IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 21 October 2022 22:01 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6947BC1524AB for <dmarc@ietfa.amsl.com>; Fri, 21 Oct 2022 15:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nYChHOZ4ZUe for <dmarc@ietfa.amsl.com>; Fri, 21 Oct 2022 15:01:53 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70BE9C1522DC for <dmarc@ietf.org>; Fri, 21 Oct 2022 15:01:53 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id m23so5519333lji.2 for <dmarc@ietf.org>; Fri, 21 Oct 2022 15:01:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=0da/sLjTEoxcs539+Jxm1HtUzDxX+9aTXmr+fRgPP7A=; b=C67bMUcRAWP8YhBWCm+6EYQoo8R7a3qDQM3C3+nELOzTs/Nq5mZsbihElXbLeIO5Fr 1y057i40mxEUbh+aRrwaNnCxJs1uvsSplFksZ5BmuFIf37IfBdrEkKNYZZyZwRx1srGn kfI2TWw0WN+8RKeDok89e0SwHT5+dV0W2zGsEgzew0VVzitIoXHZ8vnbNCwER39yaGM6 MBJT6bbSyas/iq9QGFpuqr9d2UbaHXsJC9bW7NBuW/59x4FvHS5RT4G6SzSZLHFmtyCd 2OXH0d7bnCRaHpjPGripVWUK5Yf4Lsby88V7/goszJg4k/vXNUy0pmJVxtzzaKvG9QfN scng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0da/sLjTEoxcs539+Jxm1HtUzDxX+9aTXmr+fRgPP7A=; b=LLCwUGqW4iilWe1Com1XhIVFC2kXp6Iuf4cDpdt63PBAVpD1HitWe1EpWtV28VcykP HXnSKy6odX04L4llc1qepynQwIxNiw3TEZxCtISOz8UbI3FWFJdx3ED1Xbbe2B32xcWW MOsQJZwMThZf8NBC5Hi22dgjKkQHXZHK74WURjdkU4UXrcZAW3fVo8s9EzoqkX+XRAB/ UYuljW9Hsjp7WSC0M/SiNDc9atah/2mn3odGexj8bpI5T5TcHkoYfUzZT/Dp08OO0ozL CjiybuymlU2n6TnTlm2u/e9+0cGlBvVhDGsFeYprkGhOb0Na/mCq+858ZVxQJvsc5+0Z xLWw==
X-Gm-Message-State: ACrzQf3dk2t1jsFHCqC1ZU5BYTlfhmPunPGDG6LjSu38ji5c9Td1Fk8H abXxnJtiDxxJJ6GCrktcSh6IYe2lo8cwLKCa44oCJLmrSsI=
X-Google-Smtp-Source: AMsMyM63emwHHdhslPMyFGM+rsMn/UTDlux49sJKbWslB09RvEH2TP3GxQThz0bSyM0YCdt3gbo76NGbWT9U8Xos2a4=
X-Received: by 2002:a05:651c:1954:b0:26f:e9d7:1650 with SMTP id bs20-20020a05651c195400b0026fe9d71650mr7263561ljb.140.1666389710693; Fri, 21 Oct 2022 15:01:50 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com>
In-Reply-To: <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 21 Oct 2022 18:01:39 -0400
Message-ID: <CAH48ZfzgMyeSX5Skz5wnbASMUCJj+w25xTa6SC-Zur0onzxpHg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c3680c05eb929608"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/D6TAlSm3mHx5R9m-mUly7PTKgpw>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 22:01:54 -0000

My closing should have said:

"I would be happy to hear a case summary which indicates how a real problem
was solved by a domain owner, and was only solvable using non-aligned
results obtained from aggregate reports."

