IETF Logo Mail Archive

Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows

Scott Kitterman <sklist@kitterman.com> Wed, 26 April 2023 22:48 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72F0FC15155C for <dmarc@ietfa.amsl.com>; Wed, 26 Apr 2023 15:48:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="I4BQ8Viq"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="hFlfZ7dw"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HSh47ygMkbLv for <dmarc@ietfa.amsl.com>; Wed, 26 Apr 2023 15:48:21 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9E58C14CF18 for <dmarc@ietf.org>; Wed, 26 Apr 2023 15:48:20 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id AE563F802E7; Wed, 26 Apr 2023 18:48:10 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1682549275; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=2LqDVeWGt09jKKNouLFZm/7kEk4vwXMxqtPWVO1502U=; b=I4BQ8ViqPjQI6Avqoyq/nIyPvvorwdcrqvjomF/i5jcGCuMdzNEWZ2fRO1RJ1HD76zNHj 4zJjudovY6ci3LsDQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1682549275; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=2LqDVeWGt09jKKNouLFZm/7kEk4vwXMxqtPWVO1502U=; b=hFlfZ7dw+hco3wb9v4xHL8lKFzHYbnc7CMSk+ghMB7vBvfFJ/mqeh1SnZZQJ+uTqtlRCT lkMEGtZ4syaj/UuB5VlBJ3CmVD3QHHac6K6ao5+3932LQj149weTYDC1aJXoX2lxWQXeick l4fvQ+rnzJD0hgzLCEyb2AtzVd5mYMW/ny6bOj1bbDGBxYZ7uCQwlKZuLBN15tHKvHYDcsn CEyMpd2K0YnMeUmKhFoAlPUzDGCInXTJewwr1Weg9VtQqw+qvz7CC+FbaaejU3XU+YOlf/v GMMu32Q4UYAIqmixhonP6hjp74eZcN+A6fN+zk5QCS3q4Zvd+bozvIOcjG/g==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 24CD5F8014A; Wed, 26 Apr 2023 18:47:55 -0400 (EDT)
Date: Wed, 26 Apr 2023 22:47:51 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <a267d504-beb9-4082-82b1-f5076a83b4fd@app.fastmail.com>
References: <20230426160609.8532BC586620@ary.qy> <a267d504-beb9-4082-82b1-f5076a83b4fd@app.fastmail.com>
Message-ID: <4F204215-A97B-4496-9649-91F9D51C8910@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/55ta0odKgWZVuPXoJJdkiDqSpr4>
Subject: Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2023 22:48:25 -0000


On April 26, 2023 9:39:08 PM UTC, Jesse Thompson <zjt@fastmail.com> wrote:
>On Wed, Apr 26, 2023, at 11:06 AM, John Levine wrote:
>> It appears that Scott Kitterman  <sklist@kitterman.com> said:
>> >>Domains owners who have users who individually request 3rd parties to emit mail as an address within the domain MUST NOT publish a
>> >restrictive DMARC policy if they wish to support their users' usage of any potential 3rd party. Examples of 3rd parties include
>> >mailing lists and email service providers. These 3rd parties are not always aware of, or willing to work around, DMARC. Domain owners
>> >implementing DMARC as a means for governance by restricting the unauthorized usage of the domain MUST be aware that not all of the
>> >3rd parties will make changes to work around DMARC, resulting in interoperability issues for their users' usage of the 3rd parties.
>> >Domain owners SHOULD provide an alternative address for these users within a cousin domain or subdomain that is not directly
>> >associated with the organization's brand-associated domain that is used for marketing and transactional email that needs the security
>> >benefits of DMARC. These users MUST use an address within a domain that does not have a restrictive DMARC policy.
>> >>
>> >>(Not a troll. Not directly aware of humming (sorry, it's on my bucket list). Hopefully, didn't touch the 3rd rail. Honestly, in good
>> >faith, representing the perspective of an extremely large domain owner, users within said policy-restricted domain, and as a 3rd
>> >party commonly used by these, and similar, users.)
>> > ...
>> >I can see what you're attempting here and I see the logic.  I think the normative part would need to be about 90% shorter.
>> 
>> I was going to say the same thing.
>
>I agree it is too lengthy, but wished to convey the logic.
>
>
>> 
>> >I think it misses the impact on innocent bystanders.
>> 
>> It seems to me there are two somewhat different kinds of DMARC damange
>> that we might separate. One is what happens on discussion lists, where
>> messages get lost and in the process unrelated recipients get
>> unsubscribed. The other is simple forwarding and send-to-a-friend
>> which gets lost but is less likely to cause problems for the
>> recipients beyond not getting the mail they want.
>
>I know you don't like talking about ESP concerns, but for the sake of fitting into the categorizations you state, I think that usage of ESPs falls into the send-to-a-friend category. Is there a better term than "send-to-a-friend" that is more aligned to the vast variety of use cases and types of customers that ESPs have grown to support? The term sounds a bit pejorative. Think about use cases like: digital receipts sent from point of sale systems via an ESP on behalf of small businesses who don't have the ability to delegate authorization to the entire domain (e.g. local-flower-shop@yahoo.com)
>
>And for the record, the ESP can either have unhappy customers due to rejected email, or they can do something like this (but not call it "rewriting") https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail#Replace_address_with_a_generic_one
>

I don't think the categorization is specific to ESPs.

Broadly, I think the failure modes are:

1.  Starts authorized, breaks in transit (e.g. mailing lists)

2.  Starts as unauthorized 3rd party and stays that way (e.g. send to a friend)

I don't think there is anything ESP specific in the failure modes.

Scott K

v2.23.0 | Report a Bug | By Email