Re: [dmarc-ietf] DMARC ATPS Interop Note
Douglas Otis <doug.mtview@gmail.com> Wed, 13 May 2015 00:42 UTC
Return-Path: <doug.mtview@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9541E1A88AF for <dmarc@ietfa.amsl.com>; Tue, 12 May 2015 17:42:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23LgFrpOuRk1 for <dmarc@ietfa.amsl.com>; Tue, 12 May 2015 17:42:41 -0700 (PDT)
Received: from mail-pa0-x231.google.com (mail-pa0-x231.google.com [IPv6:2607:f8b0:400e:c03::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 906C31A8881 for <dmarc@ietf.org>; Tue, 12 May 2015 17:42:41 -0700 (PDT)
Received: by pacwv17 with SMTP id wv17so31819228pac.0 for <dmarc@ietf.org>; Tue, 12 May 2015 17:42:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=+cr8xeMkEgoTHAPaDI5UsXLHoZ/QXas4opox1Lnj6aw=; b=QpU47esPHLVwq5Zi51pn6hP12VavCE+OlupevV1VE24xmUqJDtARxDxZzK5h/+LO8T Wmr/mSnqB21PI+FGqbzZ1tV3YTnbRCEvjcJllt7FPtyhxYuwB/h999NHKGx29q1SpSw5 v2Yfy8FZN0zB95ofYwRYpk6Vy2SMUwsffFpJWXPAH7WhuY7n8zHXTNEw4H0291o5Xt29 h67Z3Y1OcdJ0zI/aLx6hYc9oo0HQv+vEtakMT1Bl2a47j+NwVoT0n/KP9I88sH7q6/FW 9hw7ki2FHm2OSihR97C09ghZM6AHsmqZolBYq3N5TZcAVtoxBVoEm2QnLOM1RyNjcgvq jkuA==
X-Received: by 10.68.246.38 with SMTP id xt6mr32232656pbc.20.1431477761171; Tue, 12 May 2015 17:42:41 -0700 (PDT)
Received: from US-DOUGO-MAC.local (107-0-5-6-ip-static.hfc.comcastbusiness.net. [107.0.5.6]) by mx.google.com with ESMTPSA id wt1sm17377326pbc.4.2015.05.12.17.42.37 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 May 2015 17:42:39 -0700 (PDT)
Message-ID: <55529DFB.3010704@gmail.com>
Date: Tue, 12 May 2015 17:42:35 -0700
From: Douglas Otis <doug.mtview@gmail.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: dmarc@ietf.org
References: <554BC30F.1020107@isdg.net> <4087F3E9-540E-45C7-9AE1-2B71FC90CB5F@kitterman.com> <CAL0qLwbZo1=xg_AWNT550H25M64Hj9Bg+5WPsNhd4SFV4j1xnQ@mail.gmail.com> <554BE12A.7010606@isdg.net> <26011.1431106173@vindemiatrix.encs.concordia.ca> <554D3D1E.9050509@isdg.net> <27522.1431236028@vindemiatrix.encs.concordia.ca> <CAL0qLwYeWuovoCnK-Fo9PMajmAgRsxjpXav=ZuDL2A7jm2YLuw@mail.gmail.com> <14447.1431266709@vindemiatrix.encs.concordia.ca> <CAL0qLwbE_30cYWyRXCXkFbw4EMjwX-cy=48+o+c4qyrJY4LeLA@mail.gmail.com> <CAL0qLwbH6qTWhWVjpFAKmYU_fTdx8Hyy1PrE0ztLvG=3xmP_TA@mail.gmail.com> <554FEBB4.5050805@gmail.com> <CAL0qLwaVJY8eecoXV_Ctsxu5D5k+K6sg0dsQZtxafA22s4N1Vg@mail.gmail.com> <5550FB6C.7050802@gmail.com> <55518F96.8040708@isdg.net>
In-Reply-To: <55518F96.8040708@isdg.net>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/6Jj24SBmw0ciRDW811wuXKkhHDU>
Subject: Re: [dmarc-ietf] DMARC ATPS Interop Note
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 May 2015 00:42:43 -0000
On 5/11/15 10:28 PM, Hector Santos wrote: > On 5/11/2015 2:56 PM, Douglas Otis wrote: >> >> On 5/10/15 10:08 PM, Murray S. Kucherawy wrote: >>> On Sun, May 10, 2015 at 4:37 PM, Douglas Otis >>> <doug.mtview@gmail.com> wrote: >>>> ATPS included an onerous task for any third-party service >>>> likely used on a gratis basis. Each third-party was >>>> expected >>>> to learn specific hash algorithms of each From domain. A >>>> difficult process on top of changing their structure of >>>> DKIM >>>> signatures repeated tens of thousands of times for each >>>> different first party domain. In addition, reputations >>>> based >>>> on the third-party relationship could not be leveraged >>>> because of the optional hashing. >>> I continue to find this repeated claim specious at best. >>> >> Unlike TPA-Label that required NO third-party authentication >> method change, ATPS imposed two significant changes onto >> third-parties: >> >> 1) A need for a new DKIM signature unique for _every_ Author >> domain seen by the mediator. > > It should be off the DMARC record now. Dear Hector, Yes. DMARC uses SMTP outbound registration confirmation to mitigate DKIM failure. Sender header fields indicate the domain responsible for issuing a message when present. DMARC failed to accommodate the Sender header field for those domains handling normal email exchange. Ignoring the Sender header field is appropriate only when just direct or transactional messages are issued by a domain asserting restrictive DMARC policy. In these cases, there would be little chance either DKIM or outbound registration would be negatively affected. DMARC being unable to assert the domain handles normal email exchanges likely to affect both DKIM and SMTP outbound registration makes its resulting policy requests unreliable and incompatible with RFC5322. Restrictive DMARC policy necessitate special handling of third-party services to retain defined roles of From header fields per RFC5322. Rather than assisting other domains mitigate misapplied policy, domains abusing DMARC are causing munged From header fields and