IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

David I <David.I@ncsc.gov.uk> Thu, 20 August 2020 16:45 UTC

Return-Path: <David.I@ncsc.gov.uk>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFB913A0975; Thu, 20 Aug 2020 09:45:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FROM_GOV_DKIM_AU=-0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dyFLqgpOJZ03; Thu, 20 Aug 2020 09:45:33 -0700 (PDT)
Received: from GBR01-CWL-obe.outbound.protection.outlook.com (mail-eopbgr110115.outbound.protection.outlook.com [40.107.11.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 753BA3A0969; Thu, 20 Aug 2020 09:45:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MtjeUq0Ez9LYfwbpqd9rB/Kdl+2m5k/ZoVyrc1SB9r2YtSSCIuqiLgyLYLdGjSenljrZvJRsmdWkGlsty/pu54Mt+R9OZpQAIF2/3gwN7+Qz2tELOJVtlUGhB0jTJ4lTFv7s6fwAb0aecg+T4gjDWNsF87aPkI4oSVIzGSFFvxbde1Scpek55Ouy9LpPNFpqhtg4fQnTbKFw/LWwqEaTgGsiqfqWDFi94Nn27ImwBSLy7uakj0TtlCg4Qley2hj9/RFE6semdaGn6x7YxmjJX4vWiafWSvLnRO7X8F7FqNQyfRuzYg3FUwgTNluPmZP1BqnvY6Srdf6vfQV6mn9LQw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XC4Vnyw0wUtu5J+7Gev7ukk2Chg8/G90ERr4RHEpEvc=; b=kfgIokn7ELu3ueXyyHulyFuzS/68QE+lsxlvn2Dxd7WFmJO67D+IVVg85bjB6hgbmuILG3300KlX/HHISQHqH0ameSBD6fJoQ2CtmRmnpAKL6f2h+C6y1wonWIq/xperTh6am7n5/tzIMaWSXbtg4FH90mLDLrBOX70gF/THG81sxS1Y8ajVD8yXoEOecyPCDH7Qua04RFLvi9UomigijO/SD3cFQFB56Rsb6iFJpUR7OJt32Kgn6OYR1yMLUFcOvEAerQJA/sVbueuzvGD6Y5ZD6YlRdY9XSEs6xb3MCnCuUrP+a5FbnBDU2+oBADEEEPs2xeXbYxy/CRoDENK6hQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ncsc.gov.uk; dmarc=pass action=none header.from=ncsc.gov.uk; dkim=pass header.d=ncsc.gov.uk; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XC4Vnyw0wUtu5J+7Gev7ukk2Chg8/G90ERr4RHEpEvc=; b=smci+9KQYIOdMDwIQdQmqNB0zct7aPB8u0FuYS+Os6qeT1IJJHN98Fb5L9Cjhf956t/xe8YvDw5oQWcEzAcHUO203eKMihneYzm4O8TtsfKLaM6s21IN/a7jlhq1yvxBeYuWTezTjEDbSvH0xR5Jfipr9sMUzB6h3YdX5yegyXD6+RGDghmVRQPRBJmjN7IiH2UmU7BMk0NoKm8DrtX15I5ZLS3FcE1FwsE0doPHtrrVNa8OHSDRTP69xeKm28CtVmFWhgNOpQ/ONQSBO3NNEcr9SqaIpQul7/c2kY8ugG+um2DDQyPPGtzA27TZ/o7oE8jYocm44ru1k3DvUmNVVg==
Received: from LO3P123MB3244.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:fc::16) by LO2P123MB3823.GBRP123.PROD.OUTLOOK.COM (2603:10a6:600:129::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3305.24; Thu, 20 Aug 2020 16:45:30 +0000
Received: from LO3P123MB3244.GBRP123.PROD.OUTLOOK.COM ([fe80::61bf:80ca:2aa:8769]) by LO3P123MB3244.GBRP123.PROD.OUTLOOK.COM ([fe80::61bf:80ca:2aa:8769%8]) with mapi id 15.20.3305.024; Thu, 20 Aug 2020 16:45:30 +0000
From: David I <David.I@ncsc.gov.uk>
To: Tim Wicinski <tjw.ietf@gmail.com>, IETF DMARC WG <dmarc@ietf.org>
CC: "dmarc-chairs@ietf.org" <dmarc-chairs@ietf.org>
Thread-Topic: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
Thread-Index: AQHWb0kvAfXW9rCfQUm/Y0kSmNhkE6lBQapg
Date: Thu, 20 Aug 2020 16:45:30 +0000
