Re: [Bimi] MUA Evaluation of BIMI

Trent Adams <tadams@proofpoint.com> Tue, 15 March 2022 18:50 UTC

Return-Path: <tadams@proofpoint.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 270E03A1563; Tue, 15 Mar 2022 11:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=proofpoint.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xmT73gtBlE8g; Tue, 15 Mar 2022 11:50:27 -0700 (PDT)
Received: from mx0a-00148503.pphosted.com (mx0a-00148503.pphosted.com [148.163.157.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2690D3A1586; Tue, 15 Mar 2022 11:50:21 -0700 (PDT)
Received: from pps.filterd (m0162103.ppops.net [127.0.0.1]) by mx0a-00148503.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 22FIL6d0004244; Tue, 15 Mar 2022 11:50:20 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proofpoint.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=corp-2019-08-07; bh=HADimOAQiVMLRjh/JMlQV3v8ZXOnpDg0mOR3s6QRP0w=; b=S5415CVTOiDjGehgYjPnFe0aKBB/N2ZU9GW92Xqa4El65Dqop6Jf39Swxbhbl6O+mM7x KtiBNQEzX9aAB9oG/2a6zFBqW2UroVCGoFrwigXcKkDD+QAifKpTTB+mos3PZDavijDu 4lxbHNjDwxgWTzFieF1wl4GpEMNe+WtkPXxqtJ1ImYUM1nW6cREhumjZPxhtUudRRi8n 1FlOrIxsHBnpYOKbkl4lkwsbGnLIeuxoSNl9e0XWScrp373sZTzLFm4CvoasFhGNDKxQ NaOBt6Sk0MFzSttniteF9dHoKkRj5p8FWBYcXXpz5PgEJLDXOcg0fu4CNPe1jn0ptMGb Zg==
Received: from lv-exch02.corp.proofpoint.com ([136.179.16.100]) by mx0a-00148503.pphosted.com (PPS) with ESMTPS id 3eruyjs6wq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 15 Mar 2022 11:50:20 -0700
Received: from lv-exch01.corp.proofpoint.com (10.94.30.37) by lv-exch02.corp.proofpoint.com (10.94.30.38) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.2308.21; Tue, 15 Mar 2022 11:50:19 -0700
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (10.19.16.20) by lv-exch01.corp.proofpoint.com (10.94.30.37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.2308.21 via Frontend Transport; Tue, 15 Mar 2022 11:50:19 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PB9OH5jv3+RKfoQrijTwKb3cc5M1y7EWsPdMUZJrTRbuIaOIiwarWA7YLGLPSl2qp7C3dKELvRyI8LYwFEiTnUxFPh04msOLkPZdpDwMRVsZM7ybl+7/RxiN/Ldi1LF2kohjFY1jW6LMl7lgRxg8+osm7yxvF7hWhlVKJ4rqj+CamQF16IX0cy62xmljQYI1Tp/RW7lHHULn6LA11xv49CMYWRcDMMu2UtVe3+q2Hq5lZwYbYEAyzA5305DXaYpvimI2Ai1S2rWILJnjgyAU6diEljz0AhVI2WAAkjv50P//ih6coluvCcMNJxciB8Qtxb4N6LxwWk8dsAkZUpkrVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=kmTvCWE5B3QnMf0mIgAPshz4JM7VfPwdu8+eqN4FuC0=; b=Kju+F5qi6QDoKeUa8IBrXzOD4IPxve+SFqxHGZmqr56TYe6Bd8UaPkiO9+LhKtyK72d9zXBuYpQaF2OH+DUHTnALdN1obwShqtsJ/g9Im6vLhfV3CzKG8yU2O3UT3ovjmzNx2Q1l4t2bzzPhsxGjKDDrl3GDdX9Q/Yv/SYjbmgVG1o3VGSE+wL380UemAG4RC55l/21hgiHMaF0mZb/2eWwLMMm0XOl/B+w3UCsSJZoGLGncxs2NcbXgzIXmQ9hIjMjHlKU3MeBiZwO0SESry5KjMCqhGwahi5CVT1LM5Nwz2TJPMSNNP0fKEZvxOkjEOsDUzzud++HoOm+HWgjbqg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=proofpoint.com; dmarc=pass action=none header.from=proofpoint.com; dkim=pass header.d=proofpoint.com; arc=none
Received: from CH2PR12MB5001.namprd12.prod.outlook.com (2603:10b6:610:61::18) by BN9PR12MB5065.namprd12.prod.outlook.com (2603:10b6:408:132::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5061.22; Tue, 15 Mar 2022 18:50:11 +0000
Received: from CH2PR12MB5001.namprd12.prod.outlook.com ([fe80::4d89:e9d3:abef:5ebe]) by CH2PR12MB5001.namprd12.prod.outlook.com ([fe80::4d89:e9d3:abef:5ebe%7]) with mapi id 15.20.5061.028; Tue, 15 Mar 2022 18:50:11 +0000
From: Trent Adams <tadams@proofpoint.com>
To: Jakub Olexa <jakub=40mailkit.com@dmarc.ietf.org>, "bimi@ietf.org" <bimi@ietf.org>
Thread-Topic: [Bimi] MUA Evaluation of BIMI
Thread-Index: AQHYNakS7cBGBKKcikGTe1q57Bj1Vqy/BUnggABVaQCAAOT4gIAAjqgA//+cxAA=
Date: Tue, 15 Mar 2022 18:50:11 +0000
Message-ID: <E67E3A80-AC7C-455F-8251-640DFB148944@proofpoint.com>
References: <7639D8E5-B8CA-48E6-B6F3-63BA091C3AC5@contoso.com> <VI1PR01MB7053B6AF625A5FFB2222F795C70F9@VI1PR01MB7053.eurprd01.prod.exchangelabs.com> <MN2PR11MB4351276056888F77815E220EF70F9@MN2PR11MB4351.namprd11.prod.outlook.com> <CB922168-3B56-488E-90DD-2591B064F9FF@proofpoint.com> <0aba2ca2-d499-0f88-c490-cc83eb493760@mailkit.com>
In-Reply-To: <0aba2ca2-d499-0f88-c490-cc83eb493760@mailkit.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.58.22021501
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 03d12426-7d33-470a-8fea-08da06b4a23e
x-ms-traffictypediagnostic: BN9PR12MB5065:EE_
x-microsoft-antispam-prvs: <BN9PR12MB50652C885CBB599954D52E83B3109@BN9PR12MB5065.namprd12.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR12MB5001.namprd12.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(53546011)(64756008)(6512007)(66446008)(66946007)(8676002)(76116006)(38100700002)(6506007)(2616005)(66556008)(91956017)(122000001)(2906002)(66476007)(186003)(83380400001)(316002)(110136005)(6486002)(38070700005)(508600001)(71200400001)(33656002)(166002)(36756003)(86362001)(8936002)(5660300002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
Content-Type: multipart/alternative; boundary="_000_E67E3A80AC7C455F8251640DFB148944proofpointcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR12MB5001.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 03d12426-7d33-470a-8fea-08da06b4a23e
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Mar 2022 18:50:11.1454 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46785c73-1c32-414b-86bc-fae0377cab01
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dho1+pa+JeCfd820JyrivyQ27KUvNmXxuribvEKt/OXv2GPAEgC2loTEMvquSqIWlSR+byZNz9Mk5Y/2TQdeGQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN9PR12MB5065
X-OriginatorOrg: proofpoint.com
X-PassedThroughOnPremises: Yes
X-Proofpoint-GUID: 4ufKpCn_S7qdmMC-IsleUMJbRQAseumX
X-Proofpoint-ORIG-GUID: 4ufKpCn_S7qdmMC-IsleUMJbRQAseumX
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-15_09,2022-03-15_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 adultscore=0 spamscore=0 clxscore=1011 malwarescore=0 impostorscore=0 priorityscore=1501 mlxscore=0 phishscore=0 suspectscore=0 lowpriorityscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203150110
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/E3AgF2G8WngLqzgyb4nw8a8hU1c>
Subject: Re: [Bimi] MUA Evaluation of BIMI
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2022 18:50:32 -0000

Right… and if I understand correctly, FairMail is using hard-coded heuristics to determine the AuthN-Results based on known formatting (e.g. it knows what the header looks like in Gmail and uses it… otherwise, it's ignored).

Am I right about that? … or is Marcel doing something more clever?

Curious,
Trent


From: bimi <bimi-bounces@ietf.org> on behalf of Jakub Olexa <jakub=40mailkit.com@dmarc.ietf.org>
Organization: Mailkit
Date: Tuesday, March 15, 2022 at 12:46 PM
To: "bimi@ietf.org" <bimi@ietf.org>
Subject: Re: [Bimi] MUA Evaluation of BIMI

Hi Trent,

my concern with this approach is that it would essentially prevent MUAs from implementing BIMI support.

a) ARC would essentially become a requirement for BIMI outside the BIMI standard itself
b) MBPs would have to implement ARC, which would result in reduced support for BIMI
c) MUAs would have to do way more complex checks than they do at the moment... involving DNS lookups, signature validation etc. - this could be a problem when logos are displayed in the message list

For example when using FairMail on our mailserver via IMAP I'm getting all the info about authentication from the headers added by our MTA and FairMail will display BIMI where available. We haven't had to do any changes to our MTA to get BIMI working. This will most likely apply to a large number of mail servers. Having an ARC requirement would break it... and for what good?

Jakub Olexa
Founder & CEO
E-mail: jakub@mailkit.com
Tel: +420 778 535 877

Mailkit - Closing the circle between Deliverability and Engagement<https://urldefense.com/v3/__https:/www.mailkit.com__;!!ORgEfCBsr282Fw!vHS66phTBR4sfDK7OTpaYnHLf44Jx5761830ySlAeeozI6Dl_Zx-C7nZko8cxEahGMs_D8dr6GH8Qox7x4RHzIAFSoCmrL__$>
On 15.03.2022 16:14, Trent Adams wrote:

OK… what if we start from the premise that an MUA *MAY* evaluate BIMI, but in order to do so it *MUST* be able to trust the Authentication-Results header supplied by the mailbox provider (read: if there's no trusted A-R header, the MUA *MUST NOT* display the BIMI logo)…

Given that… What if the specification calls for the mailbox provider performing BIMI validation to ARC sign the messages they receive?  Would that be a useful way to preserve the A-R results such that the MUA can verify them?

Curious,
Trent


From: "Brotman, Alex" <Alex_Brotman=40comcast.com@dmarc.ietf.org>
Date: Monday, March 14, 2022 at 2:56 PM
To: Ken O'Driscoll <ken@wemonitoremail.com>, Trent Adams <tadams@proofpoint.com>
Cc: "bimi@ietf.org" <bimi@ietf.org>
Subject: RE: MUA Evaluation of BIMI

> It’s really up to the user of the MUA to determine whether or not to trust upstream authentication headers. There are already plugins for the likes Roundcube and Thunderbird that are parsing the current AR headers.

I feel like an item that needs to be considered is that if you’re to rely on these headers, you need to have a reasonable assurance they came from the MBP for which the message was intended.  Do we need notes to describe how it is that the MUA is meant to evaluate that header and its origin?  Or is that beyond our scope?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
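The "trusted A-R header or no logo" premise Trent proposes, and the question Alex raises about whether the header really came from the intended mailbox provider, can be made concrete as an MUA-side filter. The following is an added example and is not code from the thread, from FairMail, or from any BIMI implementation. It assumes a configured authserv-id for the user's mailbox provider (`mx.mbp.example`, hypothetical), that the provider records a `bimi=pass` method result in its Authentication-Results header alongside `dmarc=pass`, and it performs no DKIM, DMARC or ARC verification of its own. It only parses the headers and ignores every A-R header whose authserv-id is not the trusted one, which is as far as an MUA can get without ARC: a header that is forged with the correct authserv-id is indistinguishable from the genuine one unless the provider strips or overrides foreign A-R headers at its border.

```python
"""Added example (not from the thread): gate BIMI logo display on an
Authentication-Results (A-R) header from a configured, trusted authserv-id.
Assumptions: TRUSTED_AUTHSERV_ID is the MUA's mailbox provider; that provider
records 'dmarc' and 'bimi' method results in its A-R header.  Nothing here
verifies DKIM/DMARC/ARC signatures; it only decides which A-R header to believe."""

import re
from email import message_from_string
from email.message import Message

# Hypothetical authserv-id of the mailbox provider the MUA is configured for.
TRUSTED_AUTHSERV_ID = "mx.mbp.example"

_COMMENT = re.compile(r"\([^)]*\)")          # RFC 5322 comments, e.g. "(2048-bit key)"
_METHOD = re.compile(r"^([a-z0-9-]+)\s*=\s*([a-z]+)", re.I)  # "dkim=pass ..."


def parse_authentication_results(value: str) -> dict:
    """Parse one A-R field value (simplified RFC 8601 syntax) into
    {"authserv_id": str, "results": {method: result}}."""
    value = " ".join(_COMMENT.sub("", value).split())   # drop comments, unfold
    parts = [p for p in re.split(r";\s*", value) if p]
    if not parts:
        return {"authserv_id": "", "results": {}}
    # First element is "authserv-id [version]"; only the id matters here.
    authserv_id = parts[0].split()[0].lower()
    results = {}
    for part in parts[1:]:                              # "method=result ptype.prop=..."
        m = _METHOD.match(part)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return {"authserv_id": authserv_id, "results": results}


def trusted_results(msg: Message, trusted_authserv_id: str) -> list:
    """Return parsed A-R headers whose authserv-id matches the trusted MBP,
    topmost (most recently prepended) first.  All other A-R headers are
    ignored, whatever they claim."""
    out = []
    for raw in msg.get_all("Authentication-Results", []):
        parsed = parse_authentication_results(str(raw))
        if parsed["authserv_id"] == trusted_authserv_id.lower():
            out.append(parsed)
    return out


def may_display_bimi(msg: Message, trusted_authserv_id: str = TRUSTED_AUTHSERV_ID) -> bool:
    """Show the logo only if the trusted MBP's own (topmost) A-R header says
    dmarc=pass and bimi=pass.  No trusted A-R header at all means no logo."""
    for ar in trusted_results(msg, trusted_authserv_id):
        r = ar["results"]
        return r.get("dmarc") == "pass" and r.get("bimi") == "pass"
    return False


def bimi_decision(raw_message: str) -> bool:
    """Convenience wrapper: decide for a raw RFC 5322 message string."""
    return may_display_bimi(message_from_string(raw_message))


# Constructed sample: the trusted MBP's header plus a foreign A-R header that
# the MUA has no reason to trust (different authserv-id).
GENUINE = """\
Authentication-Results: mx.mbp.example;
 dkim=pass (2048-bit key) header.d=brand.example;
 dmarc=pass header.from=brand.example;
 bimi=pass header.d=brand.example header.selector=default
Authentication-Results: unknown.example; dmarc=pass; bimi=pass
From: news@brand.example
Subject: constructed sample

body
"""

# Constructed sample: only a foreign A-R header is present -> no logo.
FOREIGN_ONLY = """\
Authentication-Results: unknown.example; dmarc=pass; bimi=pass
From: news@brand.example
Subject: constructed sample

body
"""

# Constructed sample: the trusted MBP itself recorded a DMARC failure.
FAILED = """\
Authentication-Results: mx.mbp.example 1; dkim=fail; dmarc=fail; bimi=skipped
From: news@brand.example
Subject: constructed sample

body
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("foreign-only", FOREIGN_ONLY), ("failed", FAILED)):
        print(f"{name}: display BIMI logo = {bimi_decision(raw)}")
```

The filter implements Jakub's observation that an MUA fed by its own MTA's headers needs nothing beyond parsing, and Alex's concern at the same time: the decision is only as trustworthy as the assurance that the `mx.mbp.example` header was written by that provider, which is the gap the ARC-sealing proposal in the thread is meant to close.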