IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Alessandro Vesely <vesely@tana.it> Mon, 24 October 2022 09:48 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9A05C14F74C for <dmarc@ietfa.amsl.com>; Mon, 24 Oct 2022 02:48:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=aVPOXoyj; dkim=pass (1152-bit key) header.d=tana.it header.b=CQKB26XY
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FajyO3V5QWxD for <dmarc@ietfa.amsl.com>; Mon, 24 Oct 2022 02:48:06 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74D01C14F720 for <dmarc@ietf.org>; Mon, 24 Oct 2022 02:48:03 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1666604876; bh=q3UgDq1Aj9uCOmOEglB+vcc1GqkWuj4oPmoNoJFvadY=; h=Author:Date:Subject:To:Cc:References:From:In-Reply-To; b=aVPOXoyjGRw4vfTGl3pEnQqTeKvAQ0iKqgqC3kKbb11Ka0adMXh0aoU+hjcxyEljY dQ+CPna/6EAiXV04xlQDA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1666604876; bh=q3UgDq1Aj9uCOmOEglB+vcc1GqkWuj4oPmoNoJFvadY=; h=Date:Subject:To:Cc:References:From:In-Reply-To; b=CQKB26XYqM9KRbGx/8WvcnlCAz7OCSNoy8VZG+67FeQz6p5uW9QF0hF+AtacNx1Gs snbnuOOeFzxyjPhUq4WPGNVMp8shuIZgLf/EAlY6sAKlX1xkcZ2twATooECO0M885G 0syDZ2QlR6LynVdWM+PeJ/oS+JbxyXVAf1iVo9jYPsu8p180VFvAvw49npyiz
Original-Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
Author: Alessandro Vesely <vesely@tana.it>
Original-Cc: dmarc@ietf.org
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0D8.0000000063565F4C.000059D8; Mon, 24 Oct 2022 11:47:56 +0200
Message-ID: <bcdac862-95d3-94b3-9876-1a7b62a231e6@tana.it>
Date: Mon, 24 Oct 2022 11:47:56 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.0
Content-Language: en-US
To: Dotzero <dotzero@gmail.com>
Cc: dmarc@ietf.org
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com> <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com> <CAH48ZfxHzEHRGW-Omkj_HotO6kSdUByxhJstQTWn5hpOapYaRQ@mail.gmail.com> <CAJ4XoYe+s7BmFcvtNPaWu1i4kv_j=CtqA1DbkusfGk9s4rDYeA@mail.gmail.com> <560ccd88-2217-9e47-f690-6bc413c67ffa@tana.it> <CAJ4XoYdbPzf5ib6TX1s4tASANUj0FdrHb1uuJy52KdQayj8y3Q@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAJ4XoYdbPzf5ib6TX1s4tASANUj0FdrHb1uuJy52KdQayj8y3Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9ZRtyWvbGBpIr5BTcXTVBEB00vs>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Oct 2022 09:48:12 -0000

On Sun 23/Oct/2022 14:16:30 +0200 Dotzero wrote:
> On Sun, Oct 23, 2022 at 6:29 AM Alessandro Vesely <vesely@tana.it> wrote:
>> On Sat 22/Oct/2022 18:25:55 +0200 Dotzero wrote:
>>> Unaligned signatures are orthogonal/irrelevant to DMARC. They may be useful in
>>> other contexts. In the DKIM standard, signatures mean that the signer is 
>>> asserting some (unspecified) responsibility for the signed message. That may be
>>> useful for some reputation systems.
>>
>> Somewhat skewed w.r.t. orthogonality, actually.  Indirect flows are 
>> explicitly mentioned in the I-D as a reason to override DMARC dispositions:
> 
> DMARC only gives a pass if either SPF or DKIM passes. Unaligned DKIM 
> signatures will NEVER give a DMARC pass.


How about dmarc=redeemed?


>>     There MAY be an element for reason, meant to include any notes the
>>     reporter might want to include as to why the disposition policy does
>>     not match the policy_published, such as a Local Policy override
>>     (possible values listed in Appendix A).
> 
> Local Policy is just that. When a Receiver invokes Local Policy it is 
> saying "I don't care what DMARC says, I'm choosing to ignore DMARC Policy 
> and do something else".


It is a local decision to trust an ARC seal or an unaligned signature, 
depending on the signing domains.  Yet, the decision can be made by the same 
filter which looked up the From: domain policy.


>> ARC too is a kind of unaligned signature, albeit with a bunch of 
>> additions. The extra information it carries, designed to bestow enough 
>> trust in the chain of custody to outweigh the self-referential reliance of 
>> aligned From:, doesn't substantially change the semantic of DKIM 
>> signatures.  And we should say how to report it, sooner or later.
> > ARC != DMARC. It is a separate RFC that gives participants an alternative
> means of evaluating mail flows when DKIM signatures are broken. Nothing 
> more and nothing less.


Conflicting protocols?  ARC was devised by the DMARC WG, during the phase of 
"improving the identification of legitimate sources that do not currently 
conform to DMARC requirements."  So, yes, on the one hand, since unaligned 
signatures don't conform to DMARC requirements, they're not DMARC.  On the 
other hand, as a fusion of deterministic authentication techniques and domain 
policies, DMARC is intrinsically extensible.  For aggregate reporting in 
particular, we explicitly provide for extensions.


>> I'm not proposing to mandate the evaluation of any evaluable item. 
>> However, I'd neither discourage it.  Perhaps technology will provide us 
>> with ecological sources of energy.
>
> There is nothing wrong with using whatever data points you have available. 
> That doesn't necessarily mean that such evaluations and choices are DMARC.


If ARC were a separate thing, it'd make no sense to include its data in DMARC 
aggregate reports.

I think what we could do is to identify some criteria that a report generator 
may follow, such as doing everything, reporting up to X signatures, or doing 
SPF only.  Such meta data could be useful to report consumers, along with the 
generator's software/version.


Best
Ale
--

v2.23.0 | Report a Bug | By Email