IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Dotzero <dotzero@gmail.com> Fri, 14 August 2020 08:27 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C8FA3A08A2 for <dmarc@ietfa.amsl.com>; Fri, 14 Aug 2020 01:27:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M2BW6pQBLgAX for <dmarc@ietfa.amsl.com>; Fri, 14 Aug 2020 01:27:16 -0700 (PDT)
Received: from mail-wr1-x42d.google.com (mail-wr1-x42d.google.com [IPv6:2a00:1450:4864:20::42d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 690CA3A089F for <dmarc@ietf.org>; Fri, 14 Aug 2020 01:27:16 -0700 (PDT)
Received: by mail-wr1-x42d.google.com with SMTP id a15so7576027wrh.10 for <dmarc@ietf.org>; Fri, 14 Aug 2020 01:27:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=YgyeBQgOPJ4eEXiboU5H7bWW32ezbEIZ/HKuLQHgtN8=; b=hL7t/vwPL5NgmX5NGlQTU7H15stGL1cWLJ/swGncBK/JC6gZnM+o1h4P2+PKSN+o/f 28CTMVPYutVjH8qDiG8co//aD1zRR8HqFRDNO7TKXFwduD1U/nJtHz6VDImB+RE9GGGs Z1aKMpaI00LtKjcvbc9Iyx4sdt8K8iCm1m1XNxATjn6aZH3ygSGtrRvWms1M+h/D4/eF kpMvb7oyczHP48I3qtTaliI0M7bR2uuMml5svWVcSLeYsmZWPaR6QBlXcXOS2uQdETMj 7FjzBmq9QyLoHuRvfaT85p2cbKx+DbYr2QDw6Do7rz/no5rmWKpt8L5ChhT9H68Kd3Mm vcHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=YgyeBQgOPJ4eEXiboU5H7bWW32ezbEIZ/HKuLQHgtN8=; b=owPD4la3hLzH0Kma0hsKw1qrPZotYpgDYc4RBv/2UoUopQheMXqqJxrn3CgZhxbeEB i8VviNKLfO+azYMQ23dVAYOaFA5tioUdKD77wnaWeTvyk8EawNhXqw0LOEkinwW/YepN YgfepSKXw7BBE7nkNeE/Gm0U1H/dLY11H3W6xuXNNgQlGE3UPwjpGU2SdGLy8MtmSHeS +cJTaUFzmWU0bo7/VQ++T/25/eF5TVg6gwRGg0/tRzRtNo/PNKQtH+Eco+u46etoRXXV fcZ5LYetvGnxbvgXhT8jmKX5srFvvGlyu7Mr2UKnAxzvK0Ehq7hvike6sZ1s2Px81aH6 A10w==
X-Gm-Message-State: AOAM5313tKHFZfcNfvXBVEnFojT34DJPLEsP73Mc+ClyPnNFxYRBLQ47 EbVo2PWuqMp4Pu0cExCsgs638+aSr87DjaVTxaHlxKe04L0=
X-Google-Smtp-Source: ABdhPJyPgH4AJ6JyJc9MQnt5qRXAV56AfEmFjLao2G7qGMvL3cO1sw+kZ4bpQBX2/mIznwRmE1QrT0turcAp7gxhaxo=
X-Received: by 2002:adf:fd82:: with SMTP id d2mr1653700wrr.72.1597393634527; Fri, 14 Aug 2020 01:27:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAJ4XoYfpGMUmkDkQYN0qZeNFi_xZjfR=99yVu0dgLz-z19iwfA@mail.gmail.com> <20200814020806.7D8BF1E92E0C@ary.local>
In-Reply-To: <20200814020806.7D8BF1E92E0C@ary.local>
From: Dotzero <dotzero@gmail.com>
Date: Fri, 14 Aug 2020 04:27:03 -0400
Message-ID: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000270c4905acd23056"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DZUp6BFIEYMv7gTQbu2NdZPI5o4>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2020 08:27:18 -0000

On Thu, Aug 13, 2020 at 10:08 PM John Levine <johnl@taugh.com> wrote:

> In article <CAJ4XoYfpGMUmkDkQYN0qZeNFi_xZjfR=
> 99yVu0dgLz-z19iwfA@mail.gmail.com> you write:
> >> "DISCUSS" shouldn't really be a joke. draft-crocker-dmarc-sender suffers
> >from a similar problem as PRA in the SenderId draft. There is no way to
> >validate that the specific intermediary is authorized by the (From) domain
> >originating the email through it's generic signalling that it
> >authorizes intermediaries. This means that any source can emit a message
> >claiming to be a legitimate intermediary just as any source could game PR
> >to gain a neutral result.
>
> That's a feature, not a bug. I want recipients to be able to assess
> the mail my lists send on its own merits.
>

And recipient domains do just that using local policy override. DMARC
policy is at best a request to the Validator/Receiving Domain. If a
Validator/Receiving Domain chooses to honor the published DMARC policy for
a domain such as p=reject, then they are in fact assessing the mail your
lists send based on the merits as they see them. The same goes if they
decide to not honor that published DMARC policy and accept mail from your
lists. Earlier in my DMARC journey I felt that MLMs should adjust and send
list mail as themselves. Now I have come to the conclusion that they should
reject list submissions from accounts at domains which publish a DMARC
policy of p=reject. Domains should not be able to externalize their
internal problems to others.

>
> >One could achieve similar outcomes using
> >only reputation and local policy override of DMARC policy.
>
> Only if you believe that the domain on the From: line is automatically
> more credible than the one on the Sender: line. The whole third party
> problem is that the people sending their mail through lists or
> whatever are in fact doing so legitimately, but for various reasons
> their organizations' DMARC policies lie and say they aren't.
>

I think you are misusing the term "credible". Domains which are publishing
p=reject policies are making an assertion regarding mail purporting to be
authorized by their domain. It is not an assertion that their mail is
"good" or should be delivered to a recipient or even given preferential
treatment with regard to filters or policy. The assertion is simply that
mail purporting to be authorized by my domain must pass either SPF or DKIM
validation or else we request that in the event of neither of these
properly validating for a particular email message, please reject this
message. Don't think of it as being about "legitimate" or "not legitimate".
There is a certain (normally small) amount of mail that fails to validate
even when it passes directly from the outbound MTA to the recipient
domain's MTA. The sending domain is accepting that this otherwise valid
mail may (SHOULD?) be rejected by the receiving domain. The organizations
DMARC policies aren't lying. They are simply saying "If this then that."

This ultimately goes back to the elephant in the room. Does an individual
user's use of an account at a domain trump the organization's right to
define how an account at a domain may/should be used? I absolutely agree
that in an ideal world this issue should not be externalized yet here we
are. This is why I made the point above that lists should respect DMARC
policy and not accept submissions from domains with DMARC p=reject
policies. It becomes "Not your circus and not your monkey". and forces the
problem back to the domain and it's users. If an MLM isn't modifying the
message then the DKIM signature should survive and this discussion is
irrelevant. I think this covers the range of MLM use cases that have been a
topic of discussion. If the MLM admin really wants to poke those domains
publishing p=reject then they can respond to user subscribe attempts or
submissions that are rejected with an explanation that they need to go have
a meaningful discussion with their mail admin/IT staff/domain account
provider or whoever is responsible for publishing p=reject for tht domain
but still allowing users to sign up for MLMs or attempt to use other
intermediaries. popcorn is of course optional.

Michael Hammer

v2.23.0 | Report a Bug | By Email