IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Alessandro Vesely <vesely@tana.it> Sun, 16 August 2020 08:23 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2883A3A0884 for <dmarc@ietfa.amsl.com>; Sun, 16 Aug 2020 01:23:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.047
X-Spam-Level:
X-Spam-Status: No, score=-3.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nS8CrZeBhA8T for <dmarc@ietfa.amsl.com>; Sun, 16 Aug 2020 01:23:52 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B41713A087F for <dmarc@ietf.org>; Sun, 16 Aug 2020 01:23:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1597566228; bh=SXUdUHsfp/Ve7rQkUHv0THfE0xSyr/L+ZWJq0H6qtwo=; l=1367; h=To:Cc:References:From:Date:In-Reply-To; b=DNgsmWkvyMR0mJ9fqW8M0/804Ant6aHTcVeMtLL0flcWYSvsOD/jpsV0TRMBi9Xph +wwYClKD6mtVMPS62oDeL/VLNZ4fG0RpdU1nLX87S06WLw/vgUwKWyIVa42miFP60W xpHCqmBZ34ZlWzf4OuT/RmYihjR0//SQjOpHRmtySwSfXA7BzgHeeT9oyjfE+
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [192.168.1.102] ([5.170.69.62]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC053.000000005F38ED13.00000AE9; Sun, 16 Aug 2020 10:23:47 +0200
To: dcrocker@bbiw.net
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, IETF DMARC WG <dmarc@ietf.org>, John Levine <johnl@taugh.com>, Dotzero <dotzero@gmail.com>
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <c1844590-4b12-9763-21c5-6ac5b730321b@tana.it> <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it>
Date: Sun, 16 Aug 2020 10:23:45 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/BkqESSCugH2Xvo5AGFYx5fe84HY>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Aug 2020 08:23:54 -0000

On Sat 15/Aug/2020 20:12:18 +0200 Dave Crocker wrote:> On 8/15/2020 
3:32 AM, Alessandro Vesely wrote:

>> If X pretends to be Y,
> 
> 
> If I put my gmail address into the from field, there is no pretending, 
> no matter what platform I am using.


That conflicts with the coarse-grained authentication strategy, 
established at the FTC Email Authentication Summit in November 2004, 
as Doug recalled.  Your gmail address needs to be authenticated by 
gmail.  Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and 
whitelisted as yet another domain (songbird.com) can hardly be 
verified.  There is no "pretending", since it's you, but it is not 
formally distinguishable from spoof, is it?


> This continuing practice of characterizing valid use as if it were 
> spoofing or pretending has been a major impediment to constructive 
> discussion in the industry.


A system that is able to recognize all your domains and affiliations 
in order to authenticate messages does cost several orders of 
magnitude more than a simple "mechanical" verifier.  That way, 
requiring too much flexibility is a push toward oligopoly.

Of course, the alternative is to keep email as a casual, unreliable, 
unofficial means of communication.  I'm not sure the latter is 
realistic, given current trends.  Are we sticking our heads in the sand?


Best
Ale
--

v2.23.0 | Report a Bug | By Email