Re: [dmarc-ietf] Overall last-call comments on DMARC
Alessandro Vesely <vesely@tana.it> Thu, 04 April 2024 15:50 UTC
Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D206C14F5FB for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 08:50:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UaFVMtrPwYDT for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 08:50:20 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B758C16940B for <dmarc@ietf.org>; Thu, 4 Apr 2024 08:49:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1712245739; bh=/tP6QjYMIx6CTAMfkLwWmOAwojyopPPMcMD73VD35Y0=; h=Date:Subject:To:References:From:In-Reply-To; b=APNIrzGepYmDpoeRZGloav68KbqphVDghGVg+QJS190qtz8zUH1ZHX3jmXM8nzgWL AhsE9SA2cFioObc0FvFoN5bf3v0rNvFcClNFYYjFrvY/nlsRmo1nfytRUBVgldP3/R JqaSKaRbZD6mZqMB6fKa2QhgnZFQU3bNM2J3yv/7E0qepNFDgAOH+va9rOAtt
Original-Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [::ffff:172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0EB.00000000660ECBEA.000027E0; Thu, 04 Apr 2024 17:48:58 +0200
Message-ID: <ebf343ed-ee60-47b0-a02f-8518a8369bb0@tana.it>
Date: Thu, 04 Apr 2024 17:48:58 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: dmarc@ietf.org
References: <CFEA2796-9213-4847-836B-81E8770973F5@bluepopcorn.net> <5208da1b-ecfb-4d41-8506-a734a27ab3a0@tana.it> <CAL0qLwbnSe77Wdt+M8bi2pBmZFCZjDUQc6je9bjCzP5TQ0N6XA@mail.gmail.com> <49859572-18a4-483b-bb99-62c1c231896e@tana.it> <CAL0qLwZc6idmMra11pVx2bbtk2Em9-vy6+962M7jDWOMnP+UHQ@mail.gmail.com> <1ee6df39-a622-4060-83db-bcc9a7a835d4@tana.it> <CAL0qLwYX_D7S_-Vn9RwwRzwyNO=8=3UVqbP8rz3SCWG4dvGZig@mail.gmail.com> <f5f55a39-127d-4a84-a66b-950379ecb013@tana.it> <CAL0qLwZzfnDA=7bwCu26S1SJPEE3hBq929674hH6naKXWuyh5g@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
Content-Language: en-US, it-IT
In-Reply-To: <CAL0qLwZzfnDA=7bwCu26S1SJPEE3hBq929674hH6naKXWuyh5g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6Dnzjo52QFy3HvHAaahALSUVv3Y>
Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 15:50:26 -0000
On Wed 03/Apr/2024 18:49:50 +0200 Murray S. Kucherawy wrote: > On Wed, Apr 3, 2024 at 4:16 AM Alessandro Vesely <vesely@tana.it> wrote: > >> Some sort of contract or agreement between sender and receiver seems to me >> to be unavoidable if we want to leverage ARC without having a global domain >> reputation system. We don't have a precise method to do that. We need to >> experiment and standardize something to that extent, which I hope this WG >> can do after publishing -bis. > > I know what "contract" means abstractly, but what does this actually look > like to someone that's looking for specific guidance? The text you have > here, by itself, is vague and I don't think many operators will know what > to do with it. A file in each user's home directory listing allowed pairs of ARC's d= domain and the list-id identifier of a List-Id: field? Whatever. What do Google use to determine if an ARC seal is trusted? We don't have much concrete experience on how to set up a contract, though. >> Meanwhile, we can mention ARC, in Section 5.8 (minimal text proposed in >> another thread[*]). How much can we expand that? For example, can we >> whisper something about the need to trust specific sealers for specific >> streams? > > If you really need ARC to make all of this work and interoperate with > lists, then I think we need to start talking about how we want to move ARC > out of "Experimental" first so it can become a normative reference. Back to timing here. DMARCbis I-Ds seem to be mature enough to go out, even if there are not yet a practical solutions to the ML problem. Further delaying them until we find one is inadvisable. Yes, we need ARC, but we also need a method to convey agreements based on it. We couldn't spell out a solution even if ARC were standard track already. We can just hint at it. Parts of the Doug's text sound good for that. Here's a variation on it, mixed with the 2nd paragraph of Section 5.8: Mail Receivers MAY choose to accept email that fails the DMARC mechanism check even if the published Domain Owner Assessment Policy is "reject". Some legitimate messages are forwarded on behalf of an individual account, based on an established relationship between the sender and the account owner, but without domain owner involvement, These messages are legitimate in the sense that the RFC5322.From address represents the true author, but the messages do not produce DMARC "pass" on the last hop because the DKIM signature was broken (mailing list) or because authentication at the previous hop was based solely on SPF (non-mutant forwarding). In either case, such messages can be characterized as belonging to a very specific mail stream. An emerging protocol to help handling these cases is [ARC]. Besides providing an assertion of responsibility equivalent to DKIM, it also demonstrates the 'chain-of-custody' of a message by certifying what the Authentication-Results were when the message entered the forwarding organization(s). How to establish the recognition of the relationship between a given mail streams and the domain responsible for feeding it is outside the scope of this document. However, because of the considerations discussed in [RFC7960] and in Section 8.6 of this document, it is important that Mail Receivers not reject messages solely because of a published policy of "reject", but that they apply other knowledge to avoid situations such as rejection of legitimate messages. Best Ale --
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- [dmarc-ietf] Overall last-call comments on DMARC Jim Fenton
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Standards Track? Yes or No. Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… John R. Levine
- Re: [dmarc-ietf] Standards Track? Yes or No. Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Dotzero
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Jim Fenton
- Re: [dmarc-ietf] Overall last-call comments on DM… Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Tero Kivinen
- Re: [dmarc-ietf] There is no pony, Overall last-c… John R. Levine
- Re: [dmarc-ietf] There is no pony, Overall last-c… Jim Fenton
- Re: [dmarc-ietf] There is no pony, Overall last-c… John R. Levine
- Re: [dmarc-ietf] There is no pony, Overall last-c… Hector Santos
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Neil Anuskiewicz