IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 29 March 2023 22:30 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07719C151539 for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 15:30:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jvrN9lwxSw7q for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 15:30:16 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A408C151546 for <dmarc@ietf.org>; Wed, 29 Mar 2023 15:30:16 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id br6so22122564lfb.11 for <dmarc@ietf.org>; Wed, 29 Mar 2023 15:30:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680129013; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=RJiUwuLAntGVJhOpVeJM4t/PdmRORk+Um2Iu+PKL0X0=; b=Gm36BHbbkFHcjGB8IBTgNNTsaUB1YmYJYCHS+968SINFXAkwCE72dQ3pf0m+x7hYgr 6jnhUNkIQLoxPmM30XO7iOEcWMKawTEKEOB8WesgfsDu9NFi7j2TzS6Di9miJiK0m6Uz 1KaV24d+v4UGQgrtoxJGh1CAjIV3YqOLhHg2bMFDoOILRLAluNmXHKWlv2hSF2R9KC7u 8qnROPb3oHp5yxWQdUTZsbzqriD/c6B1Xx2a6JGOKZOJ78xunAX3UJtDRFSTDyKiUeOl QJLz1dRGokXP2ZgwqDxUMynfyMj1D01tKCc0v9z/VAB1kMNXLSd6KGTlitOqxJAndR4A HDyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680129013; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=RJiUwuLAntGVJhOpVeJM4t/PdmRORk+Um2Iu+PKL0X0=; b=sTWXXFV46yu0/f4dojU1r54fZok+zy3XbR80uDfnIwhrr27gk19XgYhVVIKlZqOYFf ALsmxPmGV3Jb4UY8lF6y2ERMXHGunX1V6Gy8P6Cm5t0ScaCCA2MfcSFJBdOx+WdqizUl 8O8/8FvJyU0I59wetWEIMwYRWKpc3xltGWzJsaf3conwmkEIYIGjKDN9N5WlterkBnhf krW4ph0gVDuLbjdxVelOiB+UgbCtkjLB59/1KIccvoglD3pKW9/cCFMjzhf3JJTIzSIa IINGthvmFAP3Uz3/NAgA0fvthX3X6PJVsl1rsOaiyTwg3BjCWRs8CoFUyEwy4wtUQxJQ 4/6g==
X-Gm-Message-State: AAQBX9cOPL5aYSCP2FloGhw/B8YkeFfrm5bSkERehhao4Kj3EISE/gFy 8xCF/5FpAYsG67sniTZ0Fmauo9OD86B3z2khXNaPHGR8
X-Google-Smtp-Source: AKy350bx/r4hPEdTqKFIKc2kluCR7JJ0jVrD6y2a0UWVxThcWkgYWUhXirYCEcfVHkteAn0PexOgIICoGKBme2xZapw=
X-Received: by 2002:ac2:5291:0:b0:4dd:a025:d8c with SMTP id q17-20020ac25291000000b004dda0250d8cmr6095453lfm.5.1680129013492; Wed, 29 Mar 2023 15:30:13 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <6319292.vCqnBZbX7o@localhost> <CAHej_8nd1xyAgwASLJbuJHyXEAfHbjqxNH1XtJxKFyfyOneyug@mail.gmail.com> <13145172.pEV04Z3DvM@localhost> <CAHej_8msLJQ0vbZ2jzitjxrQ1wdim5bHJkiD-QrU5F0EJvQp0g@mail.gmail.com> <FCFEB95E-63F9-46C3-A5F4-FA6B02FA8EB5@episteme.net> <CAHej_8=GbmzyXaeEkyLkv6uKc0-owuMC6UspPNq9irT7nF8b7w@mail.gmail.com> <CALaySJLmRyyBLE7ZKy88XUS_hXr9M2uwc8jOCYBrBPeC+pCdCg@mail.gmail.com> <MN2PR11MB43519A6CD95E5C80AA1EC2CFF7899@MN2PR11MB4351.namprd11.prod.outlook.com> <13603D87-4FDE-4768-9712-E6DB0818C802@kitterman.com>
In-Reply-To: <13603D87-4FDE-4768-9712-E6DB0818C802@kitterman.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 29 Mar 2023 18:30:01 -0400
Message-ID: <CAH48ZfztW4OFm+ZMV=et7+uczj49dfbYT7i0w4LgU7pswuiEnw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000006ae2405f8118525"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/AgJJkrl-wiyQu9PYFN9O3MFZN6Q>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 22:30:21 -0000

There is no interoperability problem.
An evaluator  has an unlimited right to block any incoming message for any
reason.
Specifically, an evaluator has the right to block any message which he
determines to be insufficiently authenticated.

If a sender wants a message to be accepted, he carries the burden of
earning the evaluator's trust.   He has no right to have his message
delivered.

An intermediary does not have a right to alter a message in transit and
still have it treated as if it had not been modified.    Arguing that a
change is "innocuous" is not a viable argument.   Doing so would require a
before-and-after comparison (which is not available), and a
technical specification of "innocuous" (which does not exist.)

Interoperability only requires that the evaluator be given the opportunity
to evaluate the message, and to do so in a way that does not cause injury
to the submitting server.   It does not matter whether he blocks the sender
IP at his firewall, rejects the connection request at hello, rejects all
recipients on RCPT TO, rejects the message after DATA, or discards the
message after DATA.  As long as both parties implement RFC5321, we have
interoperability.

