IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 24 October 2022 11:00 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 188A2C14CF0D for <dmarc@ietfa.amsl.com>; Mon, 24 Oct 2022 04:00:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cyp05sn0ZvGr for <dmarc@ietfa.amsl.com>; Mon, 24 Oct 2022 04:00:28 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29697C14F692 for <dmarc@ietf.org>; Mon, 24 Oct 2022 04:00:28 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id j4so16172180lfk.0 for <dmarc@ietf.org>; Mon, 24 Oct 2022 04:00:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=3+7GSRUEErq1IJXSVZeN3NTwN4P269OG47T2myJ8SQA=; b=o7LbqfsfaEUR4E1X/PJXq7gUmDXrTOzmvERXd4fNxE/O9wg9xPDzkh5NNH1ZneUM5o yeKbRaPVQRNMBhE/GZYmdpcOqMN6bfq370WS8zLMqqlUVkcBQ2Ac1cTEAueiVK3KQ4mn nBF5OjfEcWejZilod7ivbRqKDSX/XOtzfy1XhBB/wI9snsoOjGyVfXpJT2OpnzeCxTO6 dzzGJvM//swYfv/+CFKLQHkDcuNLzrFySoUvpRWrHSy8V0ilwd5sITJwltyTGsjguW7z uMxmgUO8a3Uf4hfAN3pWdzZvWx7mZCqs8XAYmh2/xh8H79WoXiFSo0gRb847zTnJXRU2 z5kQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=3+7GSRUEErq1IJXSVZeN3NTwN4P269OG47T2myJ8SQA=; b=0tsDho5ZhVqZf9VZs24CxOyQbu2uEep/oRmyt2nVNTPwGPQOIkPK2sCUiJYoiaAXdk d1OWxj3k9ejnj06tFyAFLBDVDCDwDlvoaA1C8JNVlxyZst5YUeb9twfIqPeOGKIPmhxc bNYt5REmnYHVvMxqIRuRl41cKcOeS7zZAgLFF5kbydu18ydEATgY++YYvT0UhVLRgeUN aYPgM7eszX1RU6fO3kXpMcpYerShze/UhRcPcRr0e7qF16hNp4/Rg2rCWj7deTSuqolR uG6mKqsk8OTJiOaq9G5SPo0ZaZjtaK2qSlNmlKX2vRmbBdxn1Z+Fc6b4xUZs9qoziutv C2fA==
X-Gm-Message-State: ACrzQf0426gWVeaQMWoIEPWKPh/sokSFnng5Ryi21jx7ksMUF7HESlpn LkLfhg8aD2/1SYSKSSqdjcacNeF4gIkdfE82zHCnBF6wx5A=
X-Google-Smtp-Source: AMsMyM5XZeWhje9A2C4Ol5wK32zafZv8gT4el02HbHPUMAZ0HjSyUjyhier9lQwNQkBS1OjwNfiFWEE4Ag23cHSeQA4=
X-Received: by 2002:ac2:5dc8:0:b0:4aa:26a2:bd94 with SMTP id x8-20020ac25dc8000000b004aa26a2bd94mr2665419lfq.60.1666609225373; Mon, 24 Oct 2022 04:00:25 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com> <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com> <CAH48ZfxHzEHRGW-Omkj_HotO6kSdUByxhJstQTWn5hpOapYaRQ@mail.gmail.com> <CAJ4XoYe+s7BmFcvtNPaWu1i4kv_j=CtqA1DbkusfGk9s4rDYeA@mail.gmail.com> <560ccd88-2217-9e47-f690-6bc413c67ffa@tana.it> <CAJ4XoYdbPzf5ib6TX1s4tASANUj0FdrHb1uuJy52KdQayj8y3Q@mail.gmail.com> <bcdac862-95d3-94b3-9876-1a7b62a231e6@tana.it>
In-Reply-To: <bcdac862-95d3-94b3-9876-1a7b62a231e6@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 24 Oct 2022 07:00:13 -0400
Message-ID: <CAH48ZfxFZ=CVnvH7c8=n8f1W14_sxA9w_7cmhvG7fVBt2P5v6A@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000db9fa205ebc5b22a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/13PVTV_JnoOSvKD9-GkgehEsWt0>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 11:00:32 -0000

I continue to object to the notion that unaligned domains are relevant to
DMARC reporting, even on a "conditionally useful" basis.

This has become a scope issue:  what does DMARC do for domain owners?   My
answer:

DMARC defines an approach to proxy verification of the FROM address, using
SPF-verified MailFrom and verified DKIM domains as the proxy agent.

DMARC Aggregate reports help domain owners inventory their legitimate
senders to ensure that all messages originate with dual authentication.
This requires reports to include the server identity, the MailFrom
identity, and the evaluation result.   Disposition results are not needed,
but having information about message rejection volumes will help a domain
owner prioritize his efforts.

