Re: [dmarc-ietf] THIS IS A DISTRACTION (it might be)

Alessandro Vesely <vesely@tana.it> Sat, 08 April 2023 15:52 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3Mav5uAIjE0AiOpFw8Ag3kDhL5s>

On Sat 08/Apr/2023 16:27:35 +0200 Scott Kitterman wrote:
> On Saturday, April 8, 2023 10:24:09 AM EDT John Levine wrote:
>> It appears that Scott Kitterman  <sklist@kitterman.com> said:
>>>I think you have gotten yourself sidetracked.
>>>
>>>The problem with DMARC and mailing lists is that receivers doing DMARC 
>>>checks can't (absent a list of mailing lists) reliably distinguish DMARC 
>>>fail due to normal mailing list processing and DMARC fail due to abusive 
>>>behavior.
>> Even a list of mailing lists won't do it. One of the reasons ARC is 
>> useful is that it lets recipients look back through the list manager 
>> and recognize mail that was abusive before it hit the mailing list.
>
> OK.  A list is necessary, but not sufficient.  ARC still needs some external 
> mechanism to determine when to apply it.  It can't be used to override DMARC 
> results for all mail flows, only the ones that you have sufficient trust in not 
> to lie in their ARC header fields (e.g. well behaved mailing list operators).


ARC or non-ARC, it is enough to have From: rewriting be a subscription option. 
When your MX is able to recognize the mailing list and override DMARC results, 
you can switch the option off.

How a receiver becomes aware that some of its users are subscribed to which 
lists is out of the scope of dmarcbis.  I think we should state this 
explicitly, so as to imply that mechanisms of that kind have to be adopted.

ARC is good as it testifies dmarc=pass on entry.  Indeed, it'd be embarrassing 
to find dmarc=fail in AAR, when it is too late to reject or quarantine.  MLs 
and forwarders should comply with DMARC policies even more than final 
receivers.  It has to be some kind of a special case for DMARC, because 
spreading failures amplifies their effect.  Most importantly, we cannot ask MLs 
to comply with DMARC and at the same time forbid subscribers from publishing 
strict policies.

Disrupting MLs we have already done.  Now let's try and better them.


Best
Ale
--
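As an added illustration (not code from the thread or from any of its participants), the receiver-side override decision sketched above: a DMARC fail is overridden only when a validated ARC chain comes from a trusted list operator, the recipient is known to subscribe to that list, and the list's ARC-Authentication-Results attests dmarc=pass on entry. It assumes an ARC verifier has already reported cv=pass; every domain, address and header value is constructed.

```python
import re

# Added example, not part of the thread: the receiver-side decision on whether a
# DMARC fail may be overridden for mail relayed by a mailing list. It assumes an
# ARC verifier has already validated the chain (cv=pass) and models only the
# policy step; all domains, addresses and header values are constructed.

# Constructed local policy: list operators trusted not to lie in their ARC header
# fields, and which local users are subscribed to which List-Id.
TRUSTED_ARC_SEALERS = {"lists.example.org"}
SUBSCRIPTIONS = {"alice@receiver.example": {"dmarc.lists.example.org"}}

# Constructed ARC-Authentication-Results (AAR) values as a list might add them.
AAR_PASS = ("i=1; lists.example.org; dmarc=pass header.from=subscriber.example; "
            "spf=pass smtp.mailfrom=subscriber.example")
AAR_FAIL = ("i=1; lists.example.org; dmarc=fail (p=reject) header.from=subscriber.example; "
            "spf=pass smtp.mailfrom=subscriber.example")

AAR_RE = re.compile(r"^\s*i=(\d+);\s*([^;\s]+);\s*(.*)$", re.S)

def parse_aar(header):
    """Split an AAR value into (instance, sealer authserv-id, {method: result})."""
    m = AAR_RE.match(header)
    if not m:
        raise ValueError("malformed ARC-Authentication-Results")
    results = {}
    for clause in m.group(3).split(";"):
        clause = clause.strip()
        if not clause or clause == "none":
            continue
        method, _, rest = clause.partition("=")
        results[method.strip()] = (rest.split() or [""])[0].lower()  # drop comments/properties
    return int(m.group(1)), m.group(2), results

def dmarc_disposition(local_dmarc, rcpt, list_id, arc_cv, aar_header):
    """Return (disposition, reason): 'override' lets the list's entry-time DMARC
    result stand in for the local fail; anything else means apply local policy."""
    if local_dmarc == "pass":
        return "pass", "dmarc passed locally"
    if arc_cv != "pass":
        return "fail", "no valid ARC chain"
    _, sealer, results = parse_aar(aar_header)
    if sealer not in TRUSTED_ARC_SEALERS:
        return "fail", f"ARC sealer {sealer} is not trusted"
    if list_id not in SUBSCRIPTIONS.get(rcpt, set()):
        return "fail", f"{rcpt} is not known to subscribe to {list_id}"
    if results.get("dmarc") != "pass":  # the list relayed mail that already failed DMARC
        return "fail", "AAR does not attest dmarc=pass on entry to the list"
    return "override", "trusted list, known subscription, dmarc=pass at entry"
```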