IETF Logo Mail Archive

Re: [dmarc-ietf] Overall last-call comments on DMARC

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 04 April 2024 20:30 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C449C151082 for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 13:30:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TLw6B-747glC for <dmarc@ietfa.amsl.com>; Thu, 4 Apr 2024 13:30:19 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 13A2BC14F721 for <dmarc@ietf.org>; Thu, 4 Apr 2024 13:30:19 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id 38308e7fff4ca-2d4a8bddc21so18832841fa.0 for <dmarc@ietf.org>; Thu, 04 Apr 2024 13:30:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712262616; x=1712867416; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=gWDG+IigfKXXKtjjWIzBhX0bPHGpSEHwzQHgrtv6ryQ=; b=NzIiiSTZZ5m2rguyA2HfxDejqH4jg7hESFLu9tYno0yqIaP27Jy/RiumCxlXdGN5R5 WKXNZRWscyJA5Oi62/vBp4oXltg9qpLZ7KYLpDoRDlAnKWxoax0yw5dotHBJ31yWsjBF ZxHlN/br4nmrThpBmagLsGNImB4KtflnYcm0LF9G7zHCjLXvjy/JwQJRl0MB6YhTLOoQ 3jcnQNGbRP/oy76X74W2aiy/cCcJsMCAl30g63hGwYqpT7A83X9SY2+33AiqBG+ryDQY 8LCJJp23Kqpj2IOPZkJN5eXe3ejPGRTXD2I4cNFaI6TPI27PTebErhqvXtwEj66gvRiD 4T0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712262616; x=1712867416; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=gWDG+IigfKXXKtjjWIzBhX0bPHGpSEHwzQHgrtv6ryQ=; b=wxzGEqAVSvhUQAb12xHMsInMD0J8cQNM0/eyQkJAgDPpiZ+K+HWaWPlx6IgL4vNhJs QDkgY0/SuTs1f9pEMuwFxssRsqzKd+WjwL/k7nsi2BtkDyO2Q8UlCXrmWCCbBFmgYa7k l9f6yehzJIgg1SHJBpLnPD2ZmSZj2X9BnVdLfZHHPV3R4+ca8ScIBpKiEM8VKOfrY7f4 giVlnehMn3vKHIWKh3+Gu0vASWXcMstgiw9w01k6h3gHcHkxOyMYaAcoL0bHZ8sUnrqu j3cBibowqYzTinQqxeTgM87XhcGHNadLCkmzDBMEZnmlEj4QFXTRLZWyf/iIG5RyT3wS kVEA==
X-Gm-Message-State: AOJu0Yw7KKeE2qNxXZ9lFVjiAu+xOhujKyP4tmMw03ILiQ6OZAks4cMV VCemFes2BISMmlDLyRWisZDFteDRZnOqocncTEjYL9KWXi7gmNULGqEqU52VAzON/aBDjTk/tTE gNcvm+YIAQLEppkNMrO5UruvDq6IubUrm
X-Google-Smtp-Source: AGHT+IFn33Qmf8yZxSxvQ9wwYYWfX9ltFpI+La8edNieq3bjHeIAtMpyd1Dy0hgcr4siQTq7FJcmlvWZtQ9IcN1IZhw=
X-Received: by 2002:a2e:910e:0:b0:2d8:23b4:9067 with SMTP id m14-20020a2e910e000000b002d823b49067mr2398178ljg.39.1712262615828; Thu, 04 Apr 2024 13:30:15 -0700 (PDT)
MIME-Version: 1.0
References: <CFEA2796-9213-4847-836B-81E8770973F5@bluepopcorn.net> <5208da1b-ecfb-4d41-8506-a734a27ab3a0@tana.it> <CAL0qLwbnSe77Wdt+M8bi2pBmZFCZjDUQc6je9bjCzP5TQ0N6XA@mail.gmail.com> <49859572-18a4-483b-bb99-62c1c231896e@tana.it> <CAL0qLwZc6idmMra11pVx2bbtk2Em9-vy6+962M7jDWOMnP+UHQ@mail.gmail.com> <1ee6df39-a622-4060-83db-bcc9a7a835d4@tana.it> <CAL0qLwYX_D7S_-Vn9RwwRzwyNO=8=3UVqbP8rz3SCWG4dvGZig@mail.gmail.com> <f5f55a39-127d-4a84-a66b-950379ecb013@tana.it> <CAL0qLwZzfnDA=7bwCu26S1SJPEE3hBq929674hH6naKXWuyh5g@mail.gmail.com> <ebf343ed-ee60-47b0-a02f-8518a8369bb0@tana.it> <CAL0qLwagtzjYYJmyyGpMeMTtKLtYyk_JjagkXGtscvN61kSDbw@mail.gmail.com> <CAH48ZfyKE6n2Q_GfW8oZv9y=MxOBV8sRPPMPV8akHdu6W_jn1A@mail.gmail.com> <CAL0qLwbt7A-9dUGphs5KLUhygYEd+4aY4Jr10efKpHZXAqMfmA@mail.gmail.com> <CAJ4XoYc5HYHE0EGhFw9jef3JXPQ5HKdUoZf8RD+YqzepHsWFmA@mail.gmail.com> <CAL0qLwbUzscPbk1mGj-c9fPYtMu+0VmMOm1KR4sGOrY6xapCCA@mail.gmail.com> <80DC41F0-7AF9-4C08-9374-37626FCA2BB3@bluepopcorn.net>
In-Reply-To: <80DC41F0-7AF9-4C08-9374-37626FCA2BB3@bluepopcorn.net>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 04 Apr 2024 16:30:05 -0400
Message-ID: <CAH48Zfyyed_FLTh5Lz2TomA8ed0aykXreocGHDjcOdADYm2PHQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fa8f9406154b3452"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9Tg686tcBmWK0Fd6-n2nCG8sfzo>
Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Apr 2024 20:30:23 -0000

