Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC

Ken O'Driscoll <ken@wemonitoremail.com> Mon, 14 June 2021 18:39 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2LNUUTAxFowPX7dC1oo9KPNo1gw>

I think this is a bad idea as it adds unnecessary additional complexity. Currently, a domain owner can choose to only implement DKIM or SPF on a mail stream if they only wish one mechanism to be evaluated.

Further, if there is a (renewed?) desire to apply a policy layer to DKIM signed messages, then isn't that what ADSP (RFC 5617) was intended for?

Ken.

________________________________
From: dmarc <dmarc-bounces@ietf.org> on behalf of Brotman, Alex <Alex_Brotman=40comcast.com@dmarc.ietf.org>
Sent: Monday 14 June 2021, 18:10
To: dmarc@ietf.org
Subject: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC

Hello,

I was talking to some folks about DMARC, and a question came as to suggest as the domain holder that your messages should always pass DKIM.  Effectively, the asker wants to say "I intend to deploy SPF and DKIM, but I will *always* sign my messages with DKIM."  So the obvious answer may be "Just only use DKIM", but I'm not sure that completely answers the question.  While discussing with someone else, "Tell me when DKIM fails, but SPF is fully aligned".  There was recently an incident at a provider where they were allowing any sender to send as any domain (and I'm aware that's not specifically a DMARC issue).  We all know brands that have just dumped in a pile of "include" statements without fully understanding the implications.  In this case, other users could send as other domains, but perhaps they would not have been DKIM signed.  Should there be a method by which a domain holder can say "We want all message to have both, or be treated as a failure", or "We'll provide both, but DKIM is a must"?

From a receiver side, it makes evaluation more complex.  From a sender side, it gives them more control over what is considered pass/fail.

How does this look in practice?  Maybe "v=DMARC1;p=quarantine;rua=...;pm=dkim:must,spf:should;"
(pm=Policy Matrix)

Does this make everyone cringe, or perhaps worth a larger discussion?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
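As an added illustration of the receiver-side complexity Ken objects to (this is not code from either poster, and the `pm=` tag with its `must`/`should` values is Alex's hypothetical syntax, not a standardized DMARC tag), the following Python sketches what a receiver would have to layer on top of the RFC 7489 rule that an aligned pass from either SPF or DKIM is sufficient; the `rua` address is a constructed placeholder.

```python
"""Toy evaluator for the proposed 'pm=' policy-matrix tag from the thread above.

Constructed example: the 'pm' tag and its 'must'/'should' levels are the
proposal's hypothetical syntax, not part of RFC 7489 or any deployed DMARC.
"""


def parse_dmarc(record: str) -> dict:
    """Split a 'tag=value;...' DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    return tags


def parse_policy_matrix(pm: str) -> dict:
    """'dkim:must,spf:should' -> {'dkim': 'must', 'spf': 'should'}.

    Unknown mechanisms or levels are rejected rather than ignored, so a typo
    in the published record cannot silently weaken the intended policy.
    """
    matrix = {}
    for item in pm.split(","):
        mech, _, level = item.strip().partition(":")
        if mech not in ("dkim", "spf") or level not in ("must", "should"):
            raise ValueError(f"bad policy-matrix entry: {item!r}")
        matrix[mech] = level
    return matrix


def dmarc_result(record: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """Return 'pass' or 'fail' for a message with the given aligned results.

    Standard DMARC: pass if either aligned SPF or aligned DKIM passes.
    With the hypothetical pm tag: every mechanism marked 'must' has to pass
    as well; 'should' mechanisms keep the standard either/or semantics.
    """
    tags = parse_dmarc(record)
    results = {"spf": spf_aligned, "dkim": dkim_aligned}
    if not (spf_aligned or dkim_aligned):
        return "fail"  # nothing aligned: fails under either rule set
    matrix = parse_policy_matrix(tags["pm"]) if "pm" in tags else {}
    for mech, level in matrix.items():
        if level == "must" and not results[mech]:
            return "fail"  # a required mechanism did not pass
    return "pass"
```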
