IETF Logo Mail Archive

Re: [dmarc-ietf] Endless Loops with DKIM reports

Dave Crocker <dhc@dcrocker.net> Tue, 04 June 2019 13:46 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEE2412004E for <dmarc@ietfa.amsl.com>; Tue, 4 Jun 2019 06:46:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.401
X-Spam-Level:
X-Spam-Status: No, score=-2.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=dcrocker.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQyX4mB0xRBH for <dmarc@ietfa.amsl.com>; Tue, 4 Jun 2019 06:46:00 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 337A6120033 for <dmarc@ietf.org>; Tue, 4 Jun 2019 06:46:00 -0700 (PDT)
Received: from [172.16.22.211] (80-64-77-66.static.acetelecom.hu [80.64.77.66]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x54DdpX4016948 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 4 Jun 2019 06:39:57 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dcrocker.net; s=default; t=1559655600; bh=wSClbNImV++Au08YbW9kcra6HcRzoeAy9WAU0iHX+Gg=; h=Subject:To:Cc:References:From:Reply-To:Date:In-Reply-To:From; b=ZtDRvcoZLrMGGNKs947aOpsCbtA3EKNGpPgso0lmFCc5LrRCFSx7xJOJ/aYmgbwuc Ss3CWd676Qxr/r1u3eoimwkn0yVmgCY0xYR7zmefbnWGJvZrQuFvM99IXvJNfY7oVm BqsCtEuEPWERJPzn/mKIk/q0Wuz9AJhSZlyuUqNQ=
To: Vladimir Dubrovin <dubrovin@corp.mail.ru>, Дилян Палаузов <dilyan.palauzov@aegee.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <26D82EA6-8E39-4AED-BB9D-E2F53E7548C4@aegee.org> <adeaa778-5025-6fa2-0fe4-d10e2ea984c4@dcrocker.net> <eed31056-7f51-ee2a-5367-8fca5f6770aa@corp.mail.ru> <2a93577c-ee69-5edf-c347-dff46f568189@dcrocker.net> <90ae3a6d-f6bf-f079-2844-bb30245b3bbd@corp.mail.ru>
From: Dave Crocker <dhc@dcrocker.net>
Reply-To: dcrocker@bbiw.net
Message-ID: <29174612-a051-8066-9dde-2afaf181ca0e@dcrocker.net>
Date: Tue, 04 Jun 2019 15:37:44 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <90ae3a6d-f6bf-f079-2844-bb30245b3bbd@corp.mail.ru>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/8IKCeMaoK93h5X2NFYfiTUHf3Mc>
Subject: Re: [dmarc-ietf] Endless Loops with DKIM reports
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 Jun 2019 13:46:02 -0000

>> My comment was meant about the DMARC report being sent without a 
>> return (envelope from) address, the same as is already true for other 
>> email infrastructure control messages.
> 
> DMARC reports are triggered based on the domain in RFC5322.From address 
> and are sent to DMARC reporting address from DMARC record for 
> RFC5322.From address. If one DMARC reports triggers another DMARC 
> reports, the second report will be sent to DMARC reporting address, not 
> to return-path.

That's an issue only if the report is sent from an address that has a 
DMARC record.  Which might be a good reason NOT to send from such an 
address.

The high-level point I'm trying to make is that control messages -- such 
as DMARC reports -- need to be handled in a fashion that works 
automatically and at scale.  Since looping is a well-known problem for 
such messages, they need to be generated and handled in a way that 
prevents the problem.


>>> in this case SPF is checked against HELO and, in practice, many seders
>>> do not have SPF configured for HELO name and SPF failure can trigger a
>>> report.
>>
>> I don't understand how the HELO domain name is relevant to this 
>> discussion, since it isn't a full email address.
> 
> 
> DMARC reporting can report and SPF or SPF alignment failure (RFC 7598 
> sections 4.2, 6.3) . According to section 2.4 of RFC 7208 (SPF)

Yes, but how is that relevant to the problem of DMARC report looping? 
It's merely one of the causes of a DMARC failure, but sources of failure 
isn't the issue with respect to report looping.


d/

-- 
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

v2.23.0 | Report a Bug | By Email