IETF Logo Mail Archive

Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows

Jesse Thompson <zjt@fastmail.com> Thu, 27 April 2023 02:00 UTC

Return-Path: <zjt@fastmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 64EAAC151B0C for <dmarc@ietfa.amsl.com>; Wed, 26 Apr 2023 19:00:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.096
X-Spam-Level:
X-Spam-Status: No, score=-1.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.com header.b="meWiolD9"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="Aq3kIfME"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ab_KKyqGxI4Q for <dmarc@ietfa.amsl.com>; Wed, 26 Apr 2023 19:00:51 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AE21C151989 for <dmarc@ietf.org>; Wed, 26 Apr 2023 19:00:51 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 8A5515C0159 for <dmarc@ietf.org>; Wed, 26 Apr 2023 22:00:50 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute1.internal (MEProxy); Wed, 26 Apr 2023 22:00:50 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm3; t=1682560850; x=1682647250; bh=uW SjSu6G11Pxk82Jm0tng4p+VSy2EsQsMRRW6J66ZhE=; b=meWiolD92zavCr/6nk J4GR/dbN8s2c9kVK0Yw2iB1+xBAM8YjYeK03IHcMQwg/DKBEieSmuK3NQqQ6Oud5 3NYOIB8GdixxhLvrJjY2hVA4HwXPPz8Qkbr0VOfyYCuMcPR/oanPt2OL3J8UzdbS XDY74YNmtXlb1EbWZdMmBnvUFnGU65XqcMKpKXZExpNh44Nbl38g7sepy4Lvlnhw FP95/ojWEAyoiE0C4zOBFz0IKTPd/I+fc8y2nUEXmN9mIvjQ7m0/RvmjIvFHeqyg RkSHAx49lc8gx3JzNQI1Y48JV3Dr7f9NYhnAO/OW55DNxuX/uac73zaxftjeOq2T t41w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1682560850; x=1682647250; bh=uWSjSu6G11Pxk 82Jm0tng4p+VSy2EsQsMRRW6J66ZhE=; b=Aq3kIfMEOUUZzLgzyUizgAch1Gcr1 9WcOVd7PQfNCyINp943qAHSpgCbN+EVkSb+3BwfrFajO3t60jSX/CuCqoWpOxDcj S5gGYeiBjTR1VSADcXDKsMg2pRPmfi5TPYu1Upfi5cst8o+zZ/cXQhw4Gh1qlWwu xdvK8KAY4udp91UrzZPm48PSfiYXVKhD8gCy+tO62PaGCySxky/ogKHUNXEa3xMD jukT030AOFH3bcPyWiVApRK8Swe9o1XFzuDR1bNXX5AifeEOiSe3/vR8Si3pQ1il dT1jsESTsDc/jBtYxXR1vp+2HnGRCOr+RuqS5mz38T+gPU2lwsdLLt8Gg==
X-ME-Sender: <xms:UtdJZAAOwfFjbsv-IPMY5E8GPA7sCgn40iXHYVSRrHj5Gzn1RyEllg> <xme:UtdJZCgSvZFoD0MRNmG6KXbFwWeSso9QaJRvTJBrEof0euYWmRsJyYTSQoaj8jIFG bAdovxtAg_YYKrrPy4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfeduhedgheefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerredtnecuhfhrohhmpedflfgvshhsvgcuvfhhohhmphhsohhnfdcuoeiijhhtsehf rghsthhmrghilhdrtghomheqnecuggftrfgrthhtvghrnhepuedtveekhfeuheekvdfhhf ffudfhgeelkedutdeuffeiveeiheeuhfefvedvlefgnecuffhomhgrihhnpehsphdrrghm necuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepiihjth esfhgrshhtmhgrihhlrdgtohhm
X-ME-Proxy: <xmx:UtdJZDkDEVAH8luUdUd3QrCtOp_kPG-XW8NUztEzsC24Qi0imOh5uA> <xmx:UtdJZGwBkwu4l8MXldGvJeorcYlIcDyDRHL3aep1EJRG45Z6F9vwaQ> <xmx:UtdJZFRnsjQxUPqTooR8-qh1-Hcip_qEIUvxZAQB-o-GkZT33UTyAg> <xmx:UtdJZMc45aNfRJLXmpvmpFbD_RHavCPzhKiqJzhPs2oq0dflOEGDig>
Feedback-ID: i1a614672:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 41CF5BC0078; Wed, 26 Apr 2023 22:00:50 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-374-g72c94f7a42-fm-20230417.001-g72c94f7a
Mime-Version: 1.0
Message-Id: <176783f2-f067-4e67-9909-e883a43661b0@app.fastmail.com>
In-Reply-To: <4F204215-A97B-4496-9649-91F9D51C8910@kitterman.com>
References: <20230426160609.8532BC586620@ary.qy> <a267d504-beb9-4082-82b1-f5076a83b4fd@app.fastmail.com> <4F204215-A97B-4496-9649-91F9D51C8910@kitterman.com>
Date: Wed, 26 Apr 2023 21:00:29 -0500
From: Jesse Thompson <zjt@fastmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="12a75ede8fc44b6685026005427eece7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/04dhzVygZvpq55nWKIR2LZoeJRI>
Subject: Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2023 02:00:56 -0000

On Wed, Apr 26, 2023, at 5:47 PM, Scott Kitterman wrote:
> On April 26, 2023 9:39:08 PM UTC, Jesse Thompson <zjt@fastmail.com> wrote:
> >On Wed, Apr 26, 2023, at 11:06 AM, John Levine wrote:
> >> It appears that Scott Kitterman  <sklist@kitterman.com> said:
> >> >>Domains owners who have users who individually request 3rd parties to emit mail as an address within the domain MUST NOT publish a
> >> >restrictive DMARC policy if they wish to support their users' usage of any potential 3rd party. Examples of 3rd parties include
> >> >mailing lists and email service providers. These 3rd parties are not always aware of, or willing to work around, DMARC. Domain owners
> >> >implementing DMARC as a means for governance by restricting the unauthorized usage of the domain MUST be aware that not all of the
> >> >3rd parties will make changes to work around DMARC, resulting in interoperability issues for their users' usage of the 3rd parties.
> >> >Domain owners SHOULD provide an alternative address for these users within a cousin domain or subdomain that is not directly
> >> >associated with the organization's brand-associated domain that is used for marketing and transactional email that needs the security
> >> >benefits of DMARC. These users MUST use an address within a domain that does not have a restrictive DMARC policy.
> >> >>
> >> >>(Not a troll. Not directly aware of humming (sorry, it's on my bucket list). Hopefully, didn't touch the 3rd rail. Honestly, in good
> >> >faith, representing the perspective of an extremely large domain owner, users within said policy-restricted domain, and as a 3rd
> >> >party commonly used by these, and similar, users.)
> >> > ...
> >> >I can see what you're attempting here and I see the logic.  I think the normative part would need to be about 90% shorter.
> >> 
> >> I was going to say the same thing.
> >
> >I agree it is too lengthy, but wished to convey the logic.
> >
> >
> >> 
> >> >I think it misses the impact on innocent bystanders.
> >> 
> >> It seems to me there are two somewhat different kinds of DMARC damange
> >> that we might separate. One is what happens on discussion lists, where
> >> messages get lost and in the process unrelated recipients get
> >> unsubscribed. The other is simple forwarding and send-to-a-friend
> >> which gets lost but is less likely to cause problems for the
> >> recipients beyond not getting the mail they want.
> >
> >I know you don't like talking about ESP concerns, but for the sake of fitting into the categorizations you state, I think that usage of ESPs falls into the send-to-a-friend category. Is there a better term than "send-to-a-friend" that is more aligned to the vast variety of use cases and types of customers that ESPs have grown to support? The term sounds a bit pejorative. Think about use cases like: digital receipts sent from point of sale systems via an ESP on behalf of small businesses who don't have the ability to delegate authorization to the entire domain (e.g. local-flower-shop@yahoo.com)
> >
> >And for the record, the ESP can either have unhappy customers due to rejected email, or they can do something like this (but not call it "rewriting") https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Replace_address_with_a_generic_one
> >
> 
> I don't think the categorization is specific to ESPs.
> 
> Broadly, I think the failure modes are:
> 
> 1.  Starts authorized, breaks in transit (e.g. mailing lists)
> 
> 2.  Starts as unauthorized 3rd party and stays that way (e.g. send to a friend)
> 
> I don't think there is anything ESP specific in the failure modes.

That assumes every mailing list authenticates its rfc5322.from authors and that every send-to-a-friend-er does not authenticate its rfc5322.from authors. This list does not. The send-to-a-friend-er I work for does. Maybe we don't want to trust the method the send-to-a-friend-er uses to authenticate its authors, and give a pass to the mailing list's method at the same time, but none of it matters since there's no way a mail receiving organization can determine if the message originated in an authorized context in either situation.

To be clear, I am not laying down on the tracks on the MUST NOT issue. Consider me "humming".

Yes, I'd prefer something less pejorative than "send to a friend". I'd prefer if any non-SPF/DKIM-authorized mail-emitting entity running into DMARC policies could find a nugget of advice in the spec. I'd prefer some of the other ideas I have constructively suggested in previous messages (granted, address-level authentication is wishful thinking and maybe that discussion needs a different forum). In the end, I will need to give this "how to mitigate" advice directly and I will need to explain why every domain owner is adopting DMARC for reasons other than the IETF is willing to condone. Having something to point to in the spec other than this "MUST NOT" would make that message a lot easier to convey, but doesn't change the fact that I will need to convey it.

Jesse

v2.23.0 | Report a Bug | By Email