Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
Scott Kitterman <sklist@kitterman.com> Mon, 18 March 2024 03:32 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73CD3C14F6AF for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 20:32:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="GXjqWQ5g"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="O+mND4q+"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Toze8nwemMqx for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 20:32:09 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E701C14F6AE for <dmarc@ietf.org>; Sun, 17 Mar 2024 20:32:09 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 2C8F6F80270; Sun, 17 Mar 2024 23:31:57 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1710732701; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=GvhgjknDfAuCMCnJRv+ywHezhLEPPQj8+y6gD0YiRg0=; b=GXjqWQ5gS3mmPOXtspoM7+HbrMXIr/F0smvA4lsCM1vQNetz3WefJDEbVWgkXE1/Up5+M TjaAr/RMTv0/lfhCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1710732701; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=GvhgjknDfAuCMCnJRv+ywHezhLEPPQj8+y6gD0YiRg0=; b=O+mND4q++4LCiWQ+jaZIySKeE5VW1glOer3LBm4BoLyGfYZn+tSehuS4oZ6fhKNXhYdoT OQxCfn/9GlHbP8sp2K6dXqkryF9+lqvX2D9KJzhLLbKXq4JyItx4o7vTH8nb8TjFaVMRC7O 4hLmfwa0xMd+EVpezg5m9oLcN+ASK8UoOiemQLYbWAb4FWiJ2Gr/UgfjlyodlNKCDvt+oqs cZGKogxncohLhrWy/QeKLMR6uZEenFYndvQRvn16ouJgMiAEy5Kt8zmnE0f/hhEzPHL2GDW e/jEr6sd3g6av+sF/3uJ2Qw1VVqA/BFMcQne9O7XD0yby9VXXqYd+T58OFvg==
Received: from [127.0.0.1] (unknown [24.248.18.5]) by interserver.kitterman.com (Postfix) with ESMTPSA id 9704FF801AA; Sun, 17 Mar 2024 23:31:41 -0400 (EDT)
Date: Mon, 18 Mar 2024 03:31:32 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <CAL0qLwYMQ4pg9fEHkAcGLCDRCK0QiAW_hzrn2ksofqTbHavvbg@mail.gmail.com>
References: <2068150.yCtiIVWOOC@zini-1880> <20240318013630.455118593233@ary.qy> <CAJ4XoYcoJFqYoAt_jq6jfsSjqtjaifiUzaqY-zkg7R3o5Bio0A@mail.gmail.com> <CAL0qLwYMQ4pg9fEHkAcGLCDRCK0QiAW_hzrn2ksofqTbHavvbg@mail.gmail.com>
Message-ID: <212643C0-4BB6-4F5B-8005-B4423A7F8E1D@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3ETBORpO8e_r-pyXCwkT0b4F8sM>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 03:32:14 -0000
On March 18, 2024 3:15:42 AM UTC, "Murray S. Kucherawy" <superuser@gmail.com> wrote: >On Mon, Mar 18, 2024 at 1:08 PM Dotzero <dotzero@gmail.com> wrote: > >> >> Add this to 11.1 Authentication Methods >>> >>> >>> Both of the email authentication methods that underlie DMARC provide >>> some assurance that an email was transmitted by an MTA which is >>> authorized to do so. SPF policies map domain names to sets of >>> authorized MTAs [ref to RFC 7208, section 11.4]. Verified DKIM >>> signatures indicate that an email was transmitted by an MTA with >>> access to a private key that matches the published DKIM key record. >>> >>> Whenever mail is sent, there is a risk that an overly permissive source >>> may send mail which will receive a DMARC pass result that was not, in >>> fact, authorized by the Domain Owner. These false positives may lead >>> to issues when systems interpret DMARC pass results to indicate >>> a message is in some way authentic. They also allow such unauthorized >>> senders to evade the Domain Owner's requested message handling for >>> authentication failures. >>> >> >> I have a problem with this 2nd paragraph and believe it is factually >> incorrect. The Domain Owner has in fact authorized the message(s) as a >> result of an overly permissive approach. I would suggest that in fact any >> resulting DMARC pass is technically NOT a false positive because it is >> authorized by the overly permissive approach.. >> >> >It's a false positive in the sense that the result is not what the Domain >Owner probably wanted to have happen. > >It is not a false positive in that the technology did exactly what it was >supposed to do; i.e., this is not a bug. > >We should just be clear about this. > >-MSK, p11g I agree. I think John's proposed text is appropriate for this. Scott K
- [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Douglas Foster
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… John Levine
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… John Levine
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Dotzero
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Murray S. Kucherawy
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Benny Pedersen
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… John R Levine
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Dotzero
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… John R Levine
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… John R Levine
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What… Alessandro Vesely