IETF Logo Mail Archive

Re: [Bimi] MUA Evaluation of BIMI

Jakub Olexa <jakub@mailkit.com> Sun, 13 March 2022 08:24 UTC

Return-Path: <jakub@mailkit.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 699653A14F1 for <bimi@ietfa.amsl.com>; Sun, 13 Mar 2022 00:24:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=mailkit.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6OigidPrXDm for <bimi@ietfa.amsl.com>; Sun, 13 Mar 2022 00:24:27 -0800 (PST)
Received: from mail.mailkit.eu (mail.mailkit.eu [185.136.200.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14D793A14ED for <bimi@ietf.org>; Sun, 13 Mar 2022 00:24:26 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.mailkit.eu (Postfix) with ESMTP id 6F57120630 for <bimi@ietf.org>; Sun, 13 Mar 2022 09:24:22 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mailkit.eu
Received: from mail.mailkit.eu ([127.0.0.1]) by localhost (mail.mailkit.eu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IEfPYvv3S247 for <bimi@ietf.org>; Sun, 13 Mar 2022 09:24:18 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------r98BHpjwAmaUNiCmUy5TQxcz"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mailkit.com; s=mk-2; t=1647159858; bh=/IVTMtdiDmfCyKgV3F8J31pKZLAdacUnbhaSvFbIN/Y=; h=Date:Subject:To:References:From:In-Reply-To; b=jbuP85nRO48IljEXwtHBT7an+QUWLJJ3BjpZT0dLFiZLljvH8BuN3tabb5sxjxofO tOOmKmqb4f+0UK2xAVFjeE8E3CdUmt6ac8XGK0/6S2+oxdgRNlnGn0R+M05WjQjEV3 o160k/dE+KsLVO9GZH3RxUciKTOWVBDvI7ryWlbYeTN8AWoa1CQolJukQLHA4YynEQ jQZ2VGGz0Te2HHgwSeStxZN4HXSaB1Qw9nIJ4B7LZQ+XP1Hul8W/GE+oxDMDD3S15o QTg3CTYnPtUFKyb90G92RAz+Mp4QkYqwu8J2ABMxCXW995i8mhCxYM819l+3WRFQvG NdupYZTeOvkXw==
Message-ID: <4b81bf15-f599-661a-b8da-97d7b0b92f52@mailkit.com>
Date: Sun, 13 Mar 2022 08:24:17 +0000
MIME-Version: 1.0
Content-Language: en-US
To: bimi@ietf.org
References: <7639D8E5-B8CA-48E6-B6F3-63BA091C3AC5@contoso.com>
From: Jakub Olexa <jakub@mailkit.com>
Organization: Mailkit
In-Reply-To: <7639D8E5-B8CA-48E6-B6F3-63BA091C3AC5@contoso.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/989EtWslzBk166Y_5dMpQzbMNrU>
Subject: Re: [Bimi] MUA Evaluation of BIMI
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2022 08:24:34 -0000

Hi Trent,

FairMail does a very good job at checking the Authentication-Result 
headers to make a decision about whether should be displayed or not. MUA 
should be able to take advantage of the Authentication-Result headers 
and do this. Discouraging BIMI would mean limiting adoption.

Jakub Olexa
Founder & CEO
E-mail: jakub@mailkit.com
Tel: +420 778 535 877 <tel:+420778535877>

Mailkit - Closing the circle between Deliverability and Engagement 
<https://www.mailkit.com>

On 12.03.2022 0:35, Trent Adams wrote:
>
> I'm looking for clarity about what folks think about whether or not 
> MUAs alone can evaluate BIMI (or be discouraged from doing so).  
> Either way… I think the next draft of the specification needs to be 
> more clear (as its currently ambiguous).
>
> To provide context… most of the MUAs supporting BIMI today are 
> operated by major mailbox providers that control their clients.  That 
> means that the MUAs (whether they're desktop, mobile, or web clients) 
> are designed to inherently trust the MTAs validation of BIMI and the 
> underlying AuthN requirements.  So, this question is really more aimed 
> at addressing the issues of "independent" MUAs (i.e. email clients 
> that are developed by folks without ties to specific mailbox 
> providers)… something like FairEmail <https://email.faircode.eu/>.
>
> On the one hand, it's the MTA that's performing the underlying 
> validation required by BIMI (e.g. SPF, DKIM, and DMARC).  And since 
> the MUA may not have access to the necessary information in order to 
> perform the validations (e.g. SPF), it relies upon the evaluation 
> performed by the MTA.  Without a close coupling between the evaluating 
> MTA and the MUA… perhaps BIMI validation should be discouraged.
>
> On the other hand, even if an independent MUA doesn't have access to 
> the initial conditions available to the MTA, there are signals they 
> can use for BIMI.  For example, perhaps they can forego SPF and only 
> rely upon DKIM (which may survive all the way to the MUA).  So, maybe 
> there's a path there (albeit with diminished returns).
>
> So, that's what I'm wondering about… how can the next draft of the 
> specification be improved to clarify whether MUAs can (or should not) 
> implement BIMI.
>
> Thoughts?
>
> - Trent
>
> -- 
>
> *J. Trent Adams*
>
> /Director, Ecosystem Security/
>
> *Proofpoint*
>
> tadams@proofpoint.com
>
> https://www.linkedin.com/in/jtrentadams
>
>

v2.23.0 | Report a Bug | By Email