Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
Hector Santos <hsantos@isdg.net> Tue, 11 June 2019 18:50 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7867912009C for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 11:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: YES
X-Spam-Score: 11.949
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=10, URIBL_CSS=0.1, URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=knLK0o5b; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=juNMR9HT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id In0TPIY4fkcB for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 11:50:30 -0700 (PDT)
Received: from mail.winserver.com (listserv.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 253A61200B8 for <dmarc@ietf.org>; Tue, 11 Jun 2019 11:50:28 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4894; t=1560279019; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=hAueQuD3QXLi/6RoQN96R2B3EGw=; b=knLK0o5bdUNXPueLQBbmRQVdyGPL5J0Ca0+nuESjslh2y10mpsMPAyiIp1lHfl uVoACDeldD0j8ygnxOfd/QYWBwJNta59C3Op3m6M7uxKPWzMyB+RjLjriS++bgEz Y55c9CtVA7Nn/NMPMNI5LL9z7R5yittIB8zXgqIqjGDtk=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 11 Jun 2019 14:50:19 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 1071459078.1.4760; Tue, 11 Jun 2019 14:50:19 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4894; t=1560278819; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=40OHBcE ABcJzJRTfDm6h4wFjT+pp1QO80reoMTKiqC8=; b=juNMR9HTG3OtA2/jOLNQLNS mE8OiD1aAFuMiNWzBP/2TMtBTGSWHM5inLpdqKguKdZDRmRxLbJB7mAfu1xtccRK LgpGjETsHb+MaVicy4XoOPRl3j0Xa4vZOYgxvsN2W9ky4YlkBiHvVuJvySJpLleO F2XjHCwoK2ASMFVbH2us=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 11 Jun 2019 14:46:59 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 2643674941.9.213752; Tue, 11 Jun 2019 14:46:59 -0400
Message-ID: <5CFFF7A5.6050204@isdg.net>
Date: Tue, 11 Jun 2019 14:49:09 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <20190603142956.66B31120252@ietfa.amsl.com> <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net> <941abdbf28684283b972f69f25876220@bayviewphysicians.com> <5524dbb3-27ff-4aa8-aaf0-fc3a3fc23418@dcrocker.net> <1df2cc6b-c169-59ca-08f6-dadc06a702c6@tana.it> <1e096404-6b00-8896-0b79-841c243cacec@dcrocker.net> <7f8692bb-6b80-455e-f030-731f3ae36b58@tana.it> <b290ef43f3f0a27b136189966693528b4b7ef333.camel@aegee.org>
In-Reply-To: <b290ef43f3f0a27b136189966693528b4b7ef333.camel@aegee.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9IT6zWiSrekH8SS4gSPK3pPripc>
Subject: Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2019 18:50:33 -0000
On 6/11/2019 1:01 PM, Дилян Палаузов wrote: > Hello Alessandro, > >> I'd propose bullets like the following for Section 12.4: >> o The authentication status of the message should be visible. >> > > For DMARC policy reject, the failed status will not be visible in the MUA, because the mail will not reach the > recipient. Likewise for the policy quarantine, because this policy means “do not deliver” (and do not reject, but do > something different). Like move to "spam/junk box" which potentially exposes the failed transaction to the user's eyeballs. > So if the DMARC evaluation status for policies Quarantine or Reject is shown, it will be PASS. I agree with you, a reject policy should not expose the user to the message at any level and if followed by the hosting server, the MUA will never see a FAIL but a PASS status. However, there is also a school of thought where the written "rejection" semantics was not to be taken literally because in their opinion, no big guy rejects mail. It was proven incorrect, but the philosophy is such in always letting the user decide, which means, all suspect mail goes into a "spam box." This is part of the local policy concept how a receiver hands this at the system wide level and/or per user level. SPF had a similar problem too especially now when it is combined with DMARC. SPF -ALL Hard Policies allows for instant rejection before the DATA (payload) is transferred. For DKIM, the DATA is needed in order to do DKIM processing. If no DATA, no DKIM, therefore no DKIM POLICY concept can be processed. However, for the sake of DMARC, some believe SPF -ALL should not reject before DMARC can be processed. So if the DMARC policy is p=none and SPF policy is -ALL, this is, imo, a conflict in protocol design unless DMARC has it explicitly stated that it policies overrides SPF. I don't think it does but I believe there is new breed and school of thought among DMARC administration that believe that is the case. DMARC is always processed which means it is already received and SPF never rejects until DMARC is known. Back when SPF and SenderID were "invented," SenderID was a Payload version of SPF. So it basically did the same thing as SPF but it required the DATA because it wanted to get the SPF policy by extracting the 5322.From address called the PRA "Purported Responsible Address." See https://tools.ietf.org/html/rfc4407 In general, the PRA domain will equal the Return Path Domain for private 1 to 1 mail, but differ for list mail. This is what we have today with DKIM and List Messages causing all the issues we are having -- why we are still here 13+ years later. With PRA, the SMTP client can sent the Author's address as part of the MAIL FROM command. See https://tools.ietf.org/html/rfc4405 It used the ESMTP key word SUBMITTER: C: MAIL FROM:<return-path> SUBMITTER=pra If your receiver supported this ESMTP extension, you will definitely have some clients use it. An example in today's log: C: MAIL FROM:<xxxxxxxxxxxxxxxx@mail.aeropency.us> SUBMITTER=curehemorrhoid@aeropency.us So what the client is saying, you can use the return-path domain "mail.areopency.us" for SPF lookup and/or the submitter domain "aeropency.us" for SenderID lookups. The PRA protocol served as an optimization because you could avoid receiving the payload data if the SPF policy failed. But you can also use the PRA domain to look up too if the SPF record did not exist. You would not need to get the DATA just to read the From: address. In my opinion, this is what is needed now with DMARC. An SMTP receiver having the "Author domain" passed via the MAIL FROM would do a lot for optimization. You can see if there a DMARC policy at the SMTP level and go from there. We are always comparing to two anyway. More can done to reduce major overhead by using filters at SMTP before DATA is transferred. SenderID and SUBMITTER was recently marked as historic. I have proposed the idea to use SUBMITTER keyword to leverage the existing implementation for DMARC purposes. > For policy None, I doubt that showing the authentication status has added value. There is also DKIM verification which can VALID or INVALID where INVALID can be promoted to NONE (view invalid as no signature). That can have value. POLICY is just how failure should be handled. So a MUA seeing status: DKIM=FAIL, POLICY=NONE can tell the user not to trust the message over just seeing the promoted label. DKIM=NONE, POLICY=NONE I say "promoted" because the concept took something clearly invalid to appear as it never existed, which logically is a "better" unknown position to be in. Anyway, I agree with you, I would not want to pass failed messages with a domain policy p=reject|quarantine getting to user's eyeballs. -- HLS
- [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Seth Blank
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication John R. Levine
- Re: [dmarc-ietf] Mandatory Sender Authentication Hector Santos
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Dotzero
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- [dmarc-ietf] Display address, was Mandatory Sende… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Дилян Палаузов
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Stan Kalisch
- Re: [dmarc-ietf] Display address, was Mandatory S… Dotzero
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Kurt Andersen (b)
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely