Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)
Scott Kitterman <sklist@kitterman.com> Thu, 14 March 2024 14:22 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53B62C14E513 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 07:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.407
X-Spam-Level:
X-Spam-Status: No, score=-4.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="m06LSBTm"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="C7lhnHK7"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBMVPg9aMW4i for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 07:22:32 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12025C14F5E4 for <dmarc@ietf.org>; Thu, 14 Mar 2024 07:22:31 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id CD5F2F80245 for <dmarc@ietf.org>; Thu, 14 Mar 2024 10:22:21 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1710426126; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=R1+2X+CO3ntRLPzMxxfzB73feuPfrJHFmvSm3k4/hVU=; b=m06LSBTmxyxVwEPaSUJBVvEHWDC7o4CE+qmZyX8K+3OIOBBUUwPu/XFPK/0NPtRDCXgPE G7vmJf87Qml8njYDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1710426126; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=R1+2X+CO3ntRLPzMxxfzB73feuPfrJHFmvSm3k4/hVU=; b=C7lhnHK7WK4L+D0+slDjduGkJeft0Jz29kL+QPl60xeBcD7T6frgLFE8IEfKEAGHjwbZ7 o6fXrlpsLYa1i2CKUYgpjU2EAufqFsPQAmBMFbsQs4zzIFxeJcHBHegHPeEHa5NJN16LRCA BWP/HzZtOjhdMFZEmWUAkJoL21/TP6fH6R7kbb/1zxfRG1X9d5DQBq0vALxprvo8LCQShf9 cVrfbSUu2n65zsBlUMh4RFpMblw+wZ988PoygOnVlpllLwekFEyasQuKif15WBOpM+916Id azjBg2X4Bc8RGfE6vWW8v1LjyFBwC5kJbLjpHZebBTERT6klsWgvqPD5y7fA==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id C872DF80211 for <dmarc@ietf.org>; Thu, 14 Mar 2024 10:22:06 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 14 Mar 2024 10:22:01 -0400
Message-ID: <2150966.ihIA7YduRg@zini-1880>
In-Reply-To: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com>
References: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/82NQsNIq-AE3mn4iYZwYaev7FWg>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 14:22:36 -0000
On Thursday, March 14, 2024 10:09:37 AM EDT Todd Herr wrote: > Colleagues, > > After reviewing the "Another point SPF advice" thread and Murray's separate > post re: SHOULD vs. MUST, I have opened issue 132 on the topic: > > The current text of section 5.5.1, Publish and SPF Policy for an Aligned > Domain, reads: > > ================================================== > Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to > take full advantage of DMARC, a Domain Owner SHOULD first ensure that SPF > and DKIM authentication are properly configured. As a first step, the > Domain Owner SHOULD choose a domain to use as the RFC5321.MailFrom domain > (i.e., the Return-Path domain) for its mail, one that aligns with the > Author Domain, and then publish an SPF policy in DNS for that domain. The > SPF record SHOULD be constructed at a minimum to ensure an SPF pass verdict > for all known sources of mail for the RFC5321.MailFrom domain` > ================================================== > > In the ticket, I propose the following replacement text: > > ================================================== > Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376], in order to > take full advantage of DMARC, a Domain Owner MUST first ensure that either > SPF or DKIM authentication are properly configured, and SHOULD ensure that > both are. > > To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as > the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail > that aligns with the Author Domain, and then publish an SPF policy in DNS > for that domain. The SPF record MUST be constructed at a minimum to ensure > an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom > domain. > ================================================== > > In addition, the last paragraph in section 5.5.2, Configure Sending System > for DKIM Signing Using an Aligned Domain, reads: > > ================================================== > The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d= domain > in the DKIM-Signature header) that aligns with the Author Domain. > ================================================== > > In the ticket, I propose the following new text: > > ================================================== > To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing > domain (i.e., the d= domain in the DKIM-Signature header) that aligns with > the Author Domain. > ================================================== > > Further notes on the threads that gave rise to this ticket: > > - I do not believe that recommending the use of the ? modifier in an SPF > record configured for DMARC is appropriate, since as I understand the ? > modifier, the result produced is not "pass", but rather "neutral", which > is the same as "none". Therefore, an SPF record using ? would not produce > an aligned pass to be used with DMARC. I am willing to be convinced that > I'm wrong here. > - That said, I think there is room for discussion of too-permissive SPF > records and the cross-user forgery discussed in RFC 7208 Section 11.4, > and I will open a separate issue for that to expand on section 8.1 I think MUST do SPF or DKIM, SHOULD do SPF, to do SPF MUST do xxx, SHOULD do DKIM, to do DKIM MUST do yyy is reasonable (that's how I parsed your proposed changes, is that right?). I think it's an improvement and assuming I am reading it correctly, I support the change. Relative to the further notes section: I think we need to do something about this. For SPF, there's a trade off available when including third parties in your SPF record that allows you to have them not fail SPF, but not be aligned for DMARC purposes (the ? qualifier). It's a trade off and that trade off should be described. Third parties are always a risk. If you set up DKIM signing for a third party and they sign mail from your domain that you didn't send, you'll get the exact same issue. It's fundamentally the same problem. Just because we aren't seeing scads of this at the moment, doesn't mean we should ignore it. I'll leave this just as a thought for now, since we should discuss it in the other issue, but I think this discussion probably belongs in security considerations. Scott K
- [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … John Levine
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Hector Santos
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Hector Santos
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Alessandro Vesely