Re: [Bimi] MUA Evaluation of BIMI
Jakub Olexa <jakub@mailkit.com> Tue, 15 March 2022 18:45 UTC
Return-Path: <jakub@mailkit.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75D813A1501 for <bimi@ietfa.amsl.com>; Tue, 15 Mar 2022 11:45:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mailkit.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rFXLSQeFhHgx for <bimi@ietfa.amsl.com>; Tue, 15 Mar 2022 11:45:27 -0700 (PDT)
Received: from mail.mailkit.eu (mail.mailkit.eu [185.136.200.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 566223A10C0 for <bimi@ietf.org>; Tue, 15 Mar 2022 11:45:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.mailkit.eu (Postfix) with ESMTP id 9CD2D20F38 for <bimi@ietf.org>; Tue, 15 Mar 2022 19:45:24 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mailkit.eu
Received: from mail.mailkit.eu ([127.0.0.1]) by localhost (mail.mailkit.eu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 95KTfCccevNu for <bimi@ietf.org>; Tue, 15 Mar 2022 19:45:21 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------RLISIq8y238nvBJRNDEa8YvF"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailkit.com; s=mk-2; t=1647369921; bh=wsvlz6NGGcIJJTfb7QJ9hf/VCVKGsxrusaTdHUFB6Vo=; h=Date:To:References:From:Subject:In-Reply-To; b=h8+AGH6XynoABpRO+0u9zC4PD5LlNbrvQeqan43AAtyB3qOeUJBodEA/E8d0Q4isu sZLmHmIDn+L4lgaK0zqLMTmFeIzxHFsmeNJ1tB6UJRp16vOY3k03ljGih4Xcjx+XXO xI047XfZWxs71Gu3OttZPBcpEFu7TGi6NcW/lAD8IT6E/qDYHef6DTnvGusijam44/ F3lefLi/qjTlxr3tcxhtbCvw/D+aNfLfKAUuD7299fHw1j54Ba/5FPdKFssZz2NKIc Rlck9FSsf396Zh1KcwlxP53EhiTwvUEVL25GxR5Mitm0WZXeCYfkBlXPNcfOVZS9y+ poPtGoLb+EZ7A==
Message-ID: <0aba2ca2-d499-0f88-c490-cc83eb493760@mailkit.com>
Date: Tue, 15 Mar 2022 18:45:20 +0000
MIME-Version: 1.0
Content-Language: en-US
To: bimi@ietf.org
References: <7639D8E5-B8CA-48E6-B6F3-63BA091C3AC5@contoso.com> <VI1PR01MB7053B6AF625A5FFB2222F795C70F9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <MN2PR11MB4351276056888F77815E220EF70F9@MN2PR11MB4351.namprd11.prod.outlook.com> <CB922168-3B56-488E-90DD-2591B064F9FF@proofpoint.com>
From: Jakub Olexa <jakub@mailkit.com>
Organization: Mailkit
In-Reply-To: <CB922168-3B56-488E-90DD-2591B064F9FF@proofpoint.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/-Sds_Bh6DUpD7acjGe_M_IYdvLs>
Subject: Re: [Bimi] MUA Evaluation of BIMI
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2022 18:45:34 -0000
Hi Trent, my concern with this approach is that it would essentially prevent MUAs from implementing BIMI support. a) ARC would essentially become a requirement for BIMI outside the BIMI standard itself b) MBPs would have to implement ARC, which would result in reduced support for BIMI c) MUAs would have to do way more complex checks then they do at the moment... involving DNS lookups, signature validation etc. - this could be a problem when logos are displayed in the message list For example when using Fairmail on our mailserver via IMAP I'm getting all the info about authentication from the headers added by our MTA and FairMail will display BIMI where available. We haven't had to do any changes to our MTA to get BIMI working. This will most likely apply to a large number of mail servers. Having an ARC requirement would break it... and for what good? Jakub Olexa Founder & CEO