Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99

[Todd Herr <todd.herr@valimail.com>]

On Fri, Jul 16, 2021 at 5:32 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Tue 13/Jul/2021 20:09:45 +0200 Todd Herr wrote:
> > On Tue, Jul 13, 2021 at 7:03 AM Douglas Foster wrote:
> >
> >
> > draft-ietf-dmarc-dmarcbis-02 instead starts with this text:
> >
> >     pct:  (plain-text integer between 0 and 100, inclusive; OPTIONAL;
> >        default is 100).  For the RFC5322.From domain to which the DMARC
> >        record applies, the "pct" tag is the percentage of messages
> >        producing a DMARC result of "fail" to which the Domain Owner
> >        wishes its preferred handling policy be applied.
> >
> > Since the concept of applying DMARC policy to messages that produce a
> DMARC
> > result of "pass" doesn't exist, it doesn't make sense to claim that "pct"
> > applies to the entire mailstream.
>
>
> Why not?  I'd say that a DMARC filter takes no action when dmarc=pass
> (except
> for setting Authentication-Results: and feedback data).  The policy
> requests
> noop on pass, and it is applied indeed.
>
>
I will continue to maintain that it makes no sense to talk about the
concept of applying DMARC policy to messages which pass DMARC validation
checks, especially in the context of the 'pct' tag.

In RFC 7489, the definitions of "quarantine" and "reject" both speak of
their application in terms of "email that fails the DMARC mechanism check".

So, for a DMARC record such as this:

_dmarc.foo.com IN TXT "v=DMARC1; p=quarantine; pct=X; rua=...."


I assert that the domain owner is requesting that X percent of the messages
that fail the DMARC mechanism check be subjected to the "quarantine"
policy.

To assert that the domain owner is instead asking only that DMARC
validation checks be performed on X percent of the messages runs the very
real risk of the pct mechanism being even less useful as a ratchet,
especially when X is small, because that X% of the total mailstream might
not contain any DMARC failures.

It occurs to me now that something like the following is considered a valid
DMARC record, and we should probably fix that:

_dmarc.foo.com IN TXT "v=DMARC1; p=none; pct=25; rua=...."


The fix would be to describe the 'pct' tag as only valid with p= quarantine
or reject, because "p=none, pct=X" is just a nonsensical way of writing
"p=none; pct=100", because you're going to get "none" on all failures
regardless.


> > Next, draft-ietf-dmarc-dmarcbis-02 contains a substantial rewrite of the
> > Message Sampling section (now section 6.7.4) that goes to great lengths
> to
> > attempt to show that the desired pct value really can't be counted on to
> be
> > applied as asked for, and what might actually happen could vary widely
> from
> > what's desired.
>
>
> I find that section excessively long and difficult.  It doesn't mention
> the key
> point that the percentage is more and more exact as the number of (failed)
> messages grows.  Indeed, pct=20 doesn't say that the policy should apply
> to one
> of /the first five/ messages.
>
>
Please suggest alternate text.

>
>
> The last paragraph of Section 6.7.4.2 seems to say that pct affects
> reporting:
>
>     *  "0" - A request that zero percent of messages producing a DMARC
>        "fail" result have the specified policy applied.  While this is
>        seemingly a non-sensical request, this value has been given
>        special meaning by some mailbox providers when combined with
>        certain "p=" values to alter DMARC processing and/or reporting for
>        the domain publishing such a policy.
>
> I'd remove "and/or reporting".
>
>
This section is an attempt to discuss the need for one to have a policy of
"p=quarantine; pct=0" to get accurate reporting from Google in the past,
and was mentioned during the last interim -
https://datatracker.ietf.org/doc/minutes-interim-2021-dmarc-01-202105270900/

Please suggest alternate text.

-- 

*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* todd.herr@valimail.com
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.