itself.
Why didn’t the DMARC spec say that a domain is “not present” if it lacks MX records?
That doesn't match the SMTP spec; RFC 5321 says:
> If an empty list of MXs is returned, the address is treated as if it was associated with an implicit MX RR, with a preference of 0, pointing to that host.
MX implies a domain can receive email, you don't need it to send email. A setup where company.example sends email from companymailings.example but sets a reply-to for support@company.example is perfectly valid (even if it's stupid and confusing). Plus there's that weird legacy behaviour of mail servers delivering to port 25 to the IP in the A record if MX records are missing.
So shouldn’t this be done explicitly by setting a policy at _dmarc.companymailings.example instead of implicitly by setting an otherwise entirely useless record (of type A? some unused TXT variant?) at companymailings.example?
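To make the disagreement above concrete, here is an added example (not from any commenter, and not from any DNS provider's code) that models the two rules being argued over against a constructed zone: the DMARC "non-existent domain" test, which I take from RFC 9091's definition (a name is non-existent only if A, AAAA and MX all answer NXDOMAIN or NODATA; the thread does not cite that RFC, so treat the attribution as my assumption), and the RFC 5321 implicit-MX fallback quoted in the thread. The zone contents and hostnames are constructed for illustration.

```python
"""Model of DMARC's domain-existence test and RFC 5321's implicit-MX rule.

DNS is simulated with a constructed table; a real check would query a
resolver.  Existence rule assumed from RFC 9091 (PSD DMARC): a domain is
non-existent only if A, AAAA and MX all answer NXDOMAIN or NODATA.
"""
from typing import Dict, List, Tuple

# Constructed zone data: name -> {rrtype: [rdata]}.  A name absent from the
# table answers NXDOMAIN; a present name lacking the type answers NODATA.
ZONE: Dict[str, Dict[str, List[str]]] = {
    "company.example": {"A": ["192.0.2.10"], "MX": ["10 mx.company.example"]},
    "www.company.example": {"A": ["192.0.2.11"]},          # web host, no MX
    "api.company.example": {"AAAA": ["2001:db8::1"]},       # API host, no MX
    "_dmarc.company.example": {"TXT": ["v=DMARC1; p=reject"]},
    # "noreply.company.example" is deliberately absent -> NXDOMAIN
}


def lookup(name: str, rrtype: str) -> Tuple[str, List[str]]:
    """Return (rcode, rdata) the way a resolver would: NXDOMAIN, NODATA or NOERROR."""
    if name not in ZONE:
        return "NXDOMAIN", []
    rdata = ZONE[name].get(rrtype, [])
    return ("NOERROR", rdata) if rdata else ("NODATA", [])


def dmarc_domain_exists(name: str) -> bool:
    """Any positive answer for A, AAAA or MX makes the name 'exist' for DMARC."""
    return any(lookup(name, t)[0] == "NOERROR" for t in ("A", "AAAA", "MX"))


def smtp_mx_targets(name: str) -> List[Tuple[int, str]]:
    """RFC 5321 s5.1: no MX but an address record -> implicit MX, preference 0,
    pointing at the name itself.  Neither MX nor address -> undeliverable."""
    rcode, mx = lookup(name, "MX")
    if rcode == "NOERROR":
        return sorted((int(p), host) for p, host in (r.split(" ", 1) for r in mx))
    if any(lookup(name, t)[0] == "NOERROR" for t in ("A", "AAAA")):
        return [(0, name)]
    return []


if __name__ == "__main__":
    # www/api "exist" with no MX at all; _dmarc does not, despite holding a TXT.
    for n in list(ZONE) + ["noreply.company.example"]:
        print(f"{n:26} exists={dmarc_domain_exists(n)!s:5} mx={smtp_mx_targets(n)}")
```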