IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Dave Crocker <dhc@dcrocker.net> Sun, 16 August 2020 18:16 UTC

Return-Path: <dhc@dcrocker.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2F0313A0FC2 for <dmarc@ietfa.amsl.com>; Sun, 16 Aug 2020 11:16:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.849
X-Spam-Level:
X-Spam-Status: No, score=-2.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.949, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nXLref0sIeR0 for <dmarc@ietfa.amsl.com>; Sun, 16 Aug 2020 11:16:26 -0700 (PDT)
Received: from simon.songbird.com (simon.songbird.com [72.52.113.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEB023A0FC7 for <dmarc@ietf.org>; Sun, 16 Aug 2020 11:16:26 -0700 (PDT)
Received: from [192.168.1.67] (108-226-162-63.lightspeed.sntcca.sbcglobal.net [108.226.162.63]) (authenticated bits=0) by simon.songbird.com (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id 07GIJ9Gv032318 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sun, 16 Aug 2020 11:19:10 -0700
To: Alessandro Vesely <vesely@tana.it>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <c1844590-4b12-9763-21c5-6ac5b730321b@tana.it> <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net> <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it> <c972e0af-b589-1780-47b3-8cb2a2024ec2@dcrocker.net> <13a0ed72-2c5a-8ba6-84ab-b857e29403f1@tana.it>
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
Reply-To: dcrocker@bbiw.net
Message-ID: <1703e878-e20a-8ae2-09e8-25470c0cf5f8@dcrocker.net>
Date: Sun, 16 Aug 2020 11:16:17 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <13a0ed72-2c5a-8ba6-84ab-b857e29403f1@tana.it>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/BIG5I4uJHoEYTX40fXDU5YyQPT4>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Aug 2020 18:16:28 -0000

>>>> If I put my gmail address into the from field, there is no 
>>>> pretending, no matter what platform I am using.
>>>
>>>
>>> That conflicts with the coarse-grained authentication strategy, 
>>> established at the FTC Email Authentication Summit in November
>>> 2004, as Doug^W Michael recalled. >
>> 1. I was making a semantic point, not a technical or technical policy 
>> one.
> 
> 
> They have to match at some point.

it would be nice, wouldn't it?

but that's separate from the factual statement I made.


>> 2. There was nothing 'established' at that event.  There were 
>> interesting discussions, but that's all.
> 
> 
> I wasn't there.  Can't it be considered the historic event that marked 
> domain-level authentication as the promising strategy to counter email 
> abuse?

Reference to that event as if it 'established' anything is misguided, at 
best.  The meetings were helpful, but not definitive.  And the efforts 
at domain level authentication were wholly independent of these events.

As already noted on this list, the events served as a plea from the 
government and, therefore, a signal that the government was concerned.


>> 3. I'm not finding the reference in any of Doug^X Michael's notes
>> that your are relying on.  Please be specific about it.
> 
> 
> https://mailarchive.ietf.org/arch/msg/dmarc/-pX7yWlSk39ShOjAzWMxhxlKh1E

Finally found that you meant Herr Hammer.


>>> Your gmail address needs to be authenticated by gmail. 
>>
>> Good grief, no.  There is no system rule to that effect.  DMARC 
>> created that, but no policy before it was in place, never mind accepted.
> 
> 
> DMARC took that strategy to the extremes.  A number of users and 
> operators seem to have accepted it.  Why cannot we accept it too?

That DMARC does something and that some people use it is quite different 
from claiming that there was some grand change in the semantics and 
operational policy of email.  Why can't THAT be accepted?


> 
>>> Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and 
>>> whitelisted as yet another domain (songbird.com) can hardly be 
>>> verified.  There is no "pretending", since it's you, but it is not 
>>> formally distinguishable from spoof, is it?
>>
>> Whether valid and invalid uses can be distinguished does not alter the 
>> fact that valid uses are valid.
> 
> The problem is to find the technical means that allow receivers and 
> recipients to verify such validity.

Of course.  But when it's at the expense of valid use that has worked 
for 45 years, then those means are problematic.  Highly.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net

v2.23.0 | Report a Bug | By Email