E-mail: jakub@mailkit.com Tel: +420 778 535 877 <tel:+420778535877> Mailkit - Closing the circle between Deliverability and Engagement <https://www.mailkit.com> On 15.03.2022 16:14, Trent Adams wrote: > > OK… what if we start from the premise that an MUA **MAY** evaluate > BIMI, but in order to do is it **MUST** be able to trust the > Authentication-Results header supplied by the mailbox provider (read: > it there's no trusted A-R header, the MUA **MUST NOT** display the > BIMI logo)… > > Given that… What if the specification calls for the mailbox provider > performing BIMI validation to ARC sign the messages they receive? > Would that be a useful way to preserve the A-R results such that the > MUA can verify them? > > Curious, > > Trent > > *From: *"Brotman, Alex" <Alex_Brotman=40comcast.com@dmarc.ietf.org> > *Date: *Monday, March 14, 2022 at 2:56 PM > *To: *Ken O'Driscoll <ken@wemonitoremail.com>, Trent Adams > <tadams@proofpoint.com> > *Cc: *"bimi@ietf.org" <bimi@ietf.org> > *Subject: *RE: MUA Evaluation of BIMI > > > It’s really up to the user of the MUA to determine whether or not to trust upstream > authentication headers. There are already plugins for the likes > Roundcube and Thunderbird that are parsing the current AR headers. > > > > It’s really up to the user of the MUA to determine whether or not to trust upstream authentication headers. > There are already plugins for the likes Roundcube and Thunderbird that > are parsing the current AR headers. > > I feel like an item that needs to be considered is that if you’re to > rely on these headers, you need to have a reasonable assurance they > came from the MBP for which the message was intended. Do we need > notes to describe how it is that the MUA is meant to evaluate that > header and its origin? Or is that beyond our scope? > > -- > > Alex Brotman > > Sr. Engineer, Anti-Abuse & Messaging Policy > > Comcast > >
- [Bimi] MUA Evaluation of BIMI Trent Adams
- Re: [Bimi] MUA Evaluation of BIMI Jakub Olexa
- Re: [Bimi] MUA Evaluation of BIMI John Levine
- Re: [Bimi] MUA Evaluation of BIMI Ken O'Driscoll
- Re: [Bimi] MUA Evaluation of BIMI Dave Crocker
- Re: [Bimi] MUA Evaluation of BIMI Ken O'Driscoll
- Re: [Bimi] MUA Evaluation of BIMI Dave Crocker
- Re: [Bimi] MUA Evaluation of BIMI Brotman, Alex
- Re: [Bimi] MUA Evaluation of BIMI Richard Clayton
- Re: [Bimi] MUA Evaluation of BIMI Trent Adams
- Re: [Bimi] MUA Evaluation of BIMI Ken O'Driscoll
- Re: [Bimi] MUA Evaluation of BIMI Dave Crocker
- Re: [Bimi] MUA Evaluation of BIMI Ken O'Driscoll
- Re: [Bimi] MUA Evaluation of BIMI Dave Crocker
- Re: [Bimi] MUA Evaluation of BIMI Trent Adams
- Re: [Bimi] MUA Evaluation of BIMI Jakub Olexa
- Re: [Bimi] MUA Evaluation of BIMI Trent Adams
- Re: [Bimi] MUA Evaluation of BIMI Stephen Farrell
- Re: [Bimi] MUA Evaluation of BIMI Ken O'Driscoll
- Re: [Bimi] MUA Evaluation of BIMI Dave Crocker
- Re: [Bimi] MUA Evaluation of BIMI Brotman, Alex
- Re: [Bimi] MUA Evaluation of BIMI Trent Adams
- Re: [Bimi] MUA Evaluation of BIMI John Levine
- Re: [Bimi] MUA Evaluation of BIMI Trent Adams
- Re: [Bimi] MUA Evaluation of BIMI John R Levine
- Re: [Bimi] MUA Evaluation of BIMI Dave Crocker
- Re: [Bimi] MUA Evaluation of BIMI Jakub Olexa
- Re: [Bimi] MUA Evaluation of BIMI Trent Adams