IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Jesse Thompson <zjt@fastmail.com> Sun, 09 April 2023 13:33 UTC

Return-Path: <zjt@fastmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81EA6C15154C for <dmarc@ietfa.amsl.com>; Sun, 9 Apr 2023 06:33:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.com header.b="p63/5I5d"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="gLL4qMz3"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u391u17RN4HH for <dmarc@ietfa.amsl.com>; Sun, 9 Apr 2023 06:33:15 -0700 (PDT)
Received: from wout3-smtp.messagingengine.com (wout3-smtp.messagingengine.com [64.147.123.19]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3CB3C151538 for <dmarc@ietf.org>; Sun, 9 Apr 2023 06:33:15 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 2EE553200035 for <dmarc@ietf.org>; Sun, 9 Apr 2023 09:33:13 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute1.internal (MEProxy); Sun, 09 Apr 2023 09:33:13 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm2; t=1681047192; x=1681133592; bh=gO BzYWEuM6zkVil7HVweZj//mYosqDO6i9TcLuwRyzM=; b=p63/5I5d5YNkkfE/yb GweX4VNV1g8PwsQSoD3qZJKx4LUGEG4we+zhMix/25lsvreqaPtUKSTr6V9hCDSg 7Oih7jUE01v5FrmTOyw5g0XL29nUc3Poixe0OmquQ2mo4UAN29p4+2K4yGLtMuya RvB5oHKKNrXFUFLdcX7H02X27Rh9nJxpDzfIZPUat7ZyO1TvfGmxmXKyp85+zuKe vqA/RzH+Sjo4Dadwdy+XeYgARH7GGH6bCifk0IP4uA2irSeIALuGxetH9RGyqDAY OsBJiIU8qBLQmtsStjZjh84s8g32/+/uMKQ/dM7B8Df+GZ4QqkVkgat+aKhbyPeU qX8Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; t=1681047192; x=1681133592; bh=gOBzYWEuM6zkV il7HVweZj//mYosqDO6i9TcLuwRyzM=; b=gLL4qMz3P/Jrnznd0G0GmT/PAj9OY te2XpiLobtv8YNc8CnnbJHhjDQmqGR27WzsmG4sZj76xybjBmzhV9jsRX7WbSA04 LZfC1SVvTHmQ1S6hOeO8f8Y4X1SENxzwFuelsIIIBE9CzQBaeERBYCfHF+FFE8JM U4l1i9RU1ndv+xAiIWgNQx+6SAjMQTB9sVazUnI0xbtrxRIBDMd5uM1rNHx1ngUW MFESC+MRm8XsFQbED/JlkaKkIZdHu4rxjcY8IluDD4Fu4+8NTJ8vjpHl/213dTN4 ghoc9uPHslyZiNfUbdxQIJWvz7TsxYe3ztZxLt0YF5G8yKCPfK0z+V3Xg==
X-ME-Sender: <xms:mL4yZGmKKqlh9SyUS5iXNbl-24y_O4p17d_RnTrotZ0TSp8st7hkRg> <xme:mL4yZN1gOS7h2CFvVsUsFcst2ijfeTNB1dKltcg4pGzYKZaZ3NCFn5voauOJfwRgB nTM73kWsjKm_QalRf0>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvdektddgieejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerredtnecuhfhrohhmpedflfgvshhsvgcuvfhhohhmphhsohhnfdcuoeiijhhtsehf rghsthhmrghilhdrtghomheqnecuggftrfgrthhtvghrnhepgeeulefhfedtheeguedvud evkeduveelffevueehuddutdduhfejfeegleffieegnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepiihjthesfhgrshhtmhgrihhlrdgtohhm
X-ME-Proxy: <xmx:mL4yZEokkSTLSnkY3V4hABYLD0S_RUl3by1BDvwFt3Sr3EJuYM_2zQ> <xmx:mL4yZKlbgt3aLnAuy1JQoB01wacU1Me0rNv--BObsGoIr8cso92VTw> <xmx:mL4yZE2h6rjph2_BWms-znRNZzkisfXk8WGMyVi0Z5auYx4tKlP5og> <xmx:mL4yZFB58P6Qs8uqAeu5D0_TKhEwU-tqq3x1u5NPooQk1328otbI5A>
Feedback-ID: i1a614672:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 7FF4FBC0083; Sun, 9 Apr 2023 09:33:12 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-334-g8c072af647-fm-20230330.001-g8c072af6
Mime-Version: 1.0
Message-Id: <7b599a98-922a-44db-af91-2f8aa0f74181@app.fastmail.com>
In-Reply-To: <4a0dba74-3e25-b9cb-dd64-20bf04ae76ba@tekmarc.com>
References: <20230409005207.DCA8BBD1CC17@ary.qy> <4a0dba74-3e25-b9cb-dd64-20bf04ae76ba@tekmarc.com>
Date: Sun, 09 Apr 2023 08:32:37 -0500
From: Jesse Thompson <zjt@fastmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="de6cc8e89a3b41fc89f144297896cf1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7gCnZy0WEQ7Gan5dRQHS5tbozrU>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Apr 2023 13:33:20 -0000

On Sat, Apr 8, 2023, at 8:17 PM, Mark Alley wrote:
> Personally, I prefer the latter of the two, quoted below.
> 
> "to preserve interoperability, domains SHOULD NOT publish p=reject unless they are [not general purpose]* domains"
> 
> "Publishing DMARC records with restrictive policies does cause interoperability problems for some normal email usage patterns. Potential impacts MUST be considered before any domain publishes a restrictive policy."

I like the latter, as well. I was going to suggest something similar.

As Todd previously stated, my preference is for language that acknowledges the primacy of the domain owner over interoperability. CISOs have been sold (arguably, by the DMARC deployment companies' marketing) on the idea that there are security benefits. Maybe oversold, but there are benefits and the motivation will not change. Let's not also overlook the primary benefit of _the process of deploying DMARC_ gives to an organization: increased management and governance (enabled by the observability from the reports). In any case, the domain owner is motivated to deploy DMARC and gain the perceived benefits. If we are going to tell these motivated domain owners to MUST do something, at least make it something they might consider doing.

"Before a general purpose domain publishes p=reject|quarantine, the domain owner MUST emit mail from, or provide to their stakeholders/end-users, an alternative domain or subdomain with a p=none policy for any email that needs to traverse a non-DMARC-mitigating MLM or (more generally) from any 3rd party that cannot be authorized by SPF or DKIM alignment."

That, combined with Mark's language, I think would resonate with domain owners more than MUST NOT p=reject.

Jesse

v2.23.0 | Report a Bug | By Email