IETF Logo Mail Archive

Re: [dmarc-ietf] non-mailing list use case for differing header domains

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Sat, 08 August 2020 18:05 UTC

Return-Path: <btv1==489bd5c4679==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 945D03A0C3C for <dmarc@ietfa.amsl.com>; Sat, 8 Aug 2020 11:05:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FQebsOZTJ951 for <dmarc@ietfa.amsl.com>; Sat, 8 Aug 2020 11:05:21 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FCC73A0C3A for <dmarc@ietf.org>; Sat, 8 Aug 2020 11:05:21 -0700 (PDT)
X-ASG-Debug-ID: 1596909917-11fa311da649710001-K2EkT1
Received: from webmail.bayviewphysicians.com (webmail.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id aYOR1lgM2q2sn1eC (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Sat, 08 Aug 2020 14:05:17 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=sZqnAfqGDDGNJBdzsiYKkfqRpS5YgzXIVM1u9P1WYt8=; b=eC33wvryhDMJe8YKEZz9VLYbUFN1FeN/i5sXh91yUtWdBpBR0CLzYm9zHIyrnQyXO P0HCZPPtnhimRJguvFcgkXQ9OLoIylBtHSRValSh3lqQ7QJQnHEpMz6WjpaKLtXxc Qp7ohY3Ma1gMYaDY0SKFUYYevTvXNcy8YUV0cd1fk=
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Date: Sat, 08 Aug 2020 18:05:08 +0000
X-ASG-Orig-Subj: Re: [dmarc-ietf] non-mailing list use case for differing header domains
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <0ad0a6b93ff74648b2620e81c7ddaa13@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="758c87a8c8a74e8e969489d62682140d"
In-Reply-To: <ecf1bb40-0abf-f93a-77c4-65e75b58f4db@tana.it>
References: <20200808022743.216921E60BFF@ary.qy> <ecf1bb40-0abf-f93a-77c4-65e75b58f4db@tana.it>
X-Exim-Id: 0ad0a6b93ff74648b2620e81c7ddaa13
X-Barracuda-Connect: webmail.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1596909917
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 10839
X-Barracuda-BRTS-Status: 1
X-Barracuda-Spam-Score: 0.00
X-Barracuda-Spam-Status: No, SCORE=0.00 using global scores of TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=9.0 tests=HTML_MESSAGE
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.83780 Rule breakdown below pts rule name description ---- ---------------------- -------------------------------------------------- 0.00 HTML_MESSAGE BODY: HTML included in message
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/5ULF3Uw1nEPVYuYDfpPClsCuimc>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Aug 2020 18:05:25 -0000


The unifying principle is that we need a third-party authentication method, a need which is not adequately satisfied with SPF and DKIM.   The standard can support multiple options, such as the following

send3="method=ATPS,p=reject,sp=quarantine;  method=reputation,p=quarantine,dns=uri; method=RHSWL, sp=reject"

where:
"method=ATPS" means RFC 6541 third-party signatures, as suggested by Hector"method=reputation" means a trust service like trusted-forwarders.org, as suggested by John"method=RHSWL" means the whitelist system suggested by Alessandro
Usage:
If multiple methods are specified, the receiver checks all of the methods that it is willing and able to use.If p= is missing, the third-party authentication method is not supported for primary domains.If sp= is missing, the third-party verification method is not supported for subdomainsIf any method passes, the message passes.   No other checks need to be performed.   If all methods fail, the strictest policy is the recommendation action.If any third-party authorization method is supported, the DMARC policies should be p=none and sp=none, to avoid false positives by entities that do not know how to check the third-party method.
A domain could optionally advertise which third-party methods it is willing to check using a similar keyword structure:
verify3="method ATPS;  method=reputation; dns=uri; method=RHSWL".  
This would allow senders to limit third-party impersonation to those recipients that will accept the impersonation as legitimate.

It would be desirable for DMARC feedback reports to indicate which third-party methods were checked.   Updating the reporting specification might be more complex than specifying the verification method itself.

Do we move forward with an approach like this?

----------------------------------------
From: Alessandro Vesely <vesely@tana.it>
Sent: 8/8/20 5:52 AM
To: dmarc@ietf.org
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
On 2020-08-08 4:27 a.m., John Levine wrote:
>
> Some years back people kept asking Spamhaus to set up a whitelist, so
> they hired me to do it. Technically it worked fine, but it soon became
> apparent that the only people who were interested weren't people who
> we'd want to whitelist. The good quality senders get their mail
> delivered already, the terrible ones didn't bother, and all we heard
> from were people who sometimes sent some spam along with the good mail
> but assured us they were nice people.

I'm not clear why that failed. Personally, I was puzzled by the .com
suffix, which somehow sounded like pay for being whitelisted.

> I think you'll find that all of the existing whitelist like things
> are a sideshow to the company's real business of deliverability
> consulting.

Of course whitelisting can easily become ESPs combat zone.

> For DMARC, it would be nice if there were a shared list of credible
> forwarders, not to automatically accept their mail, but just to say
> they're good enough that you can believe what's in their ARC seals
> when you're doing the usual spam filtering.

Trusted-forwarder.org still exists...[*]

Automatically accept is not the same as override DMARC policy. The
latter can cure some of MLM and non-MLM problems.

I proposed snd=rhswl.zone.example. The difference w.r.t.
trusted-forwarder.org is that some sites can start building their own
right hand side whitelists (RHSWL). Specifying the zone in the
protocol makes it visible, so lazy admins can help themselves to
quickly build their not-so-strict DMARC policy by using someone else's
RHSWL.

Combining lists could also become possible, once there is a decent
amount of them. There is already An Architecture for Reputation
Reporting, RFC 7070/3, which could support exchanging entries among
similarly scoped RHSWLs.

> You can't just let people sign themselves up for a list like that,
> since every dodgy bulk mailer will figure this will get them an
> extra 2% delivery, and we've never gotten past a vague hope that we
> could canvass people we know to make a combined set of mailing
> lists hosts we know.

Seeking how to make that hope less vague should be a highly commended
task.

Best
Ale
--

[*] http://multirbl.valli.org/detail/wl.trusted-forwarder.org.html

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email