IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 29 March 2023 11:59 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BF7FC15EB2E for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 04:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EV42_pHiFdTB for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 04:59:29 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60D87C13AE22 for <dmarc@ietf.org>; Wed, 29 Mar 2023 04:59:29 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id 20so15825634lju.0 for <dmarc@ietf.org>; Wed, 29 Mar 2023 04:59:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680091167; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=XpIBip/PVPStzkOHFbO1GDcqVxZ2fJRwH1xKrhpO4zQ=; b=CmjY3yhFzpCjGenrHrUsOOT2bgv6Ao7xu4cHVfjfkENhJRO4oalpu8QIp8TVpw+fU1 rZxByQ9/F9uLBYPIsvYRwP3y3MaqChgqwTE6RB3q08RGVbO2XEix9b7kvqaxGo977eIJ 1HEiC4XwE2dLugZFr8MWGang/hnnOsnNTlRTvk1XJRELEAIXK8w0nGgW+vTry5ygCrsi KbdxcsJTGYmu+Od7ptwBsWr22Cwe4qUt2vFdUkAnCGp/Jp6I9bID/o0g4E443kkmKF1G mXe7el+LSW7zdhhSvmDrPPCMqKwiFchmTmuDGGtGmhCPRuHFe7WTTYKCVGAjqdwwuFjX NkrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680091167; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XpIBip/PVPStzkOHFbO1GDcqVxZ2fJRwH1xKrhpO4zQ=; b=VhVMv/jbdtxEx5nZXEMIQCa26HDE7gDvUXN6AONS5vFjW3rOcPyNj+BPypRl+MO5Lr cYrImDguqNGevc2SBFB9RZaFGvbm/MTlD1mDOzRgkag+faNUFFBU0tojNOk8B6A8xwgO OZR3oLmj3aO1EY8P9QRGprjGGTSZxtl+2xV5ri8Se8qX0h9u+SVV9aCVbqHJuOYJU2ol GgLKOOdefWdtYwGSFGNtKp/4HL6Wq/Br0yT/b97f65YgySzn9LiuXNATEEiPAoy2dPz4 TI30VrAGVpY9aBSipVa0zkJoxS7kCcIyJbihfK9NOq82GETYoqeG6aeTzfS29JhahfF5 wxJA==
X-Gm-Message-State: AAQBX9f4wP3FEYBkk3rixDT8MsxoNACD8SpNNbozuAeUvU4GTUtZktx8 7kFkVyXCCgL/yUl4XuEymLRdcZl/e+U4SW2DA8H3Azuk
X-Google-Smtp-Source: AKy350ahXodZm9Xh5UoLhfv6dXMJk3Do+H7p1J9Xh5oWC6zIXUmAwLA2pF/N/50L8IhvMy4VkOQWhqe2NW6ASxO5ylE=
X-Received: by 2002:a05:651c:21a:b0:2a5:fa58:cac2 with SMTP id y26-20020a05651c021a00b002a5fa58cac2mr2989852ljn.1.1680091166519; Wed, 29 Mar 2023 04:59:26 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <d02bfc46-efd1-28db-c14a-5c1365aefcbb@tana.it>
In-Reply-To: <d02bfc46-efd1-28db-c14a-5c1365aefcbb@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 29 Mar 2023 07:59:15 -0400
Message-ID: <CAH48ZfwhLE0bhG9aqUjkqBpGLTXj2NmdDR2F8aMeBGvOXVX7vw@mail.gmail.com>
To: Alessandro Vesely <vesely@tana.it>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002bb2dd05f808b5a6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7QRWf5X30lOSHB2t9wRg7Jmn7n0>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 11:59:33 -0000

MUST seems to take us back to the unfinished debate of 3 years ago, where
some asserted that DMARC did more harm than good and should only be used
for transactional mail, which seemed to mean PayPal and not much else.

On Wed, Mar 29, 2023, 6:18 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Tue 28/Mar/2023 10:15:04 +0200 Barry Leiba wrote:
> > I raised this issue in the DMARC session in Vienna, and have let it
> > sit for a while so as not to derail other discussion.  As we're pretty
> > close to finished with the DMARCbis document, I'd like to raise it
> > again, this time with specific proposed text for us to discuss.
> >
> > And so:
> >
> > OLD
> >
> >     5.5.6.  Decide If and When to Update DMARC Policy
> >
> >     Once the Domain Owner is satisfied that it is properly authenticating
> >     all of its mail, then it is time to decide if it is appropriate to
> >     change the p= value in its DMARC record to p=quarantine or p=reject.
> >     Depending on its cadence for sending mail, it may take many months of
> >     consuming DMARC aggregate reports before a Domain Owner reaches the
> >     point where it is sure that it is properly authenticating all of its
> >     mail, and the decision on which p= value to use will depend on its
> >     needs.
> >
> > NEW
> >
> >     5.5.6.  Decide If and When to Update DMARC Policy
> >
> >     Once the Domain Owner is satisfied that it is properly authenticating
> >     all of its mail, then it is time to decide if it is appropriate to
> >     change the p= value in its DMARC record to p=quarantine or p=reject.
> >     Depending on its cadence for sending mail, it may take many months of
> >     consuming DMARC aggregate reports before a Domain Owner reaches the
> >     point where it is sure that it is properly authenticating all of its
> >     mail, and the decision on which p= value to use will depend on its
> >     needs.
> >
> >     It is important to understand that many domains may never use
> >     policies of “quarantine” or “reject”, and that these policies are
> >     intended not as goals, but as policies available for use when they
> >     are appropriate.  In particular, “reject” is not intended for
> >     deployment in domains with users who send routine email, and its
> >     deployment in such domains can disrupt indirect mail flows and cause
> >     damage to operation of mailing lists and other forwarding services.
> >     This is discussed in [RFC7960] and in Section 5.8, below.  The
> >     “reject” policy is best reserved for domains that send only
> >     transactional email that is not intended to be posted to mailing
> >     lists.
> >
> >     To be explicitly clear: domains used for general-purpose email MUST
> >     NOT deploy a DMARC policy of p=reject.
> >
> > END
> >
> > I'm well aware that the MUST will *not* be followed by everyone, and
> > that some domain owners will feel that they need to use p=reject,
> > regardless.  I think that's fine: the standard should specify what's
> > right for interoperability, and I believe that improper use of
> > p=reject is extremely harmful to interoperability... so "MUST" is
> > correct here.  And no one will be arrested or fined for choosing not
> > to follow it.  We should still say it, nonetheless.
>
>
> I think I grasped Pete's point that MUST is appropriate here even if some
> domain owners do otherwise.  If we wanted to say "MUST unless" then we
> ought to
> say SHOULD, but this is not the case.
>
> General purpose domains, and some well known freemail providers, should
> never
> have set strict policies.  Yet, they did.  No clear wording is going to be
> able
> to correct that practice.  Cannot push the genius back into the bottle.
>
> I'd mention indirect mail flows explicitly, rather than referring to
> generic
> interoperability problems.  But several mailing list adopted expedients in
> order to overcome those problems.  Furthermore, there are experimental
> protocols that address the issue maintaining the end-to-end nature of
> existing
> identifier fields, and more are going to come.  It is possible that a
> future
> ecosystem will support strict DMARC policies for everyone.  Thus it is a
> "MUST
> until" rather than unless.  Is that compliant with RFC 2119?
>
>
> Best
> Ale
> --
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email