IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Alessandro Vesely <vesely@tana.it> Wed, 12 April 2023 09:45 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81AB4C13AE46 for <dmarc@ietfa.amsl.com>; Wed, 12 Apr 2023 02:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="9MMwg+px"; dkim=pass (1152-bit key) header.d=tana.it header.b="ABz9EoTR"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HztD3eRK1vkJ for <dmarc@ietfa.amsl.com>; Wed, 12 Apr 2023 02:45:16 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50AE0C13AE45 for <dmarc@ietf.org>; Wed, 12 Apr 2023 02:45:11 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1681292706; bh=GY17NrBbcY73FkZWALSa1fJ1qSj+dExD5/Xewo6IGRM=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=9MMwg+pxkgesTn/9nGbT08p0CWZMgm4CnnTnV+LgtSPkCGdRwWXoCJSm4u66xTIVO liYBmtfSRotxDOREoasDg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1681292706; bh=GY17NrBbcY73FkZWALSa1fJ1qSj+dExD5/Xewo6IGRM=; h=Date:Subject:To:References:From:In-Reply-To; b=ABz9EoTRkXQ5mPR+1zzCO64aFYVkB/LorU8sd+eJshPeb2RJmYgiwl9q0AgdVKR/V 7XCG3ibijpgC0ooI6QnvphHjU1ZCnqDgRb/ZIbRqP6v40rGqnuYA2qmUdhZhuiAMZj 8ozXIJqU2ygYzY03ikdkwYjOaKifi+NuUE/S1yWPyVJmniy1pBRNNZjXH+Ymw
Original-Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0D3.0000000064367DA2.00003E83; Wed, 12 Apr 2023 11:45:06 +0200
Message-ID: <def03c2f-25ec-d3f1-1ea5-678b16369f61@tana.it>
Date: Wed, 12 Apr 2023 11:45:04 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <13603D87-4FDE-4768-9712-E6DB0818C802@kitterman.com> <CALaySJLY-9O1Wauk50WMMobNs3cKUzmB+=np080nYCHEZa32UA@mail.gmail.com> <3129648.WqDQmVRvLn@localhost> <CAJ4XoYe3Z8=G8H6hQFuiMMwfZQt1JvLpK3bQmrtGCz=b-w=CJA@mail.gmail.com> <86E22FA6-759F-40F3-AEA3-119EE90F64A0@kitterman.com> <80086446-effa-7ee2-91c7-1f44449d92fb@tekmarc.com> <CAL0qLwaKO5A_OSjod00msw+8EALOUqYzeXb_aPjVhQ2R1wZKJg@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAL0qLwaKO5A_OSjod00msw+8EALOUqYzeXb_aPjVhQ2R1wZKJg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9xHQd9JG7cEjUBcCqCJx2-osuMs>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Apr 2023 09:45:23 -0000

On Sun 09/Apr/2023 09:50:46 +0200 Murray S. Kucherawy wrote:
> Mike Hammer asks, reasonably, whether an IETF standard containing a "MUST NOT" 
> that we know people will ignore calls into question the IETFs relevance or 
> legitimacy.  But I submit that the IETF issuing a standards track document 
> which fails to take the strongest possible stance against deploying DMARC in a 
> way that knowingly imposes substantial breakage, for any reason, is 
> irresponsible and is the greater threat to our legitimacy.  Keep in mind that 
> improper deployment of DMARC results in damage to innocent third parties: It's 
> not the sender or the MLM that's impacted, it's everyone else on the list.  
> It's breathtaking to me that we can feel comfortable shrugging this off under 
> the banner of "security" or "brand protection".


It is not clear whether the damage is caused by those who publish p=reject 
rather than by those who honor it.  For the protocol to work, both are needed.

History ratified that mailing lists are the refractory element.  At the time, 
John compiled a list of possible DMARC workarounds[*].  Out of inertia, From: 
rewriting emerged as the de-facto standard.  It works.  It's amendable, though; 
there are cooperative solutions for example.  And ARC.

Rather than considering how to better the coordination between senders and 
receivers, we disregard the mailing lists adaptation as undue.  Thus we're 
stuck at crossroads.  DMARC breaks mailing lists.  SPF breaks forwarding.

For a possible way forward, senders can coordinate with receivers by 
identifying mail streams, pivoting on users who subscribe to mailing lists or 
require forwarding for email address portability.  Just like the classic, 
one-sided whitelisting of specific email addresses, but using email authentication.

Can we stop longing for the 1980s?  Let's accept the damaged we caused.  It's 
been mended already.


Best
Ale
-- 

[*] https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail

v2.23.0 | Report a Bug | By Email