Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed language

Alessandro Vesely <vesely@tana.it> Mon, 14 June 2021 11:12 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D15A3A207E for <dmarc@ietfa.amsl.com>; Mon, 14 Jun 2021 04:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lYRfxYVoWpe for <dmarc@ietfa.amsl.com>; Mon, 14 Jun 2021 04:12:07 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 373B93A207A for <dmarc@ietf.org>; Mon, 14 Jun 2021 04:12:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1623669122; bh=m0kgNG3k/FtI8PHvVoUpQr2zIMZqKXTqFDag1+sU2gY=; l=4568; h=To:References:From:Date:In-Reply-To; b=CEs+4JMBJ4xG9cWWyxj6TXng1a6Q+iJAojF3bKPGdylqN/JDFkUtIr11R0k0x7oVn 8Gj5rQ4I1bBfe3C7pPeJ87EGJQRNCU700Ts9UhJVUulda+OI+QyT7z4JIYFktsRvUC Fvex/6RyDDqRS7F22TubJTWKW1TbfuqBqEmVUqYg4y3Eoz/c1bJJrnlYR+HSk
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC026.0000000060C73982.00001265; Mon, 14 Jun 2021 13:12:02 +0200
To: Douglas Foster <dougfoster.emailstandards@gmail.com>, IETF DMARC WG <dmarc@ietf.org>
References: <CAH48ZfzuM298fkmhoZtH1ZbK=9Ne9EYtyTYNV27PSsPBW=Gq-w@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <1a666b47-d556-e758-f4ce-05de79c449d1@tana.it>
Date: Mon, 14 Jun 2021 13:12:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <CAH48ZfzuM298fkmhoZtH1ZbK=9Ne9EYtyTYNV27PSsPBW=Gq-w@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1mYubgeHr3QfqDqyMFqEmh_4--E>
Subject: Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed language
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2021 11:12:13 -0000

Doug,

maybe it's me, but I have problems understanding your proposal.  Let me quote 
what seems to hamper my comprehension.

Besides, #11 in the Subject: is obviously a typo.


On Sat 12/Jun/2021 14:55:33 +0200 Douglas Foster wrote:
> ties the design directly to the mailing list problem.


I couldn't see where mailing lists are taken into account.


>    However,this authentication can be lost in transit if message modification 
> occurs in transit, as discussed in RFC 7960.  This possibility can make domain 
> owners reluctant to move beyond sp=none.


Why do you consider SP irrespective of P?  Actually, SP could be used by 
"simple" mail sites, those which make no use of subdomains for email.  In such 
cases, setting sp=reject can safely prevent generic abuses even for domains 
having p=none.  It sounds similar to null SPF records for non-mail hosts.


> x.1 Implement mail domains as DNS domains with domain-level DMARC policies.
> 
> Mail domains are often implemented as DNS domains, but this is not required.


Please, stick to well established jargon.  Tim made a good synthesis in section 
2.2 and ensuing ones.  A /DNS domain/ is defined by RFC 1034:

     A domain is identified by a domain name, and consists of that part of
     the domain name space that is at or below the domain name which
     specifies the domain.

In this sense, the concept of non-existing domain names that are legitimately 
used sounds like a contradiction in terms.


> Once all used mail domain names are configured as DNS domains, they can be
> configured with DMARC policies.

AFAICS, a /used mail domain name/ which is not a DNS name is a /non-existent 
domain/ found in some (forged) email addresses.  I agree that such practice 
should be discouraged.  Yet, that doesn't seem to be the point here...

BTW, are there organizations that use non-existent (sub) domains during the 
delivery of legitimate messages?  Years ago I saw sporadic mailing list authors 
forged like john.doe@NOSPAMexample.com.  Is that what you're talking about?


> - For mail domain names that are not used with SMTP, a new TXT record is 
> defined, with content "DMARCFROMv1".   The presence of this TXT record 
> indicates that the associated DNS domain, named DNS resource record, or 
> wildcard DNS record should be considered as potentially in use as an 
> RFC5322.From domain name.


Ok, that is clear, but, IMHO, won't work.  Working MXes or IP addresses are a 
necessary condition to receive mail.  Thus, a purist receiver has to accept 
such domains as valid.  Therefore traditionalist domain operators will not see 
a compelling need to define any auxiliary TXT records.  A new RR type of this 
kind would most probably be going to characterize mass mailers who hasten to 
adopt any new trick that seems to offer a chance to increase deliverability. 
Undoubtedly, someone would be tempted to discard senders based on that (as it 
happened to DKIM...)

An organization which wants to say sp=reject but does use some email subdomains 
had better define plain DMARC records for them.  Records can be easily 
duplicated by CNAMEs.  If we needed to vary some parts but not others, for 
example a different policy but the same aggregate reporting address, we should 
define something equivalent to SPF's include.


> - For used domain names that are not in DNS at all, a DMARCFROMv1 TXT record
> is needed to indicate that the name is used for mail.

Actually, /any/ record definition will turn a domain into an existing one. 
However, by Section 2.7 of PSD, which defines the MX/A/AAAA test, such domain 
would still be non-existing.  In that sense, DMARCFROMv1 conflicts with PSD.


> x,3 Implement SPF -ALL policies on unused names.
> 
> Organizations that have configured SPF to protect their valid RFC5321.MailFrom 
> domains may not have taken the extra measure of using SPF to obstruct names 
> that are not used for mail.  While not directly part of DMARC, an 
> authentication result of "DMARC=NONE SPF=FAIL" is a more meaningful result than 
> "DMARC=NONE, SPF=NONE".  Consequently, it is desirable to  ensure SPF=FAIL for 
> any names that are never used as RFC5321.MailFrom domain names.   Since SPF has 
> no inheritance, this requires many entries.


That's a well known SPF issue:
http://www.open-spf.org/FAQ/Common_mistakes/#all-domains

There used to circulate scripts to generate null SPF records.  It would help if 
DNS hosting services implemented a checkbox to carry out such task.  But this 
if far OT.


Best
Ale
--