Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 21 October 2022 22:01 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6947BC1524AB for <dmarc@ietfa.amsl.com>; Fri, 21 Oct 2022 15:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nYChHOZ4ZUe for <dmarc@ietfa.amsl.com>; Fri, 21 Oct 2022 15:01:53 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70BE9C1522DC for <dmarc@ietf.org>; Fri, 21 Oct 2022 15:01:53 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id m23so5519333lji.2 for <dmarc@ietf.org>; Fri, 21 Oct 2022 15:01:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=0da/sLjTEoxcs539+Jxm1HtUzDxX+9aTXmr+fRgPP7A=; b=C67bMUcRAWP8YhBWCm+6EYQoo8R7a3qDQM3C3+nELOzTs/Nq5mZsbihElXbLeIO5Fr 1y057i40mxEUbh+aRrwaNnCxJs1uvsSplFksZ5BmuFIf37IfBdrEkKNYZZyZwRx1srGn kfI2TWw0WN+8RKeDok89e0SwHT5+dV0W2zGsEgzew0VVzitIoXHZ8vnbNCwER39yaGM6 MBJT6bbSyas/iq9QGFpuqr9d2UbaHXsJC9bW7NBuW/59x4FvHS5RT4G6SzSZLHFmtyCd 2OXH0d7bnCRaHpjPGripVWUK5Yf4Lsby88V7/goszJg4k/vXNUy0pmJVxtzzaKvG9QfN scng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0da/sLjTEoxcs539+Jxm1HtUzDxX+9aTXmr+fRgPP7A=; b=LLCwUGqW4iilWe1Com1XhIVFC2kXp6Iuf4cDpdt63PBAVpD1HitWe1EpWtV28VcykP HXnSKy6odX04L4llc1qepynQwIxNiw3TEZxCtISOz8UbI3FWFJdx3ED1Xbbe2B32xcWW MOsQJZwMThZf8NBC5Hi22dgjKkQHXZHK74WURjdkU4UXrcZAW3fVo8s9EzoqkX+XRAB/ UYuljW9Hsjp7WSC0M/SiNDc9atah/2mn3odGexj8bpI5T5TcHkoYfUzZT/Dp08OO0ozL CjiybuymlU2n6TnTlm2u/e9+0cGlBvVhDGsFeYprkGhOb0Na/mCq+858ZVxQJvsc5+0Z xLWw==
X-Gm-Message-State: ACrzQf3dk2t1jsFHCqC1ZU5BYTlfhmPunPGDG6LjSu38ji5c9Td1Fk8H abXxnJtiDxxJJ6GCrktcSh6IYe2lo8cwLKCa44oCJLmrSsI=
X-Google-Smtp-Source: AMsMyM63emwHHdhslPMyFGM+rsMn/UTDlux49sJKbWslB09RvEH2TP3GxQThz0bSyM0YCdt3gbo76NGbWT9U8Xos2a4=
X-Received: by 2002:a05:651c:1954:b0:26f:e9d7:1650 with SMTP id bs20-20020a05651c195400b0026fe9d71650mr7263561ljb.140.1666389710693; Fri, 21 Oct 2022 15:01:50 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com>
In-Reply-To: <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 21 Oct 2022 18:01:39 -0400
Message-ID: <CAH48ZfzgMyeSX5Skz5wnbASMUCJj+w25xTa6SC-Zur0onzxpHg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000c3680c05eb929608"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/D6TAlSm3mHx5R9m-mUly7PTKgpw>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2022 22:01:54 -0000
My closing should have said: "I would be happy to hear a case summary which indicates how a real problem was solved by a domain owner, and was only solvable using non-aligned results obtained from aggregate reports." df On Fri, Oct 21, 2022 at 5:57 PM Douglas Foster < dougfoster.emailstandards@gmail.com> wrote: > I remain unconvinced. Mail is nearly free to the sender, but expensive > and risky for the recipient and his organization. Anything unwanted > message that gets through the spam filter consumes a person's time, which > is a non-trivial opportunity cost. Asking me to accept extra cost to > provide "nice to have" data is too much. > > Your first scenario is mostly about what an evaluator can do. I think > there is an opportunity and need to discuss all the ways that an evaluator > can obtain acceptable authentication on a message that fails SPF or DKIM, > but the chairs have been clear that doing so is "not DMARC" and out of > scope. I don't see is how the aggregate report contents facilitate or > hinder your un-munging algorithm. > > I am not a mass mailer with a complicated identity structure, so I am > willing to be educated about the wonderful things that can be learned from > aggregate reports. Based on my current knowledge, the use cases seem few, > and do not need unaligned results. > > 1) A server is sending legitimate mail and is correctly configured with > both SPF and DKIM. The feedback from non-forwarded recipients confirms > this fact. > > 2) A server is sending legitimate mail on behalf of the domain owner, but > has a configuration error: no signature, invalid signature, or using a > server not in SPF record. SPF results from non-forwarded recipients will > identify the problem so that it can be corrected. > > 3) A signature has been compromised and an unauthorized source is sending > authenticated mail. SPF FAIL with DMARC PASS provides the alarm trigger. > > 4) A server is using a delegated signature for an unauthorized purpose. > Nothing in the reports is likely to indicate this problem. If it is > detected from other sources, the correction involves revoking the public > key and terminating the offending organization. > > 5) Some mail is failing authentication after forwarding without MailFrom > rewrite or forwarding with changes. The IP address and MailFrom address > help to identify the problem but the domain owner has no ability