Re: [dmarc-ietf] A policy for direct mail flows only, was ARC questions

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Wed, 25 November 2020 12:57 UTC

To: Alessandro Vesely <vesely@tana.it>, dmarc-ietf <dmarc@ietf.org>
Date: Wed, 25 Nov 2020 07:57:38 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9_2h21ou0Lp9aXpFrlUC0257Pxw>

Indirect mail flows are difficult to detect. SMTP address rewrite is already common practice for forwarding.

More to the point, John's interest is finding ways to increase the trust level for forwarded mail, while your idea says that direct mail is more trusted than indirect mail, which is the problem he is trying to overcome.

We need to be able to evaluate indirect mail based on both the submitter MTA and the originator MTA. ARC gets us started in that direction. I think more filtering data is needed and am working on a proposal to that effect.

Doug

-------- Original message --------
From: Alessandro Vesely <vesely@tana.it>
Date: 11/25/20  6:28 AM  (GMT-05:00)
To: dmarc-ietf <dmarc@ietf.org>
Subject: [dmarc-ietf] A policy for direct mail flows only, was ARC questions

On Mon 23/Nov/2020 22:27:41 +0100 John Levine wrote:
> ARC deals with the problem that most list software forwards everything
> with a subscriber's address on the From: line and does a lousy job of
> spam filtering. The question is if the entity sending the message to
> the list was who it purported to be. 
> 
> For example, if a message from a list fails DMARC alignment, but ARC
> says it was aligned on the way in, it's likely a real message from a
> subscriber. If it was unaligned on the way in, it's likely spam.


I publish p=none in order to avoid spurious rejections due to casual message 
modifications that happen in transit.  However, I'm quite confident that SPF or 
DKIM verify, since users submit messages through the right mail server.

Couldn't I address direct flows only?  Doing so would prevent a casual spammer 
from abusing mailing lists I'm subscribed to by simply faking From:.

A direct flow is one where SPF credentials (helo name or return address) are 
aligned with From:.  That includes some simple forwarding, but not mailing list 
traffic.  Direct policy could be expressed as dp=.  Authenticate as usual, 
either SPF or DKIM.  On failure, discard only if direct flow.  For example:
   v=DMARC1; p=none; dp=reject;

Makes sense?

Best
Ale
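The evaluation described in the quoted proposal (authenticate as usual, and apply `dp=` only when a failing message is a direct flow), sketched as an added example that is not part of the original thread. `dp=` is the tag proposed in the message, not a standard DMARC tag; the `Message` fields, the function names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added illustration of the proposed (non-standard) "dp=" tag; not real DMARC.
from dataclasses import dataclass

def parse_record(txt):
    """Parse 'v=DMARC1; p=none; dp=reject;' into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Assumption: the last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(a, b):
    return bool(a) and bool(b) and org_domain(a) == org_domain(b)

@dataclass
class Message:                     # constructed view of what a receiver knows
    from_domain: str               # domain of the From: header
    helo: str                      # HELO/EHLO name
    mailfrom_domain: str           # return-address domain ("" for bounces)
    spf_pass: bool                 # SPF result for the envelope identity
    dkim_pass_domains: tuple = ()  # d= values of signatures that verified

def is_direct(msg):
    """Direct flow per the proposal: helo name or return address aligned with From:."""
    return (aligned(msg.helo, msg.from_domain)
            or aligned(msg.mailfrom_domain, msg.from_domain))

def disposition(record_txt, msg):
    tags = parse_record(record_txt)
    spf_identity = msg.mailfrom_domain or msg.helo
    spf_ok = msg.spf_pass and aligned(spf_identity, msg.from_domain)
    dkim_ok = any(aligned(d, msg.from_domain) for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass"
    # Authentication failed: dp= covers direct flows, p= covers everything else.
    if is_direct(msg) and "dp" in tags:
        return tags["dp"]
    return tags.get("p", "none")
```

Under this reading, a failing message whose envelope names a different domain (list traffic, or a sender that fakes only From:) is classified as indirect and falls back to `p=`.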