Re: [dmarc-ietf] Mandatory Sender Authentication

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Mon, 03 June 2019 14:29 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=from:to:subject; bh=JCdcZgcO6F2R3bVXDn6EjxBBG5tW9MobwwhvoE4OYNA=; b=GKR4RldgO+ua0sjfvOO975LbwqI3c/LEWLmiDgbZstXC5gS8lzFeeXtn7XIVyORMz hTYhs3B4MQh/8lMj8YjZHbJtH4SSkJZrPR+n70An2hlXrc5jMcjT2la11o/u4kL8d 7A+izuEfCshH25prixzkKYnY4yLO5sMhswpuh/+Eo=
Message-Id: <20190603142956.66B31120252@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7_8DfPSyAsSDs-TXq2gpgrD0SLU>

-------- Original message --------
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
Date: 6/3/19 9:59 AM (GMT-05:00)
To: dmarc@ietf.org
Subject: [dmarc-ietf] Mandatory Sender Authentication

Our real goal needs to be mandatory sender authentication. Any secure email gateway must go through these steps:


	Source Analysis:  Filter message from unwanted sources
	Sender Authentication:  Filter messages that are attempting impersonation
	Content Analysis:  Filter messages with unwanted content


Content filtering always requires exceptions, and those exceptions are granted based on the sender. Such exceptions are only safe and appropriate if the sender is verifiable. If the exception is applied to an unverified sender, it is possible for a spamming impersonator to gain the elevated trust and reduced filtering which was only intended for the trusted sender.

 

So Sender Authentication needs to become mandatory:


	Senders MUST implement SPF or DKIM, and SHOULD implement both. Although the MX list becomes a default SPF list for those who do not publish a policy.
	MTAs MUST ensure that DKIM signatures remain verifiable. If they are unwilling or unable to do so, they should reject the message with a PermError.
	Forwarders MUST either forward with breaking DKIM signatures, rewrite messages under their own identity, refuse the message, or discard the message as spam.
	IETF MUST provide a way for intermediate systems (both spam filters and list forwarders) to insert content under their own signature, without breaking original signatures. This will have implications for MUAs.


Sure it will be hard, but has this not been what you have been trying to achieve for 15 years?  SPF and DKIM provided the enabling technology, but they were deployed as sender options.

 

Doug Foster
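The failure mode the message describes, a sender-keyed filtering exception that an impersonator inherits because the exception was keyed on an unverified sender, can be shown side by side with the safe form. The following is an added example and not code from the author or from any gateway product: it contrasts an exception keyed on the visible From: header alone with one that additionally requires a DKIM or SPF pass, recorded in an RFC 8601 Authentication-Results header, whose identifier aligns with the From: domain. The allowlist (partner.example), the gateway's authserv-id (filter.example), the attacker domain and all four messages are constructed for the example, and relaxed alignment is approximated with a suffix check rather than the public suffix list.

```python
"""Sender-keyed filtering exceptions: keyed on From: alone (spoofable) versus
backed by an aligned DKIM or SPF pass recorded in Authentication-Results
(RFC 8601). Allowlist, authserv-id and messages are constructed for the example."""
import email
from email.utils import parseaddr

ALLOWLIST = {"partner.example"}   # hypothetical: senders granted reduced filtering
AUTHSERV_ID = "filter.example"    # hypothetical authserv-id of our own gateway


def from_domain(msg) -> str:
    """Domain of the RFC5322.From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(msg, authserv_id=AUTHSERV_ID):
    """Return [(method, result, {ptype.prop: value}), ...] from the topmost
    Authentication-Results header, and only if it carries our authserv-id.
    The gateway prepends its own header on receipt, so anything below it
    (including a forged header that claims our authserv-id) is untrusted."""
    headers = msg.get_all("Authentication-Results", [])
    if not headers:
        return []
    parts = [p.strip() for p in str(headers[0]).split(";") if p.strip()]
    if not parts or parts[0].split()[0].lower() != authserv_id:
        return []
    results = []
    for resinfo in parts[1:]:
        tokens = resinfo.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep and "." in key:            # ptype.property=value
                props[key.lower()] = value.lower()
        results.append((method.lower(), result.lower(), props))
    return results


def aligned(identifier: str, domain: str, relaxed: bool = True) -> bool:
    """DMARC-style alignment. Strict: exact match. Relaxed: same organisational
    domain, approximated here by a suffix check where production code would
    consult the public suffix list."""
    if identifier == domain:
        return True
    return relaxed and (identifier.endswith("." + domain)
                        or domain.endswith("." + identifier))


def exception_applies_naive(msg) -> bool:
    """Vulnerable: keys the exception on From:, which any sender can write."""
    return from_domain(msg) in ALLOWLIST


def exception_applies_authenticated(msg) -> bool:
    """Hardened: From: must be allowlisted AND backed by an aligned DKIM pass
    (header.d) or an aligned SPF pass (smtp.mailfrom)."""
    domain = from_domain(msg)
    if domain not in ALLOWLIST:
        return False
    for method, result, props in parse_auth_results(msg):
        if result != "pass":
            continue
        if method == "dkim" and aligned(props.get("header.d", ""), domain):
            return True
        if method == "spf" and aligned(
                props.get("smtp.mailfrom", "").rpartition("@")[2], domain):
            return True
    return False


def evaluate(raw: bytes) -> dict:
    """Run both policies over one raw message."""
    msg = email.message_from_bytes(raw)
    return {"naive": exception_applies_naive(msg),
            "authenticated": exception_applies_authenticated(msg)}


# Constructed messages, as seen after our gateway prepended its own results.
LEGIT = b"""Authentication-Results: filter.example; dkim=pass header.d=partner.example;
 spf=pass smtp.mailfrom=bounce@partner.example
From: Accounts <ap@partner.example>
"""
SPOOF_NO_AUTH = b"""Authentication-Results: filter.example; dkim=none; spf=fail
 smtp.mailfrom=ap@partner.example
From: Accounts <ap@partner.example>
"""
SPOOF_UNALIGNED = b"""Authentication-Results: filter.example; dkim=pass
 header.d=attacker.example; spf=pass smtp.mailfrom=x@attacker.example
From: Accounts <ap@partner.example>
"""
SPOOF_FORGED_AR = b"""Authentication-Results: filter.example; dkim=none; spf=none
Authentication-Results: filter.example; dkim=pass header.d=partner.example
From: Accounts <ap@partner.example>
"""
```

Running `evaluate` over the four messages shows the point: the From:-keyed policy grants the exception to all four, while the authenticated policy grants it only to the message whose DKIM signature domain (or SPF MAIL FROM domain) aligns with the allowlisted From: domain. The third message passes DKIM for the attacker's own domain, which is exactly why alignment, not a bare "pass", is the condition, and the fourth message carries a forged Authentication-Results header below the gateway's own, which the parser ignores by trusting only the topmost header.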