Message-ID: <LO3P123MB32440698FD99F58AD45D6A55BE5A0@LO3P123MB3244.GBRP123.PROD.OUTLOOK.COM>
References: <CADyWQ+H4D9+ELpsjxggEWwzg+WwUZs9mXzy8iNnLZCTfGORACA@mail.gmail.com>
In-Reply-To: <CADyWQ+H4D9+ELpsjxggEWwzg+WwUZs9mXzy8iNnLZCTfGORACA@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ncsc.gov.uk;
x-originating-ip: [51.141.26.231]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 489513c5-4de0-46a8-befc-08d84528735e
x-ms-traffictypediagnostic: LO2P123MB3823:
x-microsoft-antispam-prvs: <LO2P123MB3823978EAB80EBE6366197C4BE5A0@LO2P123MB3823.GBRP123.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: GGtCisll7L1bBiYWqCFWflYiEE271cDvXjyhzkj0Sw35JF/WipVKcrLcsliVovzX88L/TOvD2BxlbGRDZ+d2q+tiASBL2A4gR2x0rYi+ZBZ9a6BQOX0jUST7LqmEwEHhl0AU6o384t3W/x+qchWZYYClP4e3K4rn25tMWPvmKg4kfhnGhVT+o1nlRtPQFhs5VV8VLNxPbiP3wUArcvI94eEIouwUpCj4fcaO8bUdrYpUwWYbl3c97GnODPbkX+Rq/HwmQQpSuTJamw+3JnyEZi4/CE5h0N8WlxSYxiRGOj22z1/6ZCjpdMg5MYgO3d2MEUtSgXKYXWx93VOqruU9UrZcqYvyquXGjkhjjnoqup+ZUx6eSCHpLJKzo62GsTkTP56BaSuhIb+rWWXiIzadCQ==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:LO3P123MB3244.GBRP123.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(39850400004)(366004)(396003)(136003)(376002)(346002)(8936002)(9686003)(55016002)(966005)(2906002)(110136005)(186003)(7696005)(6506007)(4326008)(33656002)(86362001)(26005)(166002)(8676002)(5660300002)(66946007)(66556008)(64756008)(76116006)(66476007)(66446008)(478600001)(71200400001)(316002)(83380400001)(55236004)(52536014); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: ra0RvLN8iAbEpGQY7lCeEqucPDtNH2Yv43ZrlV/a9m1kV4gGW/91HSlufSnwcooURbawOWA4bmFH02lGaSiAI9/Z/nypkh7az5bx7olRkPHuM8cZBK68kvZThg53wryN63pLNVVHC6v8HZpuew+liOprOvSmSJ5ljm6TEI6JcqhhBxJWjF2QfQpWEif4ISlGQEARcaVVadN4CUsw32n2RQ5v2vfSGp/hCbYIbPuzv6xe0KeHNFK2JxQKMRyE8bTAoqbtZCFt+fwu6Dka7B5DffJ5eHYORs1FI8gvGqqVERccEySwvNnqLF55f24pCbGj3peou5nvYhrhwa/PM6qCHLaJKjcR3cq/I5S66X35Kbd+Ehw6cfCnVRohiXiD6AVTHB2i/VpbD72riBuNI1lRLXUXjmqsq9wXe3XnRUWyA74dKlZimtUxXxyD/Dj30WekiGD4OdfcCHhM1ZvtAT27qbup9viELhdNXlSUZDA0sFM3kK+5NKIwx6OPAy2Sotnj/aNLJWLKFkdKkG6juLzXfd2m8itlYNl4LS3c3DKCfp687+jBIQo4wX1J8vjVmeFDUemOi4RFzojykMHKENvKATsoicv5mawMEq6gE8N93YxlsvxAVf/fchbs+H5tinNwAu+eGTfzYGnO+mScfaSipg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_LO3P123MB32440698FD99F58AD45D6A55BE5A0LO3P123MB3244GBRP_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LO3P123MB3244.GBRP123.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 489513c5-4de0-46a8-befc-08d84528735e
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Aug 2020 16:45:30.9064 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: GknrHHXE+k4WlSVZkapenpXlVVXzOc6+86ppKDYl6TlIZ2tVgDeRItjCsVfritvgqVsxd+A4Gc+mzOAOEh55gw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: LO2P123MB3823
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/LrFFN95DZgbH8ANyAUUlaJ_ZUt0>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 16:45:36 -0000