df

On Fri, Oct 21, 2022 at 5:57 PM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> I remain unconvinced.   Mail is nearly free to the sender, but expensive
> and risky for the recipient and his organization.   Anything unwanted
> message that gets through the spam filter consumes a person's time, which
> is a non-trivial opportunity cost.   Asking me to accept extra cost to
> provide "nice to have" data is too much.
>
> Your first scenario is mostly about what an evaluator can do.  I think
> there is an opportunity and need to discuss all the ways that an evaluator
> can obtain acceptable authentication on a message that fails SPF or DKIM,
> but the chairs have been clear that doing so is "not DMARC" and out of
> scope.    I don't see is how the aggregate report contents facilitate or
> hinder your un-munging algorithm.
>
> I am not a mass mailer with a complicated identity structure, so I am
> willing to be educated about the wonderful things that can be learned from
> aggregate reports.   Based on my current knowledge, the use cases seem few,
> and do not need unaligned results.
>
> 1) A server is sending legitimate mail and is correctly configured with
> both SPF and DKIM.   The feedback from non-forwarded recipients confirms
> this fact.
>
> 2) A server is sending legitimate mail on behalf of the domain owner, but
> has a configuration error:  no signature, invalid signature, or using a
> server not in SPF record.    SPF results from non-forwarded recipients will
> identify the problem so that it can be corrected.
>
> 3) A signature has been compromised and an unauthorized source is sending
> authenticated mail.  SPF FAIL with DMARC PASS provides the alarm trigger.
>
> 4) A server is using a delegated signature for an unauthorized purpose.
>  Nothing in the reports is likely to indicate this problem.   If it is
> detected from other sources, the correction involves revoking the public
> key and terminating the offending organization.
>
> 5) Some mail is failing authentication after forwarding without MailFrom
> rewrite or forwarding with changes.    The IP address and MailFrom address
> help to identify the problem but the domain owner has no ability to correct
> the problem.   He can use p=none to limit the consequences.
>
> 6) Some mail is failing authentication because it originates from an
> illegitimate source.      The IP address and MailFrom address help to
> identify the problem but the domain owner has no ability to correct the
> problem.   He can use p=reject to limit the consequences.
>
> Case 5 and Case 6 are distinguishable only by the reputation of the server
> or MailFrom address.   Malicious senders are unlikely to add a signature to
> prove their identity, so perhaps a signature suggests case 5 rather than
> case 6.   But a competent forwarder will be doing MailFrom rewrite, so the
> forwarder identity will be present whether a signature is added or not.
>
> These use cases do not deal with authentication failures after multiple
> forwards.   An abundance of signature data might allow the domain owner to
> reconstruct the forwarding path, but is that something he needs to do,?   I
> don't think so.
>
> As for the duplicate signature issue, my rule would detect support for the
> new signature algorithm if it appears first.
>
> I would be happy to hear a case summary which indicates how a real problem
> was solved, and was only solvable using non-aligned results.
>
> Doug Foster
>
>
>
> On Fri, Oct 21, 2022 at 4:11 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> On Fri 21/Oct/2022 00:53:56 +0200 Douglas Foster wrote:
>> >
>> > Aligned DKIM PASS
>> > When an aligned DKIM result is PASS, I don't see that the domain owner
>> needs
>> > any more data collection performed.   The verifiable DKIM scope ID
>> should tell
>> > him where the message originated, and the source IP and HELO name tell
>> the last
>> > place it landed before delivery.    I cannot see why a domain owner
>> would spend
>> > a lot of time trying to analyze success results, unless his interests
>> have
>> > transitioned from assuring identity to analyzing marketing impacts.
>>  We are
>> > not trying to provide marketing data, and any successful use of DMARC
>> for that
>> > purpose seems like an encroachment on the privacy concerns that we want
>> to
>> > minimize.
>>
>>
>> Non-aligned signatures can be meaningful for various reasons.  In that
>> case,
>> the result of their evaluation is also meaningful.  For an example, the
>> original author's domain signature, before From: was munged, is
>> meaningful.  If
>> it fails, it can be retried after undoing MLM transformation, possibly
>> leading
>> to secure recognition of the true author.  Is that worth its carbon
>> footprint?
>>
>> And for scope, one may wonder whether the recognized, or failed to be
>> securely
>> recognized original author's domain deserves a copy of the report.
>> People
>> prone to set p=quarantine; pct=0 in order to avoid receiving "errors"
>> would
>> clearly dislike a copy of the report.  Others may want it, in order to
>> tune
>> their DKIM signing configuration.
>>
>>
>> > Duplicates:
>> > If an aligned domain has multiple DKIM signatures and one passes, I
>> suggest
>> > that the PASS is the only one that needs to be reported.  If an aligned
>> domain
>> > has multiple DKIM signatures and none pass, I suggest that the first
>> one found
>> > (from the top) is the most important, because it is the last one
>> applied.   If
>> > duplicates are reported, disaggregation is increased, so why report
>> data that
>> > is not useful?
>>
>>
>> Currently, putting 2 signatures, one rsa and one ed25519, is the way to
>> monitor
>> who supports the latter.
>>
>>
>> Best
>> Ale
>> --
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>

v2.23.0 | Report a Bug | By Email