misapplied policy having a dangerous outcome of legitimate messages being misplaced into Spam folders. As such, DMARC should signal when specific authorizations can be obtained by using a uniform reference to either a specific or a default domain or that the Sender header field may offer an optional alignment when likely visible to the recipient. >> 2) A need to determine an _unspecified_ hash unique for each >> Author domain seen by the mediator. > Do we really need a hash? I agree. This required new > tools (Hash calculators, wizard, command line tools, DNS > tools, etc) for DNS admin and sysops to be programmed. > Makes it harder to explore. Third-party authorizations should be uniform, small, and hard to explore. Even to the point of publishing a wildcard mitigating the generation of a large number of RRsets as seen with DNS-SD that even expects this type exploring behavior causing a real DDoS concern. >> Both of these unnecessary and difficult impositions do not >> align with those benefiting (the DMARC domain). Many have not realized double signing is wide open to abuse and will need similar DNS publishing techniques to adhere to a broken window theory. http://en.wikipedia.org/wiki/Broken_windows_theory Few things are more reprehensible than using DMARC to abuse legitimate uses of email just to continue ignoring compromised accounts. TPA-Label did not presume DKIM use, but draft-levine-dkim-conditional would allow a simpler TPA-Label listing scheme signaled using DMARC. Ignore all additional constraints in TPA-Label, since a combined strategy should safely handle a wider range of messages. It seems some have had some difficulty understanding the rate of message handling involved by larger ESPs which makes conditional handling fairly difficult to instrument. Here again, TPA-Label helps. Unlike SPF's high overhead of complex chained resource records, draft-levine-dkim-conditional together with TPA-Label would allow simple single resource record listings. Their retraction allows a quick abuse response. Restoration can be just as quick once abusive accounts have been disabled or disinfected. This represents a simple lightweight scheme that should significantly reduce the rate of abuse by keeping the Sending domains fully in the loop and easily instrumented. Regards, Douglas Otis
- [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Anne Bennett
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Terry Zink
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Anne Bennett
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Terry Zink
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Anne Bennett
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] double signing and what DMARC ac… John Levine
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] double signing and what DMARC ac… Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] double signing and what DMARC ac… John Levine
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] double signing and what DMARC ac… Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] double signing and what DMARC ac… John R Levine
- Re: [dmarc-ietf] double signing and what DMARC ac… Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Scott Kitterman
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos
- Re: [dmarc-ietf] DMARC ATPS Interop Note Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Murray S. Kucherawy
- [dmarc-ietf] Simple authorization offers reasonab… Douglas Otis
- Re: [dmarc-ietf] Simple authorization offers reas… Terry Zink
- Re: [dmarc-ietf] Simple authorization offers reas… Murray S. Kucherawy
- Re: [dmarc-ietf] Simple authorization offers reas… Hector Santos
- Re: [dmarc-ietf] Simple authorization offers reas… MH Michael Hammer (5304)
- [dmarc-ietf] Sender: vs. From: (was Re: Simple au… Dave Crocker
- Re: [dmarc-ietf] Simple authorization offers reas… Hector Santos
- Re: [dmarc-ietf] Simple authorization offers reas… Hector Santos
- Re: [dmarc-ietf] Simple authorization offers reas… MH Michael Hammer (5304)
- Re: [dmarc-ietf] Sender: vs. From: (was Re: Simpl… Murray S. Kucherawy
- Re: [dmarc-ietf] Sender: vs. From: (was Re: Simpl… Dave Crocker
- Re: [dmarc-ietf] Sender: vs. From: (was Re: Simpl… Hector Santos
- Re: [dmarc-ietf] Sender: vs. From: (was Re: Simpl… Douglas Otis
- Re: [dmarc-ietf] DMARC ATPS Interop Note Franck Martin
- Re: [dmarc-ietf] DMARC ATPS Interop Note John Levine
- Re: [dmarc-ietf] DMARC ATPS Interop Note Franck Martin
- Re: [dmarc-ietf] DMARC ATPS Interop Note John R Levine
- Re: [dmarc-ietf] DMARC ATPS Interop Note Franck Martin
- Re: [dmarc-ietf] DMARC ATPS Interop Note John R Levine
- Re: [dmarc-ietf] DMARC ATPS Interop Note Stephen J. Turnbull
- Re: [dmarc-ietf] DMARC ATPS Interop Note Hector Santos