IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

"Murray S. Kucherawy" <superuser@gmail.com> Mon, 18 March 2024 03:15 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8AAC14F6AE for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 20:15:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id airblt16AAib for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 20:15:57 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32059C14F695 for <dmarc@ietf.org>; Sun, 17 Mar 2024 20:15:57 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id 38308e7fff4ca-2cd3aea2621so11189181fa.1 for <dmarc@ietf.org>; Sun, 17 Mar 2024 20:15:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710731755; x=1711336555; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7d4SjTEr1GPJEMye3iNM30QRn8CCmi9U1UG6tFtd+s4=; b=AA6+YU4ICPR9ZyaJ57eHKDpKDKUXCw97rN84pAo2+DqupN9vQvYIOe9ZBV1t3S4eJB i/CzXlN1U94NGIoLyv5/tiE1cNz3nUIMr4eD03w4CcLGL+96h57quWYamt80RUukHsaX Lp19dMcRI4JzL9XKNce80oU1LOFnsUULs+9xLNsjjCA7+/YJW5CDsoLKhC4jDaiAyf5D Lp6x4OLzNigPgauMBKxlCCxiA+ZK1DB/cpZbqLmyHYpZUFIgwfNY0DKUvwUWPHc8vDtP zg6PdGN4ce6ran/6X79Xupt8MtlGiIKlgZ/eGje0MQitGuCfVlGsjgWAEWsd5tmaSLr4 zv/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710731755; x=1711336555; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7d4SjTEr1GPJEMye3iNM30QRn8CCmi9U1UG6tFtd+s4=; b=dHaEp1U6yL7fcAHep7lSdgFbMvcXj7MGkR3I3jEh2XF2p4ln3YUS5BNe/Fuw4wHIQ7 G+UwEXS6HGBweSJNncb09WZBh2BPnj9D6DuFpI7lkMZapZ2N3mUVaT6L9JQpxnsQ0378 B55sUehbdJDPvkLHwW3+Tgm6PI8oXvuxralJbWgNVW/MaZUeabdZnzLh7w8lS4VtAqDm 536biPaJ3ievJPJ4hEvvANckVCOI+y9KMyNhaf8esEa0bNN9xmSh+yzNfZV58UqF40i0 nVoV9hiki74BfJMM0mqzchx7sWKjiEAtnamsVfbLGBAa7pg81xo46VYlHvInQUWupzCu uBUQ==
X-Forwarded-Encrypted: i=1; AJvYcCVQWzu5q3PspP2G4Gpkeb819KXFm16R763/oxM5F75zzlPLQaGdy0BQF0hWuG4ngAPyh3v2FzlQbtd96Pd4og==
X-Gm-Message-State: AOJu0YwaERSKkoUyH5Qm+ryPkKJQ5kfYAZmoHrxuaKJwrLo/yiE+n+iu SQfVHA6f55PIwIVguPphE5zDDFr8nESWxFxzhWED9pRP3HQ6F4UoVP5dnCBBiEMhhejNccwhGEa tdL2ITPzzf5aUh+ECDdnbkrvJTtw++WAwbpI=
X-Google-Smtp-Source: AGHT+IEWB34oizO7gadUrKqyNZFbfQQ6jHwhskK5HMcvyUIDOcF/XbNsBwUSOy4vRHLmXdW4EggatHxJ0781r7pRowk=
X-Received: by 2002:a2e:9816:0:b0:2d4:4b6c:3312 with SMTP id a22-20020a2e9816000000b002d44b6c3312mr6318064ljj.2.1710731755191; Sun, 17 Mar 2024 20:15:55 -0700 (PDT)
MIME-Version: 1.0
References: <2068150.yCtiIVWOOC@zini-1880> <20240318013630.455118593233@ary.qy> <CAJ4XoYcoJFqYoAt_jq6jfsSjqtjaifiUzaqY-zkg7R3o5Bio0A@mail.gmail.com>
In-Reply-To: <CAJ4XoYcoJFqYoAt_jq6jfsSjqtjaifiUzaqY-zkg7R3o5Bio0A@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Mon, 18 Mar 2024 13:15:42 +1000
Message-ID: <CAL0qLwYMQ4pg9fEHkAcGLCDRCK0QiAW_hzrn2ksofqTbHavvbg@mail.gmail.com>
To: Dotzero <dotzero@gmail.com>
Cc: John Levine <johnl@taugh.com>, dmarc@ietf.org, sklist@kitterman.com
Content-Type: multipart/alternative; boundary="0000000000009308450613e6c60d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2TTckMaQpoNSjWEYgr2io6_oY8c>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 03:15:57 -0000

On Mon, Mar 18, 2024 at 1:08 PM Dotzero <dotzero@gmail.com> wrote:

>
> Add this to 11.1 Authentication Methods
>>
>>
>> Both of the email authentication methods that underlie DMARC provide
>> some assurance that an email was transmitted by an MTA which is
>> authorized to do so. SPF policies map domain names to sets of
>> authorized MTAs [ref to RFC 7208, section 11.4]. Verified DKIM
>> signatures indicate that an email was transmitted by an MTA with
>> access to a private key that matches the published DKIM key record.
>>
>> Whenever mail is sent, there is a risk that an overly permissive source
>> may send mail which will receive a DMARC pass result that was not, in
>> fact, authorized by the Domain Owner. These false positives may lead
>> to issues when systems interpret DMARC pass results to indicate
>> a message is in some way authentic. They also allow such unauthorized
>> senders to evade the Domain Owner's requested message handling for
>> authentication failures.
>>
>
> I have a problem with this 2nd paragraph and believe it is factually
> incorrect. The Domain Owner has in fact authorized the message(s) as a
> result of an overly permissive approach. I would suggest that in fact any
> resulting DMARC pass is technically NOT a false positive because it is
> authorized by the overly permissive approach..
>
>
It's a false positive in the sense that the result is not what the Domain
Owner probably wanted to have happen.

It is not a false positive in that the technology did exactly what it was
supposed to do; i.e., this is not a bug.

We should just be clear about this.

-MSK, p11g

v2.23.0 | Report a Bug | By Email