During IETF 108, the chairs realized that there was interest in Dave's
RFC5322.Sender draft.

This starts a Call for Adoption for draft-crocker-dmarc-sender

The draft is available here: https://datatracker.ietf.org/doc/draft-crocker-dmarc-sender/<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-crocker-dmarc-sender%2F&data=02%7C01%7Cdavid.i%40ncsc.gov.uk%7C8b6f69bd79a0456b083a08d83d605162%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C637326831179930300&sdata=essow9o1nmqARNXCr%2BUFkBhUwomyBq0E0dpxzzK7q9E%3D&reserved=0>

Currently, the draft is marked as "Standards Track".  The chairs feel if the
working group does adopt this, it should begin as "Experimental".  If we start
to see adoption of this work, this can be changed back to "Standards Track" before
Working Group Last Call.  Of course, we welcome input from the working group on this.

Please review this draft to see if you think it is suitable for adoption, and
send any comments to the list, clearly stating your view.

There's some good thinking in the document, that however leads me to a different solution space. There are also some bits which aren't clear enough for me to fully analyse the security impact, and some places where I think it's lacking.

In a little more detail:
- The reflection that mediators are going to have to implement approaches like From-rewriting for at least a while leads me to think that standardising From rewriting is a better way to go. Standardising would allow recipient systems to undo the From-rewriting if they trust the intermediary and the email is authenticated (perhaps simple DKIM, perhaps something ARC-related). This has the benefit that the intermediary doesn't need to worry about whether it's trusted by the recipient, or whether the recipient has implemented <insert new system here>. I agree with everyone who thinks it's somewhat distasteful, but seems least-worse to me given today's email environment.
- It's not clear to me in the doc which domain is being referred to in various places. eg assuming From: test@from.example<mailto:test@from.example>, Sender: test@sender.example<mailto:test@sender.example>, which domain's DMARC policy should have the snd tag? If I never add the snd tag to _dmarc.from.example, do I get to keep today's behaviour?
- It turns a fact based check 'did the DMARC checks pass for the From domain' to a fuzzier reputation based one. This *may* be similarly effective at scale against volume spam, though I'm sceptical. I don't believe it's true for low-volume spear-phishing where 'a few getting through while the reputation system trains itself' isn't good enough.
- Comparing this to ARC, there's no passing of information about what authentication checks an intermediary did, nor a statement that an intermediary should be doing strict DMARC authentication and not passing on things which fail. That makes the 'trust' decision at a receiver much harder as you don't know if any authentication has taken place.
- As a reputation/trust based mechanism, it shares weaknesses with ARC - difficulty of bootstrapping, and favouring large and existing players. So I don't think it's expanding the solution space much, and risks distracting from ARC and then running into similar issues.
- The absence of a mechanism to get away from From-rewriting or similar (even in the long term), means this would be additional complexity with little, if any practical upside.

Given the above, I don't think this is a fruitful path, so I don't support adoption at this time.

Regards,
David

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk. All material is UK Crown Copyright ©

v2.23.0 | Report a Bug | By Email