Re: [Bimi] MUA Evaluation of BIMI (Marcel Bokhorst)

Trent Adams <tadams@proofpoint.com> Tue, 22 March 2022 17:11 UTC

Return-Path: <tadams@proofpoint.com>
X-Original-To: bimi@ietfa.amsl.com
Delivered-To: bimi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA01B3A0C9E; Tue, 22 Mar 2022 10:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=proofpoint.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 74MHEKdwOicI; Tue, 22 Mar 2022 10:11:01 -0700 (PDT)
Received: from mx0a-00148503.pphosted.com (mx0a-00148503.pphosted.com [148.163.157.21]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B24D33A0C87; Tue, 22 Mar 2022 10:10:56 -0700 (PDT)
Received: from pps.filterd (m0162103.ppops.net [127.0.0.1]) by mx0a-00148503.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 22MGpBso023024; Tue, 22 Mar 2022 10:10:56 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=proofpoint.com; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=corp-2019-08-07; bh=U94lOGtoSmz9k1+lGB6GsVd79ZbTYUiM40TTVRZp7qE=; b=OsFqaH15DZGnnwHpZdmRv5ftFdkeseaZ+5J0hy514WUYzcefUCnL7iEuAdSI9BdeAuSN 4cZkvrSSPugYFj8S3Wd6oBSlS7szS86KOFAtv0ns907V+PTV1APs/KLq2idbD7bCTjCE Mjq/EvFVxaMRu1fPM+yzWA4x7RI2TdXPuj1D0I1rpievR7Ef7p6Uhih9pUoKrPC7NwxL UMbG8GAxr4oUkuuUTR87Iyu9Tns44mmJ95sO48o/rB6MDjWoFKg+WNFbCmsj0I8DSmLn x69FD3Gk33ZuYfG9l7lWd3Z0SYBFHqHgLxu/hwHLSj2e+ENzNEshvGAfFtrjWamP8xuZ tw==
Received: from lv-exch04.corp.proofpoint.com ([136.179.16.100]) by mx0a-00148503.pphosted.com (PPS) with ESMTPS id 3eweres5yv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 22 Mar 2022 10:10:55 -0700
Received: from lv-exch01.corp.proofpoint.com (10.94.30.37) by lv-exch04.corp.proofpoint.com (10.19.10.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.2308.21; Tue, 22 Mar 2022 10:10:55 -0700
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (10.19.16.20) by lv-exch01.corp.proofpoint.com (10.94.30.37) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.2308.21 via Frontend Transport; Tue, 22 Mar 2022 10:10:55 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=AhFWgkYEavHZCLfA8ifqwXGUp+bgLMc3tw9kukZkB6Ijva2ia6zGscrVukFToe8LnHJA5PUyPyNJ9fFjJuFMpFzcMVq5W9M0Nmpeum2dhL/7u8eNRpGqNp9SYnIoRy7riQEnlv5LaBoTdWtpJgo1Co+xJobKOII97OkX26KSq4DHO8eBcPYAyqlzQhSrbVMfcCwuqm8XQw4TNdfBXlHRzfE5xyVVzOIw9n3x7wN0FymaTQs/nvC0sXrSNde6MtiTOUzvMa+xTrEE2UI4mnonPOVN6+v39KKqUg1Ol5kF3pi54iebQyiCktW2WQ3hugihM3VDx11vd1EXcO61ly9yKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=lN/sYspHiClrr7QVuYAjNlFrcz85jP4SUCJQkCoR6E4=; b=SfpBbovXMH/GG6I0E7A+IvxGDzjxpdaLmVx3hTxrp8Tg6+7Y4gkHFS86aJT+Ow3VXSA9H8MP1FRmkX7PQjo09HnaiHe8f/d8m9Is3hKzmx0HNvMoOj91m9GDJp7c6uRl00lhnqNQy44krJ6exPxnikHwXujSGJaPp+A+q0Yk9CUUk16ZbhoofZbcOjHZ4NHn9NfVvbxEBub17ndMUawT0pF+zYSOxnyjSFlWKjXyCiUB5tMjiJAR6SQbeNMsZTBIOwnFNeVnXvPMhzlIPwecrNX/SrAcvGbCPMetT5mXmvyELaXR4yVZBIlkyoobhX0nQMjCCaD7cTZM5GVmo/UR7w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=proofpoint.com; dmarc=pass action=none header.from=proofpoint.com; dkim=pass header.d=proofpoint.com; arc=none
Received: from CH2PR12MB5001.namprd12.prod.outlook.com (2603:10b6:610:61::18) by MWHPR1201MB2527.namprd12.prod.outlook.com (2603:10b6:300:df::19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5081.14; Tue, 22 Mar 2022 17:10:51 +0000
Received: from CH2PR12MB5001.namprd12.prod.outlook.com ([fe80::4d89:e9d3:abef:5ebe]) by CH2PR12MB5001.namprd12.prod.outlook.com ([fe80::4d89:e9d3:abef:5ebe%7]) with mapi id 15.20.5102.016; Tue, 22 Mar 2022 17:10:50 +0000
From: Trent Adams <tadams@proofpoint.com>
To: Marcel Bokhorst <marcel=40faircode.eu@dmarc.ietf.org>, "bimi@ietf.org" <bimi@ietf.org>
Thread-Topic: [Bimi] MUA Evaluation of BIMI (Marcel Bokhorst)
Thread-Index: AQHYPgvT7jkUbf9xBU+8mSSk4DD4mazLPuIA
Date: Tue, 22 Mar 2022 17:10:50 +0000
Message-ID: <DAD61B46-4B49-4C57-93F1-6663B66BCACD@proofpoint.com>
References: <mailman.1239.1647966022.21334.bimi@ietf.org> <9350010a-8e17-4775-9ea0-23976b26842c@faircode.eu>
In-Reply-To: <9350010a-8e17-4775-9ea0-23976b26842c@faircode.eu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.59.22031300
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 163c7592-d7cd-4ba8-b271-08da0c26ea73
x-ms-traffictypediagnostic: MWHPR1201MB2527:EE_
x-microsoft-antispam-prvs: <MWHPR1201MB2527883998AD359BFFA51E02B3179@MWHPR1201MB2527.namprd12.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: E8r1aX2XWbSnK7QORJEebZeLwR2QInzv5vaUw4+IG+jxLO91Ure8Qgewax50AJEbNn5ucui85SvU+a3A1NR22nvRgpLf4H2MNkAo1ZDmitGCRYfBmMkogIKdLAQmpOuP0g38x20Y+tTHJDteqxDGpVncqO7PFru972TvR7KH75ZUs1VpMUShWmruoeK3J1ZsigHuQtGVPRvFD/P8J4czniD1C00oCHAisMtPnSm2nbOTvLopTcIxh1EpAQyu13LClny9KUlaiK9T4OReANA4BKFKuJJKWC0MLJYDf0tb19/5AnUkvK+dCSDDhYZhdUlSSa3dPMzYTd4Ew7RKLy6OPdVC6+lgMzmAV5NUCyQ6wZXQn0/RnK8jU4ylreU5JwiX2hqcq0kcEfle5ZOUn4+uwKoVgz1PqIrzUtKsGn6xJ7OEIMu4XswM724KKt7j87J1sZtgNF/WkL6kcZ04ha4OnLde3QTSBnixccAlZ+9efjhDZFVbigSqjpuSOhORE7nwoZ6308jAvfAW3JN5ZmTS5UkmjWD8O8v1L4I7jCTwR7w2ZnvXvuopSY5eMvBoBPd2Rfaj62s3PaP0NsA8IAc8UUekySGi0w/oAtwbUPtihyLGZbSysOKKfn0NvDBFCoaSoTVLd1Q48xmr6aNoP97kIoKlQ9OKTjPqCW2h4+g8ZMr/vuecfdRKTbH0k3lk9HRsiuGEeUQOqHHpOpyDWdDPSc7P+nxoEl4oKXq2+rH/gW7VNgajMpbV0Ph8Zr8fLA3AljeVdlN3GBlc8v3ipoKfAYsmBOjDygZmcysI46qCQRpBEV7qZG/SRF9j1shRFKsbFEWzDMwUco9ElDzibVMKs0HjzwQNIKsu6j0DuGuMXr4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR12MB5001.namprd12.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(6512007)(64756008)(66476007)(66556008)(2616005)(53546011)(66446008)(38070700005)(186003)(8936002)(36756003)(6506007)(33656002)(110136005)(316002)(8676002)(5660300002)(66946007)(6486002)(76116006)(91956017)(966005)(508600001)(2906002)(38100700002)(71200400001)(122000001)(86362001)(83380400001)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
Content-Type: multipart/alternative; boundary="_000_DAD61B464B494C5793F16663B66BCACDproofpointcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR12MB5001.namprd12.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 163c7592-d7cd-4ba8-b271-08da0c26ea73
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Mar 2022 17:10:50.7161 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46785c73-1c32-414b-86bc-fae0377cab01
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: YWKoYEGxSLiiBvt7r1ZqSkkcOWv2oAF9qccqFzaDXCwblNlmohR6WbR70fn+xjceasODhaBhlyT4NKsYH0pK4w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR1201MB2527
X-OriginatorOrg: proofpoint.com
X-PassedThroughOnPremises: Yes
X-Proofpoint-ORIG-GUID: zL6rzi656kNt1CSO6nGOH-WadsO7GaVk
X-Proofpoint-GUID: zL6rzi656kNt1CSO6nGOH-WadsO7GaVk
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-22_07,2022-03-22_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 impostorscore=0 spamscore=0 priorityscore=1501 mlxlogscore=999 lowpriorityscore=0 malwarescore=0 phishscore=0 adultscore=0 suspectscore=0 clxscore=1011 bulkscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203220093
Archived-At: <https://mailarchive.ietf.org/arch/msg/bimi/FMi9KEZ6MG_ZAxC9WAVhnk6Ampo>
Subject: Re: [Bimi] MUA Evaluation of BIMI (Marcel Bokhorst)
X-BeenThere: bimi@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Brand Indicators for Message Identification <bimi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bimi>, <mailto:bimi-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bimi/>
List-Post: <mailto:bimi@ietf.org>
List-Help: <mailto:bimi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bimi>, <mailto:bimi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 17:11:07 -0000

Marcel -

Apologies if the code answers this… but how does FairEmail handle the situation where a domain publishes a BIMI record (which can be retrieved and validated), but a malicious actor sends an email impersonating the domain to an address at a mailbox provider that doesn't evaluate DMARC?

Unless the MUA can either authenticate the message on its own (e.g. via DKIM + DMARC alignment), or it can rely upon the MTA to perform the necessary evaluation of SPF, DKIM, and DMARC… then it seems possible the MUA can be tricked into displaying a BIMI logo.

… but perhaps you're doing something clever (that we might want to consider specifying).

- Trent

PS - Thanks, by the way, for helping us shine a light on how independent email clients can join the conversation!


From: bimi <bimi-bounces@ietf.org> on behalf of Marcel Bokhorst <marcel=40faircode.eu@dmarc.ietf.org>
Date: Tuesday, March 22, 2022 at 10:42 AM
To: "bimi@ietf.org" <bimi@ietf.org>
Subject: Re: [Bimi] MUA Evaluation of BIMI (Marcel Bokhorst)

What I am wondering is if it wouldn't be simpler to just verify the certificate the BIMI record refers to and skip DMARC altogether. What are the benefits of checking DMARC?

As a reference, see here about how FairEmail verifies the BIMI certificate.

https://github.com/M66B/FairEmail/blob/master/app/src/main/java/eu/faircode/email/Bimi.java#L155

Basically, the domain name of the email address is the start point. The connection needs to be secure (https, etc), the certificate needs to be valid (dates, etc), the certificate needs to match the domain name, and the purpose needs to be "BIMI", and finally the certificate needs to chain to an installed root certificate.

The app still checks the DMARC record, but is that really necessary? The certificate matches the email address already after all. What am I missing?

Mar 22, 2022 5:20:28 PM bimi-request@ietf.org:

> Today's Topics:
>
>    1. Re: MUA Evaluation of BIMI (Trent Adams)

--
bimi mailing list
bimi@ietf.org
https://www.ietf.org/mailman/listinfo/bimi
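Trent's scenario and Marcel's certificate-only procedure, as an added example that is not FairEmail's code and not text from the BIMI draft: a toy MUA decision in Python. DNS answers and VMC validation are replaced by constructed in-memory tables so it runs offline; example.com, the logo and VMC URLs and the authserv-id mx.mua-provider.example are assumptions for illustration. The certificate-only check returns the logo for a legitimate message and for two spoofs alike, because the only message field it consults is the attacker-controlled From header. The hardened check additionally requires an enforcing DMARC policy at the domain and a dmarc=pass reported by the MUA's own provider, and shows no logo when the provider did not evaluate DMARC or when the sender forged an Authentication-Results header.

```python
"""Added example (not FairEmail's code): should an MUA show a BIMI logo?
DNS and VMC validation are stand-ins backed by constructed tables;
example.com, the URLs and the authserv-id are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed stand-in for DNS TXT answers.
DNS_TXT = {
    "default._bimi.example.com": "v=BIMI1; l=https://bimi.example.com/logo.svg; "
                                 "a=https://bimi.example.com/vmc.pem",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

# Constructed stand-in for the outcome of validating the VMC named in 'a=':
# chain to a trusted root, validity dates, BIMI purpose, SAN covers the domain.
VMC_TABLE = {
    "https://bimi.example.com/vmc.pem": {"valid": True, "domains": {"example.com"}},
}

def parse_tags(record):
    """Parse a 'k=v; k=v' tag-value record (BIMI and DMARC share the syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def from_domain(msg):
    # Domain of the RFC 5322 From address: the only input the naive check uses.
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def certificate_check(msg):
    """Marcel's procedure: From domain -> BIMI record -> validated VMC -> logo URL.
    This proves the logo belongs to the domain; it proves nothing about who
    sent this particular message, since From is attacker-controlled."""
    domain = from_domain(msg)
    rec = parse_tags(DNS_TXT.get(f"default._bimi.{domain}", ""))
    if rec.get("v") != "BIMI1" or not rec.get("a") or not rec.get("l"):
        return None
    vmc = VMC_TABLE.get(rec["a"])
    if not vmc or not vmc["valid"] or domain not in vmc["domains"]:
        return None
    return rec["l"]

def dmarc_policy_enforcing(domain):
    # BIMI requires the domain to publish an enforcing DMARC policy.
    tags = parse_tags(DNS_TXT.get(f"_dmarc.{domain}", ""))
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in ("quarantine", "reject")

def mta_dmarc_pass(msg, trusted_authserv_id):
    """True only if an RFC 8601 Authentication-Results header from our own MTA
    (matching authserv-id) reports dmarc=pass aligned with the From domain.
    Headers under any other authserv-id may have been written by the sender
    and are ignored; the MTA must also strip forged copies of its own id."""
    domain = from_domain(msg)
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        tokens = authserv.split()
        if not tokens or tokens[0].lower() != trusted_authserv_id.lower():
            continue
        match = re.search(r"dmarc=pass\b[^;]*?header\.from=([A-Za-z0-9.-]+)", results)
        if match and match.group(1).lower() == domain:
            return True
    return False

def bimi_logo(msg, trusted_authserv_id):
    """Hardened decision: no enforcing policy or no trusted dmarc=pass, no logo."""
    if not dmarc_policy_enforcing(from_domain(msg)):
        return None
    if not mta_dmarc_pass(msg, trusted_authserv_id):
        return None
    return certificate_check(msg)

def evaluate(raw, trusted_authserv_id="mx.mua-provider.example"):
    """Return (logo from certificate-only check, logo from hardened check)."""
    msg = message_from_string(raw)
    return certificate_check(msg), bimi_logo(msg, trusted_authserv_id)

# Constructed messages. The first was authenticated by our provider's MTA.
LEGIT = """\
Authentication-Results: mx.mua-provider.example; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Billing <billing@example.com>
"""
# Spoof received through a provider that never evaluates DMARC: no AR header.
SPOOF_NO_DMARC = """\
From: Billing <billing@example.com>
"""
# Spoof carrying a forged Authentication-Results header under a foreign authserv-id.
SPOOF_FORGED_AR = """\
Authentication-Results: attacker.example; dmarc=pass header.from=example.com
From: Billing <billing@example.com>
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGIT), ("spoof, no DMARC evaluation", SPOOF_NO_DMARC),
                      ("spoof, forged AR header", SPOOF_FORGED_AR)):
        cert_only, hardened = evaluate(raw)
        print(f"{name:28} certificate-only: {cert_only}  with DMARC gate: {hardened}")
```

The MUA's trust in its provider's Authentication-Results header is itself a dependency: the provider must strip inbound headers that claim its own authserv-id, or the third message would pass. An MUA that cannot rely on that (as on a provider that does no DMARC evaluation at all) has to verify DKIM and DMARC alignment itself before showing anything.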