Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30

"Brotman, Alex" <Alex_Brotman@comcast.com> Mon, 01 April 2024 12:18 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Date: Mon, 01 Apr 2024 12:18:33 +0000
Message-ID: <MN2PR11MB435115B7428C63C1B1058D9EF73F2@MN2PR11MB4351.namprd11.prod.outlook.com>
References: <eda55c54-c149-475c-8117-bfdf3885a883@tekmarc.com> <20240331180009.F36CD8687B50@ary.qy> <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd-7A@mail.gmail.com> <lIU60SB3NeCmFAG+@highwayman.com> <CAL0qLwZt+bo4ydCVOQbfg6bQEv-ufXrrwr8Aege9Wsv7LgH=kA@mail.gmail.com> <CAOZAAfPtxdBwEthN26cgvAnAbQ70wym+2k0WjtKqNVf44=-vMg@mail.gmail.com>
In-Reply-To: <CAOZAAfPtxdBwEthN26cgvAnAbQ70wym+2k0WjtKqNVf44=-vMg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/BLB5vJBC-nERsADNafyXnz9fmH0>

One item left out of Seth’s text is that due to MBPs who act in this fashion, these SPF evaluation failures will (understandably) not show up in DMARC reports, and the domain owner may not have visibility for these failures.  However, the text also puts the onus on the domain owner instead of the MBP.  The text could be altered to instead suggest that MBPs who deploy DMARC should not utilize the outcome of SPF in this fashion.  If the domain owner wants to protect their domain, and has no idea if the MBP supports DMARC properly (presuming they also have an enforcing policy), is it more or less advisable to use “-all” with your SPF record?

I’d be curious to see the Venn diagram of MBPs who implement SPF in this fashion, and also fully support DMARC.  I feel like the MBPs who I’ve encountered deploying an SPF check in this way had not at the time supported DMARC.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Seth Blank
Sent: Sunday, March 31, 2024 7:38 PM
To: Murray S. Kucherawy <superuser@gmail.com>
Cc: dmarc@ietf.org
Subject: Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30

It is a very common issue that companies want DMARC, but their security teams believe an SPF hard fail is more secure, and then all sorts of actual operational issues slam in. It ends up being lots of work to convince those security teams otherwise.

I think it is desirable to state that this issue is known, and with respect to DMARC a hard fail can have unintended consequences. Operationally for DMARC, anything that is not an SPF pass is treated the same, so a hard fail is not a stronger signal if you wish to implement DMARC with a policy that is not none.

There are two M3AAWG documents that do call out explicit issues and best practice, so I won’t push strongly that this should be in the document. But since there’s already text that’s so close, why not update it to cover this more explicitly?

S, participating, after just having this conversation the other week


Seth Blank | Chief Technology Officer
Email: seth@valimail.com



On Sun, Mar 31, 2024 at 18:47 Murray S. Kucherawy <superuser@gmail.com> wrote:
On Sun, Mar 31, 2024 at 3:28 PM Richard Clayton <richard@highwayman.com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In message <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd-7A@mail.gmail.com>, Seth Blank <seth=40valimail.com@dmarc.ietf.org> writes

>    Some Mail Receiver architectures implement SPF in advance of any
>    DMARC operations. This means that an SPF hard fail ("-") prefix on
>    a sender's SPF mechanism, such as "-all", could cause that
>    rejection to go into effect early in handling, causing message
>    rejection before any DMARC processing takes place, and DKIM has a
>    chance to validate the message instead of SPF. Operators choosing
>    to use "-all" to terminate SPF records should be aware of this.

I understood what this said thus far ... but I wonder what it is doing
in a document about DMARC. Some architectures may reject email from
IPs listed in the PBL ... again nothing to do with DMARC. This isn't a
document on how to improve deliverability, is it?

I don't understand the link being made here between operational details and deliverability.  I understand this to be pointing out that if you do any short circuiting, DMARC can't be evaluated.  That includes any early rejection, be that based on SPF results, DKIM signature failures, domain reputation rejections, or anything of the sort.

Mind you, I'm a little worried about anyone that plans to rely seriously on DMARC yet to whom this isn't relatively obvious.  You need those results before DMARC can even begin, and the DKIM result comes only after the body arrives.

-MSK, p11g
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
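The receiver behaviour argued over in this thread, modelled as an added example that is not text or code from the draft, the list, or any of the posters: one receiver acts on an SPF hard fail before DMARC runs, another defers every SPF result to DMARC, where anything other than an SPF pass is treated the same and an aligned DKIM signature can still carry the message. The SPF evaluator implements only ip4/ip6 mechanisms and the final all term, DKIM results are supplied as constructed inputs rather than verified, the organizational domain is approximated as the last two labels instead of a public-suffix lookup, and the DNS records and IP addresses are constructed for the example.

```python
"""Simulate two receiver pipelines: SPF short-circuit before DMARC vs. full DMARC.

All records, addresses and DKIM outcomes below are constructed for the example;
nothing here performs network lookups or real signature verification.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed stand-in for a _dmarc.example.com TXT lookup (assumption: no DNS).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
}


def parse_tags(record: str) -> dict[str, str]:
    """Parse a 'k=v; k=v' DMARC tag list into a dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def evaluate_spf(record: str, client_ip: str) -> str:
    """Minimal SPF check: ip4/ip6 mechanisms plus the terminating 'all'.

    Returns pass / fail / softfail / neutral / none. Other mechanisms
    (include, a, mx, ...) are deliberately not modelled here.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        mechanism = term.lower()
        if mechanism == "all":
            return results[qualifier]
        if mechanism.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == network.version and ip in network:
                return results[qualifier]
    return "neutral"  # nothing matched and the record has no 'all' term


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real DMARC uses the PSL."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') or relaxed ('r')."""
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


@dataclass
class Message:
    client_ip: str
    mail_from_domain: str  # RFC5321.MailFrom domain (the identity SPF checks)
    from_domain: str       # RFC5322.From domain (the identity DMARC protects)
    dkim_results: list     # constructed (d= domain, "pass"/"fail") pairs


def evaluate_dmarc(msg: Message, spf_result: str) -> tuple[str, str]:
    """Return (dmarc result, requested policy). SPF contributes only on 'pass'."""
    record = DMARC_RECORDS.get(msg.from_domain.lower())
    if record is None:
        return "none", "none"
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(msg.mail_from_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, msg.from_domain, tags.get("adkim", "r"))
                  for d, res in msg.dkim_results)
    return ("pass" if spf_ok or dkim_ok else "fail"), tags.get("p", "none")


def receive(msg: Message, spf_record: str, early_spf_reject: bool) -> dict:
    """Run one message through a receiver; early_spf_reject models SPF-before-DMARC."""
    spf = evaluate_spf(spf_record, msg.client_ip)
    if early_spf_reject and spf == "fail":
        # Rejected at SPF time: DMARC never runs, so no aggregate report row is produced.
        return {"spf": spf, "dmarc": None, "action": "reject (SPF, before DMARC)", "dmarc_report": False}
    dmarc, policy = evaluate_dmarc(msg, spf)
    if dmarc == "pass":
        action = "deliver"
    elif policy == "reject":
        action = "reject (DMARC)"
    elif policy == "quarantine":
        action = "quarantine"
    else:
        action = "deliver"
    return {"spf": spf, "dmarc": dmarc, "action": action, "dmarc_report": True}


# Constructed traffic: a legitimate message relayed by an IP outside the SPF record
# (think of a forwarder) with an aligned DKIM pass, and a spoof with no signature.
FORWARDED = Message("203.0.113.7", "example.com", "example.com", [("example.com", "pass")])
SPOOFED = Message("203.0.113.7", "example.com", "example.com", [])
HARD_FAIL = "v=spf1 ip4:192.0.2.0/24 -all"
SOFT_FAIL = "v=spf1 ip4:192.0.2.0/24 ~all"


def scenarios() -> dict[str, dict]:
    return {
        "forwarded/-all/early": receive(FORWARDED, HARD_FAIL, True),
        "forwarded/-all/dmarc": receive(FORWARDED, HARD_FAIL, False),
        "forwarded/~all/early": receive(FORWARDED, SOFT_FAIL, True),
        "spoofed/~all/early": receive(SPOOFED, SOFT_FAIL, True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:24} {outcome}")
```

The four scenarios make the thread's points concrete: with "-all" and an SPF-first receiver the forwarded message is rejected with DMARC unevaluated and no report row, which is the visibility gap described above; the same message under "~all", or under a receiver that defers to DMARC, is delivered on the aligned DKIM pass; and the spoof is still rejected under "~all" because DMARC with p=reject does not need an SPF hard fail to act.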