Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)

Hector Santos <hsantos@isdg.net> Thu, 14 March 2024 19:25 UTC

From: Hector Santos <hsantos@isdg.net>
Message-Id: <09C7D830-5966-4EE5-AA86-003696B5ECEE@isdg.net>
Date: Thu, 14 Mar 2024 15:24:59 -0400
In-Reply-To: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
References: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Bv4GcuxnRC4tOou0EYYNpKvpe34>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)

> On Mar 14, 2024, at 10:09 AM, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> 
> 
> In the ticket, I propose the following replacement text:
> 
> ==================================================
> Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376]], in order to take full advantage of DMARC, a Domain Owner MUST first ensure that either SPF or DKIM authentication is properly configured, and SHOULD ensure that both are.

+1

> 
> To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail that aligns with the Author Domain, and then publish an SPF policy in DNS for that domain. The SPF record MUST be constructed at a minimum to ensure an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom domain.

A major consideration, Todd, is that receivers will process SPF for SPF without DMARC (payload) considerations. IOW, if SPF is a hardfail, we have SMTP processors that will not continue to transmit a payload (DATA).

DMARCBis is making a major design presumption that receivers will only use SPF as a data point for a final DMARC evaluation, where a potentially high-overhead payload was transmitted only to be rejected anyway.

> In the ticket, I propose the following new text:
> 
> ==================================================
> To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.
> ==================================================

In order to maximize security, the Domain Owner is REQUIRED to choose a ….. 

Is REQUIRED the same as MUST? I think SHOULD or MUST is fine as long as we specify the reason it is required.

—
HLS
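The alignment rules quoted from the ticket and the SPF-at-SMTP-time concern raised in this reply, modelled in a small Python example that is not part of the thread or of any DMARC implementation. It assumes a simplified organizational-domain lookup (last two DNS labels; a real evaluator uses the Public Suffix List) and takes the SPF and DKIM verdicts as inputs rather than computing them from DNS.

```python
# Added example: DMARC alignment vs. an SPF-only receiver that rejects before DATA.
# Assumption: org_domain() is a stand-in for a Public Suffix List lookup.
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    # Simplification: real DMARC implementations use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, author_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment: strict needs an exact match, relaxed needs
    the same organizational domain."""
    if strict:
        return identifier.lower() == author_domain.lower()
    return org_domain(identifier) == org_domain(author_domain)


@dataclass
class Message:
    author_domain: str      # RFC5322.From domain (the Author Domain)
    mailfrom_domain: str    # RFC5321.MailFrom (Return-Path) domain
    spf_result: str         # "pass", "fail" (hardfail), "softfail", "none", ...
    dkim_results: list = field(default_factory=list)  # [(d= domain, result)]


def dmarc_passes(msg: Message, strict: bool = False) -> bool:
    """DMARC passes when SPF or DKIM both authenticates and aligns."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mailfrom_domain, msg.author_domain, strict)
    dkim_ok = any(res == "pass" and aligned(d, msg.author_domain, strict)
                  for d, res in msg.dkim_results)
    return spf_ok or dkim_ok


def spf_only_receiver_rejects_before_data(msg: Message) -> bool:
    """An SMTP processor enforcing SPF on its own rejects a hardfail ('-all')
    at MAIL FROM/RCPT TO, so DATA, and any DKIM signature in it, is never seen."""
    return msg.spf_result == "fail"


# Constructed case: forwarded mail. SPF fails for the Return-Path domain, but the
# author's DKIM signature (d=mail.example.com) survives and aligns in relaxed mode.
FORWARDED = Message(author_domain="example.com", mailfrom_domain="example.com",
                    spf_result="fail", dkim_results=[("mail.example.com", "pass")])
```

For the constructed message `dmarc_passes(FORWARDED)` is True while `spf_only_receiver_rejects_before_data(FORWARDED)` is also True: the DMARC verdict would have been pass, but an SPF-enforcing receiver never reaches the evaluation.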