IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Dotzero <dotzero@gmail.com> Sat, 22 October 2022 16:26 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18EE4C14CE26 for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 09:26:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TvsEg0jthxzJ for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 09:26:06 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26B7CC14CF0F for <dmarc@ietf.org>; Sat, 22 Oct 2022 09:26:06 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id p6so4940363plr.7 for <dmarc@ietf.org>; Sat, 22 Oct 2022 09:26:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Jqh/4D0Gas0CQVj4nui3exkMZUNxRTQWqm40jzXR+LQ=; b=Eqb160nHZxHbMCbh/kLyL6KCZr1UDZYd43daXRJe/Hh4BJ99RApFsCG4A7gr6CfJPC bnskZ+jktLkMRGo0icUXjusZAHTAiYoDtflEsfOJ+w9lhaBFFuqgYRouxQbD76tEd6ek XGgvFuHYHx3Um4rGTP8yl6DbI+SGVk8G6lQOBHTfCWx+beMFRmODa9ZPuy8Z9ZDdVSB0 Nggwh7OgDGsmAmrMPY68g8wkYo7b8gt/VL6uEc+hBHp0bt6CjDqa0nNDs8tM7nW3bF5p rVGa2xRLFF8Ox63u5nsnNIkouZ6f7nkBSuU7NrKSyGhY/jV+iN1ZB8QY8LfKp75il+an PLYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Jqh/4D0Gas0CQVj4nui3exkMZUNxRTQWqm40jzXR+LQ=; b=gvEo8mP5GDg83giQKsZH4s8sMxyuQs9nXoYneb0ze1XulxMHeT5iN8qg0Wc06nWhqm fBFCHHRjnP5GbTewSvynYCEzzDcu5Pjo5kTkl2qxBaPeGFXlFyUhzl/5rycJ5pdi+61k tM4JfdbSs4u2/NqvxfO0Kq5RAQuk8bkPYVwOVy6CQBhA2B+LvUF/fdYl2ISbOMXt3mNK nYeXKovZ1Dge7saTKo+34iDTxDzZG5XNBmNjaLy+5767VIRodMGCOR46aN0xC8h6YvW9 sAiA+Kkwp0/ENtza6RK4QYqrG/RGOptkWhjdQzNWLTvI1F0k+uEMtQeIzRigrsDvRQTm 0RTw==
X-Gm-Message-State: ACrzQf1zCgyaL/V659UbVHZvwuIvt90fHgh/65xgnJLZLJgRY27sWK/7 hs0ZRiSuA6n98rpHgqTtmPu6P7IlnezAESBn0AY=
X-Google-Smtp-Source: AMsMyM7Xqccx+PDVvi92zmJglxksRE3zB0SS3DbjN5SF3+CJcP2LLnG+vNIsulAmiYD800dBXiB8/5ybbmV9sNI0LK8=
X-Received: by 2002:a17:903:1110:b0:178:9f67:b543 with SMTP id n16-20020a170903111000b001789f67b543mr24718211plh.131.1666455965280; Sat, 22 Oct 2022 09:26:05 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com> <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com> <CAH48ZfxHzEHRGW-Omkj_HotO6kSdUByxhJstQTWn5hpOapYaRQ@mail.gmail.com>
In-Reply-To: <CAH48ZfxHzEHRGW-Omkj_HotO6kSdUByxhJstQTWn5hpOapYaRQ@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Sat, 22 Oct 2022 12:25:55 -0400
Message-ID: <CAJ4XoYe+s7BmFcvtNPaWu1i4kv_j=CtqA1DbkusfGk9s4rDYeA@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d82c7405eba203d2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/81vmQHGjXSCzJtMLOsg0aB1HhLg>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Oct 2022 16:26:07 -0000

Unaligned signatures are orthogonal/irrelevant to DMARC. They may be useful
in other contexts. In the DKIM standard, signatures mean that the signer is
asserting some (unspecified) responsibility for the signed message. That
may be useful for some reputation systems.

Michael Hammer

On Sat, Oct 22, 2022 at 9:50 AM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> Yes, it could have multiple causes.
>
>   I was just trying to elucidate a reason why unaligned signatures are
> needed.
>
> Instead I conclude that one best aligned signature is all that is needed
> for reporting.  Not 100, not 10, just 1.
>
> Doug
>
> On Sat, Oct 22, 2022, 7:43 AM Dotzero <dotzero@gmail.com> wrote:
>
>> " 3) A signature has been compromised and an unauthorized source is
>> sending authenticated mail.  SPF FAIL with DMARC PASS provides the alarm
>> trigger."
>>
>> This is incorrect. SPF FAIL with DMARC PASS can simply be an indirect
>> mail flow. It might also be an incorrectly configured SPF record.
>>
>> Michael Hammer
>>
>> On Fri, Oct 21, 2022 at 5:57 PM Douglas Foster <
>> dougfoster.emailstandards@gmail.com> wrote:
>>
>>> I remain unconvinced.   Mail is nearly free to the sender, but expensive
>>> and risky for the recipient and his organization.   Anything unwanted
>>> message that gets through the spam filter consumes a person's time, which
>>> is a non-trivial opportunity cost.   Asking me to accept extra cost to
>>> provide "nice to have" data is too much.
>>>
>>> Your first scenario is mostly about what an evaluator can do.  I think
>>> there is an opportunity and need to discuss all the ways that an evaluator
>>> can obtain acceptable authentication on a message that fails SPF or DKIM,
>>> but the chairs have been clear that doing so is "not DMARC" and out of
>>> scope.    I don't see is how the aggregate report contents facilitate or
>>> hinder your un-munging algorithm.
>>>
>>> I am not a mass mailer with a complicated identity structure, so I am
>>> willing to be educated about the wonderful things that can be learned from
>>> aggregate reports.   Based on my current knowledge, the use cases seem few,
>>> and do not need unaligned results.
>>>
>>> 1) A server is sending legitimate mail and is correctly configured with
>>> both SPF and DKIM.   The feedback from non-forwarded recipients confirms
>>> this fact.
>>>
>>> 2) A server is sending legitimate mail on behalf of the domain owner,
>>> but has a configuration error:  no signature, invalid signature, or using a
>>> server not in SPF record.    SPF results from non-forwarded recipients will
>>> identify the problem so that it can be corrected.
>>>
>>> 3) A signature has been compromised and an unauthorized source is
>>> sending authenticated mail.  SPF FAIL with DMARC PASS provides the alarm
>>> trigger.
>>>
>>> 4) A server is using a delegated signature for an unauthorized purpose.
>>>  Nothing in the reports is likely to indicate this problem.   If it is
>>> detected from other sources, the correction involves revoking the public
>>> key and terminating the offending organization.
>>>
>>> 5) Some mail is failing authentication after forwarding without MailFrom
>>> rewrite or forwarding with changes.    The IP address and MailFrom address
>>> help to identify the problem but the domain owner has no ability to correct
>>> the problem.   He can use p=none to limit the consequences.
>>>
>>> 6) Some mail is failing authentication because it originates from an
>>> illegitimate source.      The IP address and MailFrom address help to
>>> identify the problem but the domain owner has no ability to correct the
>>> problem.   He can use p=reject to limit the consequences.
>>>
>>> Case 5 and Case 6 are distinguishable only by the reputation of the
>>> server or Mail>From address.   Malicious senders are unlikely to add a
>>> signature to prove their identity, so perhaps a signature suggests case 5
>>> rather than case 6.   But a competent forwarder will be doing MailFrom
>>> rewrite, so the forwarder identity will be present whether a signature is
>>> added or not.
>>>
>>> These use cases do not deal with authentication failures after multiple
>>> forwards.   An abundance of signature data might allow the domain owner to
>>> reconstruct the forwarding path, but is that something he needs to do,?   I
>>> don't think so.
>>>
>>> As for the duplicate signature issue, my rule would detect support for
>>> the new signature algorithm if it appears first.
>>>
>>> I would be happy to hear a case summary which indicates how a real
>>> problem was solved, and was only solvable using non-aligned results.
>>>
>>> Doug Foster
>>>
>>>
>>>
>>> On Fri, Oct 21, 2022 at 4:11 AM Alessandro Vesely <vesely@tana.it>
>>> wrote:
>>>
>>>> On Fri 21/Oct/2022 00:53:56 +0200 Douglas Foster wrote:
>>>> >
>>>> > Aligned DKIM PASS
>>>> > When an aligned DKIM result is PASS, I don't see that the domain
>>>> owner needs
>>>> > any more data collection performed.   The verifiable DKIM scope ID
>>>> should tell
>>>> > him where the message originated, and the source IP and HELO name
>>>> tell the last
>>>> > place it landed before delivery.    I cannot see why a domain owner
>>>> would spend
>>>> > a lot of time trying to analyze success results, unless his interests
>>>> have
>>>> > transitioned from assuring identity to analyzing marketing impacts.
>>>>  We are
>>>> > not trying to provide marketing data, and any successful use of DMARC
>>>> for that
>>>> > purpose seems like an encroachment on the privacy concerns that we
>>>> want to
>>>> > minimize.
>>>>
>>>>
>>>> Non-aligned signatures can be meaningful for various reasons.  In that
>>>> case,
>>>> the result of their evaluation is also meaningful.  For an example, the
>>>> original author's domain signature, before From: was munged, is
>>>> meaningful.  If
>>>> it fails, it can be retried after undoing MLM transformation, possibly
>>>> leading
>>>> to secure recognition of the true author.  Is that worth its carbon
>>>> footprint?
>>>>
>>>> And for scope, one may wonder whether the recognized, or failed to be
>>>> securely
>>>> recognized original author's domain deserves a copy of the report.
>>>> People
>>>> prone to set p=quarantine; pct=0 in order to avoid receiving "errors"
>>>> would
>>>> clearly dislike a copy of the report.  Others may want it, in order to
>>>> tune
>>>> their DKIM signing configuration.
>>>>
>>>>
>>>> > Duplicates:
>>>> > If an aligned domain has multiple DKIM signatures and one passes, I
>>>> suggest
>>>> > that the PASS is the only one that needs to be reported.  If an
>>>> aligned domain
>>>> > has multiple DKIM signatures and none pass, I suggest that the first
>>>> one found
>>>> > (from the top) is the most important, because it is the last one
>>>> applied.   If
>>>> > duplicates are reported, disaggregation is increased, so why report
>>>> data that
>>>> > is not useful?
>>>>
>>>>
>>>> Currently, putting 2 signatures, one rsa and one ed25519, is the way to
>>>> monitor
>>>> who supports the latter.
>>>>
>>>>
>>>> Best
>>>> Ale
>>>> --
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> dmarc mailing list
>>>> dmarc@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>>
>>> _______________________________________________
>>> dmarc mailing list
>>> dmarc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>

v2.23.0 | Report a Bug | By Email