Re: [dmarc-ietf] Fwd: New Version Notification for draft-fosterd-dmarc-spf-best-practices-00.txt

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 16 May 2023 01:58 UTC

References: <168402769728.53698.12482791152259255661@ietfa.amsl.com> <CAH48ZfzsbYb40z31HM1fAh2_BxYOfFP+eQEg6RBnhCSWpsGfTA@mail.gmail.com> <3498d00d-adb1-e157-1c05-961879e08caf@tana.it>
In-Reply-To: <3498d00d-adb1-e157-1c05-961879e08caf@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 15 May 2023 21:57:56 -0400
Message-ID: <CAH48ZfzBWC3eyT6AKnmPjef4_V9FFMLcMQ+Da6czN6wAgRzuPQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000e4aa705fbc5e7de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/8ElpB1mKiTxQg99UZseHYcN3Hwk>
Subject: Re: [dmarc-ietf] Fwd: New Version Notification for draft-fosterd-dmarc-spf-best-practices-00.txt

Ale, I am disappointed by your characterization of it as "might be useful",
but I appreciate that you engaged with the topic quickly.

I feel as much passion about exception management as the rest of the group
feels about mailing list damage.

Consider this simple and common authentication problem:

"Example.com has started using Outlook.com as their hosting service, but
they forgot to update their SPF record.  Now their messages are returning
SPF FAIL.  They don't have a DKIM signature or a DMARC policy, so there is
no SPF override."

The safe and SPF-equivalent exception will link the "Example.com" SMTP
domain to the "Outlook.com" server domain.  Creating a rule based on source
IPs is impractical, because the number of servers is large and unknowable.
The necessary solution is to check that a host name ends with
"outbound.protection.outlook.com" and can be forward confirmed to the source
IP.  For Outlook.com, only the Reverse DNS is verifiable.  For most other
large hosting services, HELO is verifiable.

Every email filtering product should be able to provide this safe solution
to a common problem.  But you cannot buy a product that can do so.
Instead, you get one of these two "solutions":

   - Lower-end filtering products solve this problem by whitelisting
   Example.com and hoping that it never gets impersonated.

   - Higher-end filtering products say that it is all handled perfectly by
   their Artificial Intelligence layer, which is too complicated to explain,
   but it is nothing to worry about.  Nonetheless, it is impossible to
   configure a rule like that manually.

Since product developers don't know how to handle this simple exception, I
blame the specification for failing to define an exception management
strategy.   Since the group seems unwilling to include exception management
in the specifications, I am hoping at minimum that we can document it in a
Best Practices document.

Doug
On Mon, May 15, 2023 at 4:25 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Sun 14/May/2023 13:32:18 +0200 Douglas Foster wrote:
> >  From the document:
> >
> >     "Without exception management, Sender Authentication dies as soon as an
> >     exception is necessary. A poorly designed exception process may enable the
> >     very impersonations that Sender Authentication is intended to prevent."
> >
> >
> > It could also be subtitled, "How to use Sender Authentication without damaging
> > mailing lists."
>
>
> The I-D seems to be conceived like a postmaster manual.  In that respect, it
> might be useful, and an occasion to clarify the impact of email authentication
> over "traditional" filtering techniques.  However, it is not clarified what
> kind of mechanisms provide the evaluator feedback which allows continuous
> improvement.
>
> The parallel between DMARC and SPF needs to rule out layer violations, since
> SPF is one of the DMARC mechanisms.
>
> Use of SPF is not fully explained.  In particular, Section 2.5,
> Non-privileged Messages with Sender Authentication FAIL and Content Filtering
> PASS, doesn't take into account that SPF fail, -all, can imply rejection at
> MAIL or RCPT commands, whereby the message content won't be available.  (The
> topic is well described in Appendix D of RFC 7208.)
>
> DNS white lists could be mentioned as an example of alternate authentication.
>
>
> Best
> Ale
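As an added illustration of the "SPF-equivalent exception" Doug describes above (forward-confirmed reverse DNS or HELO under a known hosting provider's server domain, tied to one SMTP domain), here is a small Python model. It is not code from the draft, from the message author, or from any filtering product. The IP addresses, host names and the static DNS table are constructed for the example; a real evaluator would replace the StaticResolver with live PTR and A/AAAA lookups. The rule format (smtp_domain, server_domain, verify_by) is this example's own, not anything the draft defines.

```python
"""
Offline model of a safe SPF exception: accept SPF FAIL for a given
MAIL FROM domain only when the connecting host is forward-confirmed to
belong to the provider's server domain (e.g. outbound.protection.outlook.com),
instead of whitelisting the domain outright.
"""
import ipaddress
from dataclasses import dataclass

# Constructed DNS data for the example (hypothetical names and addresses).
PTR_RECORDS = {
    # Legitimate provider host: PTR and forward lookup agree.
    "198.51.100.10": ["mail-xy1.outbound.protection.outlook.com"],
    # Forged PTR: the name claims the provider suffix but does not
    # resolve back to this address, so forward confirmation fails.
    "203.0.113.7": ["mail-zz9.outbound.protection.outlook.com"],
    # Look-alike: the suffix appears inside the name but not on a
    # label boundary, so the domain check must reject it.
    "203.0.113.8": ["relay.outbound.protection.outlook.com.attacker.example"],
}
ADDRESS_RECORDS = {
    "mail-xy1.outbound.protection.outlook.com": ["198.51.100.10", "198.51.100.11"],
    "mail-zz9.outbound.protection.outlook.com": ["198.51.100.99"],
    "relay.outbound.protection.outlook.com.attacker.example": ["203.0.113.8"],
    "smtp.hosting.example": ["192.0.2.50"],
}


class StaticResolver:
    """Stand-in for DNS so the example runs offline."""

    def ptr(self, ip):
        return PTR_RECORDS.get(str(ipaddress.ip_address(ip)), [])

    def addresses(self, name):
        return ADDRESS_RECORDS.get(name, [])


def normalize(name):
    """Lower-case and drop a trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def under_domain(name, suffix):
    """True if name equals suffix or is a subdomain of it (label boundary)."""
    name, suffix = normalize(name), normalize(suffix)
    return name == suffix or name.endswith("." + suffix)


def forward_confirmed(name, source_ip, resolver):
    """The candidate name must resolve back to the connecting IP."""
    ip = ipaddress.ip_address(source_ip)
    return any(ipaddress.ip_address(a) == ip
               for a in resolver.addresses(normalize(name)))


@dataclass(frozen=True)
class ExceptionRule:
    smtp_domain: str    # MAIL FROM domain the exception is scoped to
    server_domain: str  # provider server domain the host must sit under
    verify_by: str      # "rdns" (use PTR names) or "helo" (use HELO name)


RULES = [
    ExceptionRule("example.com", "outbound.protection.outlook.com", "rdns"),
    ExceptionRule("example.org", "hosting.example", "helo"),
]


def exception_applies(mail_from_domain, source_ip, helo_name, resolver, rules=RULES):
    """Return True only if a rule for this SMTP domain is satisfied by a
    forward-confirmed host name under the rule's server domain."""
    mail_from_domain = normalize(mail_from_domain)
    for rule in rules:
        if normalize(rule.smtp_domain) != mail_from_domain:
            continue
        if rule.verify_by == "rdns":
            candidates = resolver.ptr(source_ip)
        else:
            candidates = [helo_name] if helo_name else []
        for name in candidates:
            if (under_domain(name, rule.server_domain)
                    and forward_confirmed(name, source_ip, resolver)):
                return True
    return False


def disposition(spf_result, mail_from_domain, source_ip, helo_name, resolver):
    """Combine the SPF verdict with the exception; only FAIL is overridden."""
    if spf_result == "fail" and exception_applies(
            mail_from_domain, source_ip, helo_name, resolver):
        return "pass-by-exception"
    return spf_result


if __name__ == "__main__":
    r = StaticResolver()
    print(disposition("fail", "example.com", "198.51.100.10", None, r))
    print(disposition("fail", "example.com", "203.0.113.7", None, r))
```

The two checks that do the work are the label-boundary domain match (a plain string suffix test would accept the look-alike host) and the forward confirmation (a PTR record is controlled by whoever holds the connecting IP's reverse zone, so it proves nothing on its own). Scoping the rule to one MAIL FROM domain keeps the exception narrower than a provider-wide whitelist: a forward-confirmed provider host sending as an unrelated domain still fails SPF.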