IETF Logo Mail Archive

Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication

Hector Santos <hsantos@isdg.net> Tue, 11 June 2019 18:50 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7867912009C for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 11:50:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: YES
X-Spam-Score: 11.949
X-Spam-Level: ***********
X-Spam-Status: Yes, score=11.949 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_ABUSE_SURBL=1.25, URIBL_BLACK=10, URIBL_CSS=0.1, URIBL_CSS_A=0.1, URIBL_DBL_SPAM=2.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=knLK0o5b; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=juNMR9HT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id In0TPIY4fkcB for <dmarc@ietfa.amsl.com>; Tue, 11 Jun 2019 11:50:30 -0700 (PDT)
Received: from mail.winserver.com (listserv.winserver.com [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id 253A61200B8 for <dmarc@ietf.org>; Tue, 11 Jun 2019 11:50:28 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4894; t=1560279019; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=hAueQuD3QXLi/6RoQN96R2B3EGw=; b=knLK0o5bdUNXPueLQBbmRQVdyGPL5J0Ca0+nuESjslh2y10mpsMPAyiIp1lHfl uVoACDeldD0j8ygnxOfd/QYWBwJNta59C3Op3m6M7uxKPWzMyB+RjLjriS++bgEz Y55c9CtVA7Nn/NMPMNI5LL9z7R5yittIB8zXgqIqjGDtk=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 11 Jun 2019 14:50:19 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 1071459078.1.4760; Tue, 11 Jun 2019 14:50:19 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4894; t=1560278819; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=40OHBcE ABcJzJRTfDm6h4wFjT+pp1QO80reoMTKiqC8=; b=juNMR9HTG3OtA2/jOLNQLNS mE8OiD1aAFuMiNWzBP/2TMtBTGSWHM5inLpdqKguKdZDRmRxLbJB7mAfu1xtccRK LgpGjETsHb+MaVicy4XoOPRl3j0Xa4vZOYgxvsN2W9ky4YlkBiHvVuJvySJpLleO F2XjHCwoK2ASMFVbH2us=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.8) for dmarc@ietf.org; Tue, 11 Jun 2019 14:46:59 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.8) with ESMTP id 2643674941.9.213752; Tue, 11 Jun 2019 14:46:59 -0400
Message-ID: <5CFFF7A5.6050204@isdg.net>
Date: Tue, 11 Jun 2019 14:49:09 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <20190603142956.66B31120252@ietfa.amsl.com> <45cdc0da-5243-3a62-b217-8d5e4ea9ea11@dcrocker.net> <941abdbf28684283b972f69f25876220@bayviewphysicians.com> <5524dbb3-27ff-4aa8-aaf0-fc3a3fc23418@dcrocker.net> <1df2cc6b-c169-59ca-08f6-dadc06a702c6@tana.it> <1e096404-6b00-8896-0b79-841c243cacec@dcrocker.net> <7f8692bb-6b80-455e-f030-731f3ae36b58@tana.it> <b290ef43f3f0a27b136189966693528b4b7ef333.camel@aegee.org>
In-Reply-To: <b290ef43f3f0a27b136189966693528b4b7ef333.camel@aegee.org>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9IT6zWiSrekH8SS4gSPK3pPripc>
Subject: Re: [dmarc-ietf] Display address, was Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2019 18:50:33 -0000

On 6/11/2019 1:01 PM, Дилян Палаузов wrote:
> Hello Alessandro,
>
>> I'd propose bullets like the following for Section 12.4:
>>      o  The authentication status of the message should be visible.
>>
>
> For DMARC policy reject, the failed status will not be visible in the MUA, because the mail will not reach the
> recipient.  Likewise for the policy quarantine, because this policy means “do not deliver” (and do not reject, but do
> something different).

Like move to "spam/junk box" which potentially exposes the failed 
transaction to the user's eyeballs.

> So if the DMARC evaluation status for policies Quarantine or Reject is shown, it will be PASS.

I agree with you, a reject policy should not expose the user to the 
message at any level and if followed by the hosting server, the MUA 
will never see a FAIL but a PASS status.

However, there is also a school of thought where the written 
"rejection" semantics was not to be taken literally because in their 
opinion, no big guy rejects mail.  It was proven incorrect, but the 
philosophy is such in always letting the user decide, which means, all 
suspect mail goes into a "spam box."   This is part of the local 
policy concept how a receiver hands this at the system wide level 
and/or per user level.

SPF had a similar problem too especially now when it is combined with 
DMARC.

SPF -ALL Hard Policies allows for instant rejection before the DATA 
(payload) is transferred.  For DKIM, the DATA is needed in order to do 
DKIM processing.  If no DATA, no DKIM, therefore no DKIM POLICY 
concept can be processed.

However, for the sake of DMARC, some believe SPF -ALL should not 
reject before DMARC can be processed.  So if the DMARC policy is 
p=none and SPF policy is -ALL, this is, imo, a conflict in protocol 
design unless DMARC has it explicitly stated that it policies 
overrides SPF.  I don't think it does but I believe there is new breed 
and school of thought among DMARC administration that believe that is 
the case.  DMARC is always processed which means it is already 
received and SPF never rejects until DMARC is known.

Back when SPF and SenderID were "invented,"  SenderID was a Payload 
version of SPF.  So it basically did the same thing as SPF but it 
required the DATA because it wanted to get the SPF policy by 
extracting the 5322.From address called the PRA  "Purported 
Responsible Address."  See https://tools.ietf.org/html/rfc4407

In general, the PRA domain will equal the Return Path Domain for 
private 1 to 1 mail, but differ for list mail.  This is what we have 
today with DKIM and List Messages causing all the issues we are having 
-- why we are still here 13+ years later.

With PRA,  the SMTP client can sent the Author's address as part of 
the MAIL FROM command.  See https://tools.ietf.org/html/rfc4405   It 
used the ESMTP key word SUBMITTER:

   C: MAIL FROM:<return-path> SUBMITTER=pra

If your receiver supported this ESMTP extension, you will definitely 
have some clients use it. An example in today's log:

   C: MAIL FROM:<xxxxxxxxxxxxxxxx@mail.aeropency.us> 
SUBMITTER=curehemorrhoid@aeropency.us

So what the client is saying, you can use the return-path domain 
"mail.areopency.us" for SPF lookup and/or the submitter domain 
"aeropency.us" for SenderID lookups.

The PRA protocol served as an optimization because you could avoid 
receiving the payload data if the SPF policy failed. But you can also 
use the PRA domain to look up too if the SPF record did not exist. You 
would not need to get the DATA just to read the From: address.

In my opinion, this is what is needed now with DMARC.

An SMTP receiver having the "Author domain" passed via the MAIL FROM 
would do a lot for optimization.  You can see if there a DMARC policy 
at the SMTP level and go from there. We are always comparing to two 
anyway. More can done to reduce major overhead by using filters at 
SMTP before DATA is transferred.

SenderID and SUBMITTER was recently marked as historic. I have 
proposed the idea to use SUBMITTER keyword to leverage the existing 
implementation for DMARC purposes.

> For policy None, I doubt that showing the authentication status has added value.

There is also DKIM verification which can VALID or INVALID where 
INVALID can be promoted to NONE (view invalid as no signature).  That 
can have value.  POLICY is just how failure should be handled. So a 
MUA seeing status:

    DKIM=FAIL, POLICY=NONE

can tell the user not to trust the message over just seeing the 
promoted label.

    DKIM=NONE, POLICY=NONE

I say "promoted" because the concept took something clearly invalid to 
appear as it never existed, which logically is a "better" unknown 
position to be in.

Anyway, I agree with you, I would not want to pass failed messages 
with a domain policy p=reject|quarantine getting to user's eyeballs.

-- 
HLS

v2.23.0 | Report a Bug | By Email