Sender reputation is in use everywhere.  What is lacking is an omniscient
data source, but I have no hope of finding one.   Small senders will always
be at a disadvantage because sender reputation is entirely based on past
experience, and smaller senders have less experience to draw upon.   ARC
does not change that dynamic.

Forwarding creates two problems:   (1) knowing that a forwarding operation
occurred, and (2) knowing how I would have dispositioned the message if the
forwarding operation had not occurred.  ARC helps with both of these.
 Forwarding tends to hide or discard data, and ARC offsets that data loss.

One step in ARC evaluation is determining whether the data provided is
sufficient and internally consistent with the rest of the header set.   To
be fully sufficient, I want to know Mail From address, Helo name, Source
IP, and From address at the moment represented by the ARC Set.  Without all
of this, the ARC set is probably not actionable.

With complete data, the ARC set can be matched to a Received header, to
check for data consistency.   For example, I don't trust a Microsoft ARC
set that asserts DKIM Pass for a signature that does not exist.   The
complete data set also allows me to evaluate how I would have dispositioned
the message if it had been received directly, based on the reputations of
the prior server, Mail From domain, and From address.

Exactly two points of trust come into this process:   (a) deciding whether
to trust DMARC Pass on a signature that no longer validates, and (b)
whether to accept that the internally-consistent data is not a very
sophisticated internally-consistent ruse.   In the event that I make an
incorrect "Allow" decision based on a fraudulent ARC Set, I have to hope
that my content filtering will detect and block the attack.   But this is
nothing new.  On a daily basis, I have well-authenticated messages that are
malicious and have to be blocked by content filtering.

So, I will accept some ARC data, ignore some ARC data, and maybe even block
based on some suspicious-looking ARC data.   I can only do that if I have
the data available to use.

Doug Foster




On Thu, Apr 4, 2024 at 3:55 PM Jim Fenton <fenton@bluepopcorn.net> wrote:

> On 4 Apr 2024, at 12:08, Murray S. Kucherawy wrote:
>
> > On Thu, Apr 4, 2024 at 12:02 PM Dotzero <dotzero@gmail.com> wrote:
> >
> >>
> >>
> >>>
> >>> My overall point is that this thread makes it seem like we're not
> putting
> >>> forward a complete solution.  It feels a lot more like a proposed
> standard
> >>> that for its clear success depends on a bunch of other things that
> range
> >>> from experimental to abstract to undefined.  And if that's a correct
> >>> summary, I'm asking if that's what we really want to do.  It seems a
> little
> >>> haphazard, like we're scrambling to tie together the loose ends of a
> movie
> >>> plot.  We need to do a good job of bringing our audience to as solid a
> >>> conclusion as possible, or the critics' reviews might not come out
> well.
> >>>
> >>
> >> My response to your statement "... this thread makes it seem like we're
> >> not putting forward a complete solution." is a complete solution to
> what?
> >> It seems like people are trying to throw in everything but the kitchen
> >> sink, including new proposals and rehashing old issues that were
> supposedly
> >> settled, as we go through last call.
> >>
> >
> > Yes, that's part of what I'm observing.  It's possibly a form of scope
> > creep, and indeed "We should stop that" is one valid response.  :-)
>
> I don’t think it’s scope creep at all. The WG charter puts “Review and
> refinement of the DMARC specification” in phase III, after “Specification
> of DMARC improvements to support indirect mail flows”. It seems clear to me
> that standards-track DMARC needs to incorporate those improvements.
>
> IESG accepted ARC as an improvement to support indirect mail flows, and I
> think a complete solution needs to incorporate that. I wish there were
> better data to support advancing ARC to standards track, and not just from
> Google (it has to work for smaller players as well).
>
> But I am troubled by the possibility that ARC might require domain
> reputation to avoid ARC header fields supporting From address spoofing. One
> reason it might work for Google is because they’re big enough to derive
> their own domain reputation. We’ve not had success with domain reputation
> at internet scale.
>
> -Jim
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email