IETF Logo Mail Archive

Re: [dmarc-ietf] Overall last-call comments on DMARC

Alessandro Vesely <vesely@tana.it> Thu, 04 April 2024 15:50 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D206C14F5FB for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 08:50:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UaFVMtrPwYDT for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 08:50:20 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B758C16940B for <dmarc@ietf.org>; Thu, 4 Apr 2024 08:49:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1712245739; bh=/tP6QjYMIx6CTAMfkLwWmOAwojyopPPMcMD73VD35Y0=; h=Date:Subject:To:References:From:In-Reply-To; b=APNIrzGepYmDpoeRZGloav68KbqphVDghGVg+QJS190qtz8zUH1ZHX3jmXM8nzgWL AhsE9SA2cFioObc0FvFoN5bf3v0rNvFcClNFYYjFrvY/nlsRmo1nfytRUBVgldP3/R JqaSKaRbZD6mZqMB6fKa2QhgnZFQU3bNM2J3yv/7E0qepNFDgAOH+va9rOAtt
Original-Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [::ffff:172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0EB.00000000660ECBEA.000027E0; Thu, 04 Apr 2024 17:48:58 +0200
Message-ID: <ebf343ed-ee60-47b0-a02f-8518a8369bb0@tana.it>
Date: Thu, 04 Apr 2024 17:48:58 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: dmarc@ietf.org
References: <CFEA2796-9213-4847-836B-81E8770973F5@bluepopcorn.net> <5208da1b-ecfb-4d41-8506-a734a27ab3a0@tana.it> <CAL0qLwbnSe77Wdt+M8bi2pBmZFCZjDUQc6je9bjCzP5TQ0N6XA@mail.gmail.com> <49859572-18a4-483b-bb99-62c1c231896e@tana.it> <CAL0qLwZc6idmMra11pVx2bbtk2Em9-vy6+962M7jDWOMnP+UHQ@mail.gmail.com> <1ee6df39-a622-4060-83db-bcc9a7a835d4@tana.it> <CAL0qLwYX_D7S_-Vn9RwwRzwyNO=8=3UVqbP8rz3SCWG4dvGZig@mail.gmail.com> <f5f55a39-127d-4a84-a66b-950379ecb013@tana.it> <CAL0qLwZzfnDA=7bwCu26S1SJPEE3hBq929674hH6naKXWuyh5g@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
Content-Language: en-US, it-IT
In-Reply-To: <CAL0qLwZzfnDA=7bwCu26S1SJPEE3hBq929674hH6naKXWuyh5g@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6Dnzjo52QFy3HvHAaahALSUVv3Y>
Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 15:50:26 -0000

On Wed 03/Apr/2024 18:49:50 +0200 Murray S. Kucherawy wrote:
> On Wed, Apr 3, 2024 at 4:16 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> Some sort of contract or agreement between sender and receiver seems to me 
>> to be unavoidable if we want to leverage ARC without having a global domain 
>> reputation system.  We don't have a precise method to do that.  We need to 
>> experiment and standardize something to that extent, which I hope this WG 
>> can do after publishing -bis.
>
> I know what "contract" means abstractly, but what does this actually look 
> like to someone that's looking for specific guidance?  The text you have 
> here, by itself, is vague and I don't think many operators will know what 
> to do with it.


A file in each user's home directory listing allowed pairs of ARC's d= domain 
and the list-id identifier of a List-Id: field?  Whatever.  What do Google use 
to determine if an ARC seal is trusted?

We don't have much concrete experience on how to set up a contract, though.


>> Meanwhile, we can mention ARC, in Section 5.8  (minimal text proposed in 
>> another thread[*]).  How much can we expand that?  For example, can we 
>> whisper something about the need to trust specific sealers for specific 
>> streams?
>
> If you really need ARC to make all of this work and interoperate with 
> lists, then I think we need to start talking about how we want to move ARC 
> out of "Experimental" first so it can become a normative reference.


Back to timing here.  DMARCbis I-Ds seem to be mature enough to go out, even if 
there are not yet a practical solutions to the ML problem.  Further delaying 
them until we find one is inadvisable.

Yes, we need ARC, but we also need a method to convey agreements based on it. 
We couldn't spell out a solution even if ARC were standard track already.

We can just hint at it.  Parts of the Doug's text sound good for that.  Here's 
a variation on it, mixed with the 2nd paragraph of Section 5.8:

     Mail Receivers MAY choose to accept email that fails the DMARC mechanism
     check even if the published Domain Owner Assessment Policy is "reject".
     Some legitimate messages are forwarded on behalf of an individual account,
     based on an established relationship between the sender and the account
     owner, but without domain owner involvement,  These messages are legitimate
     in the sense that the RFC5322.From address represents the true author, but
     the messages do not produce DMARC "pass" on the last hop because the DKIM
     signature was broken (mailing list) or because authentication at the
     previous hop was based solely on SPF (non-mutant forwarding).  In either
     case, such messages can be characterized as belonging to a very specific
     mail stream.

     An emerging protocol to help handling these cases is [ARC].  Besides
     providing an assertion of responsibility equivalent to DKIM, it also
     demonstrates the 'chain-of-custody' of a message by certifying what the
     Authentication-Results were when the message entered the forwarding
     organization(s).  How to establish the recognition of the relationship
     between a given mail streams and the domain responsible for feeding it is
     outside the scope of this document.  However, because of the considerations
     discussed in [RFC7960] and in Section 8.6 of this document, it is important
     that Mail Receivers not reject messages solely because of a published
     policy of "reject", but that they apply other knowledge to avoid situations
     such as rejection of legitimate messages.


Best
Ale
--

v2.23.0 | Report a Bug | By Email