[dmarc-ietf] DMARC and ARC
Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 05 December 2020 03:58 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DA683A0962 for <dmarc@ietfa.amsl.com>; Fri, 4 Dec 2020 19:58:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TfyBzj7rYBRW for <dmarc@ietfa.amsl.com>; Fri, 4 Dec 2020 19:58:41 -0800 (PST)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B91683A095F for <dmarc@ietf.org>; Fri, 4 Dec 2020 19:58:41 -0800 (PST)
Received: by mail-vk1-xa33.google.com with SMTP id v185so1769888vkf.8 for <dmarc@ietf.org>; Fri, 04 Dec 2020 19:58:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=965ONkz/m8iGzCXrj4yfegq/N+72AkAX92ukM8F/sfo=; b=M2ngiWnn03CehFyOER5By9d+ZPdEIIx/wjMhNTNplJC9w96ZySYhcv3bbVo1LHMaNc FvbUxjuQTGVcBce+OjRQmYWxNuqNY8q1cPUhibqgAtur2byrRFJo3MQfZNoXMwkcorc9 SrbcT9GzErlcvOkXw9yfwYZQ4Yg9dLpr85TUj80So34AhFrI8utB+g9T6QH3S9tayTQ1 kOOutLbtQ1Aa7QT8G7PiH5bZUb5iPYLQgyUQ2Je1gZBI57S2FwxIWR8y85piLVavKSrx O0PUM1nWNrsZPgsvkIudZdzysQmz0NquidUnCVVOAUiyK97IOY6g/o3RHI90VJKkzmGa qAEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=965ONkz/m8iGzCXrj4yfegq/N+72AkAX92ukM8F/sfo=; b=CqJ+NiNR5h8hsqm0+r07PhGyS/Hl79Oe3hOOESm2gZ0CuUhVOW5erpzgvHtrlWVBIF R9x++lde4z7SRQbT1pgP/AG5SUgRmLBt7XyFTNSVh62jDvy0oJgJpH+GGfThfgyN7VOI P3oLpEnWBs/a4OpQNbuIpC98T2tyWT0SoFQdaWNXvag0EooWOESd+CT43owRJrFt5b3Y ebPYzOLKSQbYPDyfr/Cb/hlhHnUFM/5SdrMKKlROl1kplm32JBpav9g7l6MFS5/WZk2l 3SEjt3sLl+mL3AWRJTdPweq+OKm3qy69DzFdQlLfpC5IrIXR1/bf++rLnDDBDFLFTy7j p5Og==
X-Gm-Message-State: AOAM531bO/M2oK0Nv2KT6OJ26KCEKtcoAzG4rTFWGOzDvfH9e65njHdu SGmAtOuxwVwUadtNbh9774hV4pm/pNbmHye+Eu8h/upiyJE=
X-Google-Smtp-Source: ABdhPJxGb74atHFBG/+aCiKoJg5JY3XVLu1peSqM+tjVj4Ks0+ENBNC2ZOt1grt46dKeTCAL1snhdawbGPOzaohHHVk=
X-Received: by 2002:a1f:9f04:: with SMTP id i4mr7486366vke.7.1607140720522; Fri, 04 Dec 2020 19:58:40 -0800 (PST)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 04 Dec 2020 22:58:30 -0500
Message-ID: <CAH48Zfx1gL-rnqWWaJODi72Sgp6F70Bm_kAYL5rwSmVmopQ9qg@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c03c6805b5af9b59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1BC7qQoZ21wAyvu0GkWq4pEapHI>
Subject: [dmarc-ietf] DMARC and ARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Dec 2020 03:58:44 -0000
Michael Thomas has asked some questions which have stimulated my thinking about how to describe the big-picture questions here. I suggest that too much attention has been focused on solving the “mailing list” problem, and too little on the “message receiver” problem. Forwarded email creates big problems for message receivers. First, lets begin with the obvious: malicious messages come from enterprises that are in the malicious message business. They rarely send just one message, and their content changes continually. Therefore, my priority is to block malicious sources. Messages that are correctly blocked on content, rather than source, are the canary-in-the-mine which warns me that my sender blocks need to be tightened. I currently use 5 identifiers to apply a reputation, and therefore a disposition, to a message source: Source IP, HELO name, ReverseDNS name, SMTP Address, and From Address. These identifiers are combined with the available verification methods: Forward-confirming the two DNS names to the source IP, SPF PASS, and DMARC-compliant. On any specific message, some of this information is not required to assign a reputation and disposition, but across a day’s messages, each of these identifiers and attributes are needed at some point. If a message is not forwarded, every organization involved in its delivery is assumed to have a relationship to the sender and therefore a shared responsibility for the final product. DMARC, SPF, and many spam filters assume that the adjacent MTA is the only source that needs to be evaluated. Forwarding introduces an intermediary organization which presumably operates on behalf of the recipient, rather than the sender. It is not involved in the creation of the message and has no economic relationship with most of the message sources. More importantly, because it will be forwarding messages from sources with a variety of reputations, the forwarder will be perceived as having a very unreliable reputation – sending both very much unwanted content and very much wanted content from the same or overlapping identifiers. SPF and DMARC force the forwarder to reliably identify itself, but in this process, they force the forwarder to hide information that the receiving MTA needs for proper message filtering. This aggravates any effort to filter based on original-source identity. Consequently, both the recipient MTA and the forwarding MTA need for the recipient MTA to evaluate a message based on the true source, the entity (or entities) prior to the forwarder. Unfortunately, we have no reliable way to know if a message has been forwarded, although some guessing strategies are available. Even when forwarding is presumed, reconstructing the 5-identifier / 4 verification dataset is nearly impossible due to data loss. Any attempt to evaluate prior sources requires evaluating the entire Received chain, and the supporting data, including ARC, which goes with it. ARC begins to give us a way to trust parts of the Received chain, and this moves us toward the possibility of evaluating the Received chain effectively. But it does not meet my needs, because it does not ensure that I can use any specific ARC Set to reconstruct the 5 identifier / 4 verifications dataset needed to evaluate the source correctly. Additionally, evaluating the Received chain is a huge increase in complexity, for both the code to implement an algorithm and the run-time processing needed to execute the algorithm. Processing power and coding sophistication keeps getting better, so perhaps the main problem is getting the data set right.
- [dmarc-ietf] DMARC and ARC Douglas Foster
- Re: [dmarc-ietf] DMARC and ARC Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC and ARC Dotzero
- Re: [dmarc-ietf] DMARC and ARC Douglas Foster