Re: [dmarc-ietf] draft-crocker-dmarc-author-00 ?

Dotzero <dotzero@gmail.com> Thu, 13 August 2020 19:21 UTC

From: Dotzero <dotzero@gmail.com>
Date: Thu, 13 Aug 2020 15:20:46 -0400
Message-ID: <CAJ4XoYd3zOB-VEBP_RQgPhjXeMJvuiqTfG=z4m_fv18J+xNHgQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3tfQDsmK4nAzqbUO1lS9tx4tf_E>

On Thu, Aug 13, 2020 at 3:06 PM Neil Anuskiewicz <neil@marmot-tech.com>
wrote:

>
>
> Tunable! You said the magic word. I have a client now getting spoofing.
> Tightening above p=none is a non-starter as about 100% of MajorCRM emails
> fail SPF (foo.majorcrm is the RFC5321.from), 62% of MajorCRM mail fails
> DKIM, and 100% of MajorCRM Marketing * fails SPF (bar.some-esp.com). Oh,
> and some local office has a random MailChimp account not authenticated.
>
> We can't turn the knob on policy and MajorCRM support says you can't have
> your own mail from. Normally, with a client we would get on a screen share
> with Bob (the doer of all things) at a company or some other efficient
> arrangement to be able to make changes in applications, update DNS, test,
> monitor.
>
> Here, there's this dept with control of the CRM, another for marketing,
> another controls DNS, and a vendor says something isn't possible.
>

So what you are saying is that you want an IETF working group to write a
standard that papers over poor self control on the part of your
organization.


> My point is that it sure would be nice to be able to tune so that BigCRM
> and BigCRM Marketing * mail would pass DMARC comfortably, and we could then
> turn the dial on policy to cut off the spoofers without breaking legit mail.
>
> Yes, I know that this isn't the mailing list issue but tuning could solve
> that problem, too.
>
>
The way you solve the problem described above is to get control of your
mail flows. I've worked with various "big CRM" vendors and they will gladly
accept a delegated subdomain (they control DNS and therefore SPF and DKIM
signing as well as publishing DMARC). There are other approaches as well.
Your post illustrates one of the problems with the discussion on this list.
People are conflating internal organizational issues with requirements for
interoperability. You could always publish 0.0.0.0 -all for your SPF record
and solve all your DMARC assertion issues very easily.

Michael Hammer
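
The identifier-alignment check behind the delegated-subdomain advice above, as an added example that is not part of the original message or of any DMARC implementation. It is a simplified model of RFC 7489 alignment; every domain is constructed, `PUBLIC_SUFFIXES` stands in for the real Public Suffix List, and the vendor flow is assumed to pass SPF and DKIM for the vendor's own domains.

```python
# Added example: simplified DMARC identifier alignment (RFC 7489, section 3.1).
# Assumption: PUBLIC_SUFFIXES is a tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"example", "com"}

def org_domain(domain):
    """Organizational domain: the longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode="r"):
    """'r' (relaxed): same organizational domain; 's' (strict): exact match."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_pass(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf = (result, RFC5321.MailFrom domain); dkim = [(result, d= domain), ...].
    DMARC passes when at least one passing mechanism is also aligned."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    return spf_ok or dkim_ok

def scenarios():
    """Constructed mail flows for a hypothetical sender, client.example."""
    return {
        # Vendor authenticates its own domains: both mechanisms pass, neither aligns.
        "vendor_domains": dmarc_pass(
            "client.example",
            ("pass", "foo.majorcrm.example"),
            [("pass", "majorcrm.example")]),
        # Delegated subdomain: the vendor controls DNS for crm.client.example.
        "delegated_subdomain": dmarc_pass(
            "crm.client.example",
            ("pass", "bounce.crm.client.example"),
            [("pass", "crm.client.example")]),
        # From stays on the parent domain: relaxed alignment is enough...
        "parent_from_relaxed": dmarc_pass(
            "client.example", ("fail", "foo.majorcrm.example"),
            [("pass", "crm.client.example")]),
        # ...but strict DKIM alignment (adkim=s) rejects the subdomain signature.
        "parent_from_strict": dmarc_pass(
            "client.example", ("fail", "foo.majorcrm.example"),
            [("pass", "crm.client.example")], adkim="s"),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22} DMARC {'pass' if ok else 'fail'}")
```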