DMARC policy allows a domain owner to announce to recipient evaluators that
all of his legitimate outbound mail originates with dual-authentication.
 This is expected to influence how recipient evaluators handle
unauthenticated messages.

DMARC Aggregate reports identify unauthenticated messages that are
delivered by servers outside the domain owner's control.  In some cases,
this may help identify servers and server organizations that are candidates
for takedown efforts by law enforcement.   This requires reports to include
the server identity, the MailFrom identity, and the evaluation result.
 Disposition results may be useful to help law enforcement prioritize their
efforts against the biggest offenders,

The domain owner cannot control message flow after it leaves his
organization, and the domain owner cannot fix a forwarding operation that
causes a message to arrive without verification.

It is the recipient evaluator's problem to determine whether an
unauthenticated message is an acceptable forward, an acceptable
impersonation, or an unacceptable malicious impersonation.   ARC is a way
for a forwarder to attempt validation with the recipient evaluator.   The
domain owner can neither trigger this process nor  influence its
results, so he is irrelevant.   An aggregate report can document that ARC
validation was accepted by the evaluator, to gauge the extent of ARC
support.  It can also identify a particular forwarder as non-malicious, and
therefore not a candidate for law enforcement, based on the judgement of a
particular evaluator.

Nothing in this list uses knowledge about unaligned signatures, and
therefore any craving for unaligned signature data must come from a
non-DMARC direction.

DMARC is complex.   Reporting unaligned signatures to domain owners is an
unnecessary complexity, and one that also seems inappropriate.

Doug


On Mon, Oct 24, 2022 at 5:48 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Sun 23/Oct/2022 14:16:30 +0200 Dotzero wrote:
> > On Sun, Oct 23, 2022 at 6:29 AM Alessandro Vesely <vesely@tana.it>
> wrote:
> >> On Sat 22/Oct/2022 18:25:55 +0200 Dotzero wrote:
> >>> Unaligned signatures are orthogonal/irrelevant to DMARC. They may be
> useful in
> >>> other contexts. In the DKIM standard, signatures mean that the signer
> is
> >>> asserting some (unspecified) responsibility for the signed message.
> That may be
> >>> useful for some reputation systems.
> >>
> >> Somewhat skewed w.r.t. orthogonality, actually.  Indirect flows are
> >> explicitly mentioned in the I-D as a reason to override DMARC
> dispositions:
> >
> > DMARC only gives a pass if either SPF or DKIM passes. Unaligned DKIM
> > signatures will NEVER give a DMARC pass.
>
>
> How about dmarc=redeemed?
>
>
> >>     There MAY be an element for reason, meant to include any notes the
> >>     reporter might want to include as to why the disposition policy does
> >>     not match the policy_published, such as a Local Policy override
> >>     (possible values listed in Appendix A).
> >
> > Local Policy is just that. When a Receiver invokes Local Policy it is
> > saying "I don't care what DMARC says, I'm choosing to ignore DMARC
> Policy
> > and do something else".
>
>
> It is a local decision to trust an ARC seal or an unaligned signature,
> depending on the signing domains.  Yet, the decision can be made by the
> same
> filter which looked up the From: domain policy.
>
>
> >> ARC too is a kind of unaligned signature, albeit with a bunch of
> >> additions. The extra information it carries, designed to bestow enough
> >> trust in the chain of custody to outweigh the self-referential reliance
> of
> >> aligned From:, doesn't substantially change the semantic of DKIM
> >> signatures.  And we should say how to report it, sooner or later.
> > > ARC != DMARC. It is a separate RFC that gives participants an
> alternative
> > means of evaluating mail flows when DKIM signatures are broken. Nothing
> > more and nothing less.
>
>
> Conflicting protocols?  ARC was devised by the DMARC WG, during the phase
> of
> "improving the identification of legitimate sources that do not currently
> conform to DMARC requirements."  So, yes, on the one hand, since unaligned
> signatures don't conform to DMARC requirements, they're not DMARC.  On the
> other hand, as a fusion of deterministic authentication techniques and
> domain
> policies, DMARC is intrinsically extensible.  For aggregate reporting in
> particular, we explicitly provide for extensions.
>
>
> >> I'm not proposing to mandate the evaluation of any evaluable item.
> >> However, I'd neither discourage it.  Perhaps technology will provide us
> >> with ecological sources of energy.
> >
> > There is nothing wrong with using whatever data points you have
> available.
> > That doesn't necessarily mean that such evaluations and choices are
> DMARC.
>
>
> If ARC were a separate thing, it'd make no sense to include its data in
> DMARC
> aggregate reports.
>
> I think what we could do is to identify some criteria that a report
> generator
> may follow, such as doing everything, reporting up to X signatures, or
> doing
> SPF only.  Such meta data could be useful to report consumers, along with
> the
> generator's software/version.
>
>
> Best
> Ale
> --
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email