If an evaluator blocks a message that a user considers acceptable, that is
a management issue between the user and the administrator.  It happens all
the time, and it is resolved through normal support processes.

Doug Foster






On Wed, Mar 29, 2023 at 5:00 PM Scott Kitterman <sklist@kitterman.com>
wrote:

> Would you feel any better if the MUST NOT was followed by 'to preserve
> interoperability '?  That's implicitly there and I believe technically
> correct.  If you value other properties of the system higher than
> interoperability, then the advice may not apply, which is fine.
>
> Scott K
>
> On March 29, 2023 3:32:10 PM UTC, "Brotman, Alex" <Alex_Brotman=
> 40comcast.com@dmarc.ietf.org> wrote:
> >I’m just not sure how we determine what is high-value.
> >
> >comcast.com: p=reject
> >comcast.net: p=none
> >xfinity.com: p=quarantine
> >
> >The top one is corporate, middle is consumer, bottom is consumer (but not
> actually used) & customer comms (sub-domains).  They’re all used in various
> ways for internal messaging.  Should I tell our corporate admins that they
> need to no longer publish p=reject?  They’re violating the RFC by doing
> so?  There are very few consumer-oriented messages that originate from
> comcast.com.  Are we doing it right?  It makes things a little harder
> when one of our employees wants to use a mailing list.  But that still
> feels like the right thing to do.
> >
> >If it’s not obvious, I’m having a hard time with “MUST NOT”, and
> dictating to domain owners what is in their best interests, regardless of
> our perceived value of their domain.
> >
> >--
> >Alex Brotman
> >Sr. Engineer, Anti-Abuse & Messaging Policy
> >Comcast
> >
> >From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Barry Leiba
> >Sent: Wednesday, March 29, 2023 10:15 AM
> >To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
> >Cc: dmarc@ietf.org
> >Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail
> flows
> >
> >I'm very much against text such as this, as I think it encourages
> deployments that are contrary to interoperability and to the intent of
> p=reject.
> >
> >I contend that p=reject (as with the similar construct in the older ADSP)
> was intended for high-value domains and transactional mail, and that it was
> never intended for use in domains where general users send general email.
> >
> >I stand by the MUST NOT that I proposed.
> >
> >Barry
> >
> >
> >On Wed, Mar 29, 2023 at 10:33 PM Todd Herr <todd.herr=
> 40valimail.com@dmarc.ietf.org<mailto:40valimail.com@dmarc.ietf.org>>
> wrote:
> >On Tue, Mar 28, 2023 at 9:06 PM Pete Resnick <resnick@episteme.net
> <mailto:resnick@episteme.net>> wrote:
> >
> >If you agree that interoperability is increased, then I'd suggest that
> you actually do agree that the proposed text is appropriate.
> >
> >
> >I don't know that I agree that interoperability is increased...
> >
> >I'm having trouble squaring proposed language that says "Domain owners
> MUST NOT publish p=reject because it breaks interoperability" with the
> following language from section 5.8:
> >
> >
> >Mail Receivers **MAY** choose to accept email that fails the DMARC
> >
> >mechanism check even if the published Domain Owner Assessment Policy
> >
> >is "reject". In particular, because of the considerations discussed
> >
> >in [@!RFC7960], it is important that Mail Receivers **SHOULD NOT** reject
> >
> >messages solely because of a published policy of "reject", but that
> >
> >they apply other knowledge and analysis to avoid situations such as
> >
> >rejection of legitimate messages sent in ways that DMARC cannot
> >describe, harm to the operation of mailing lists, and similar.
> >
> >It seems inconsistent to state with certainty that authorized mail will
> be rejected due to authentication breakage when there is no requirement
> that a reject policy be honored (and we have plenty of evidence that Mail
> Receivers are following the 'SHOULD NOT reject messages' guidance).
> >
> >Language that would be more consistent in guidance to the domain owners
> might look something like this:
> >
> >After careful analysis of the aggregate report data as described in
> section 5.5.5
> >(Collect and Analyze Reports), Domain Owners **MAY** choose to change
> their
> >policy from 'none' to 'quarantine' or 'reject'. If, in the Domain Owner's
> judgement,
> >unauthorized and deceptive use of its domain name in the RFC5322.From
> field puts
> >at risk the trust it has built with its recipients, then it is
> **RECOMMENDED** that
> >the Domain Owner make use of the p and/or sp tags to set policy to
> 'quarantine' or
> >'reject' for those streams most at risk of loss of trust.
> >
> >If going that route, probably want to consider expanding on 5.5.5, too; I
> need to think about it some more.
> >
> >--
> >Todd Herr | Technical Director, Standards and Ecosystem
> >e: todd.herr@valimail.com<mailto:todd.herr@valimail.com>
> >m: 703.220.4153
> >
> >This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> >_______________________________________________
> >dmarc mailing list
> >dmarc@ietf.org<mailto:dmarc@ietf.org>
> >https://www.ietf.org/mailman/listinfo/dmarc<
> https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/dmarc__;!!CQl3mcHX2A!BnSVJ7Ot7xEorNxvwnQPPLKjCUoG0MiUMFnPczO18L4RV-xRev7lnYcl6buwUHNn4JbzvGlzqAMl2J5l4bHsMbKOXw$
> >
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email