to correct > the problem. He can use p=none to limit the consequences. > > 6) Some mail is failing authentication because it originates from an > illegitimate source. The IP address and MailFrom address help to > identify the problem but the domain owner has no ability to correct the > problem. He can use p=reject to limit the consequences. > > Case 5 and Case 6 are distinguishable only by the reputation of the server > or MailFrom address. Malicious senders are unlikely to add a signature to > prove their identity, so perhaps a signature suggests case 5 rather than > case 6. But a competent forwarder will be doing MailFrom rewrite, so the > forwarder identity will be present whether a signature is added or not. > > These use cases do not deal with authentication failures after multiple > forwards. An abundance of signature data might allow the domain owner to > reconstruct the forwarding path, but is that something he needs to do,? I > don't think so. > > As for the duplicate signature issue, my rule would detect support for the > new signature algorithm if it appears first. > > I would be happy to hear a case summary which indicates how a real problem > was solved, and was only solvable using non-aligned results. > > Doug Foster > > > > On Fri, Oct 21, 2022 at 4:11 AM Alessandro Vesely <vesely@tana.it> wrote: > >> On Fri 21/Oct/2022 00:53:56 +0200 Douglas Foster wrote: >> > >> > Aligned DKIM PASS >> > When an aligned DKIM result is PASS, I don't see that the domain owner >> needs >> > any more data collection performed. The verifiable DKIM scope ID >> should tell >> > him where the message originated, and the source IP and HELO name tell >> the last >> > place it landed before delivery. I cannot see why a domain owner >> would spend >> > a lot of time trying to analyze success results, unless his interests >> have >> > transitioned from assuring identity to analyzing marketing impacts. >> We are >> > not trying to provide marketing data, and any successful use of DMARC >> for that >> > purpose seems like an encroachment on the privacy concerns that we want >> to >> > minimize. >> >> >> Non-aligned signatures can be meaningful for various reasons. In that >> case, >> the result of their evaluation is also meaningful. For an example, the >> original author's domain signature, before From: was munged, is >> meaningful. If >> it fails, it can be retried after undoing MLM transformation, possibly >> leading >> to secure recognition of the true author. Is that worth its carbon >> footprint? >> >> And for scope, one may wonder whether the recognized, or failed to be >> securely >> recognized original author's domain deserves a copy of the report. >> People >> prone to set p=quarantine; pct=0 in order to avoid receiving "errors" >> would >> clearly dislike a copy of the report. Others may want it, in order to >> tune >> their DKIM signing configuration. >> >> >> > Duplicates: >> > If an aligned domain has multiple DKIM signatures and one passes, I >> suggest >> > that the PASS is the only one that needs to be reported. If an aligned >> domain >> > has multiple DKIM signatures and none pass, I suggest that the first >> one found >> > (from the top) is the most important, because it is the last one >> applied. If >> > duplicates are reported, disaggregation is increased, so why report >> data that >> > is not useful? >> >> >> Currently, putting 2 signatures, one rsa and one ed25519, is the way to >> monitor >> who supports the latter. >> >> >> Best >> Ale >> -- >> >> >> >> >> >> >> >> >> _______________________________________________ >> dmarc mailing list >> dmarc@ietf.org >> https://www.ietf.org/mailman/listinfo/dmarc >> >
- [dmarc-ietf] I-D Action: draft-ietf-dmarc-aggrega… internet-drafts
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-agg… Brotman, Alex
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-agg… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Todd Herr
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Brotman, Alex
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Barry Leiba
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Laura Atkins
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Neil Anuskiewicz
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Scott Kitterman
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Scott Kitterman
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Neil Anuskiewicz
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Neil Anuskiewicz
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Brotman, Alex
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Brotman, Alex
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster