Re: [dmarc-ietf] Fwd: Eliot's review of the DMARC spec
"John Levine" <johnl@taugh.com> Thu, 23 May 2013 18:36 UTC
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A93AB21F9401 for <dmarc@ietfa.amsl.com>; Thu, 23 May 2013 11:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.808
X-Spam-Level:
X-Spam-Status: No, score=-110.808 tagged_above=-999 required=5 tests=[AWL=-0.109, BAYES_00=-2.599, GB_ABOUTYOU=0.5, HABEAS_ACCREDITED_SOI=-4.3, RCVD_IN_BSP_TRUSTED=-4.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fap1hE6MaUAo for <dmarc@ietfa.amsl.com>; Thu, 23 May 2013 11:35:58 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com [IPv6:2001:470:1f07:1126:0:4c:6569:6c61]) by ietfa.amsl.com (Postfix) with ESMTP id 3ED5321F87C5 for <dmarc@ietf.org>; Thu, 23 May 2013 11:15:35 -0700 (PDT)
Received: (qmail 76438 invoked from network); 23 May 2013 18:15:27 -0000
Received: from leila.iecc.com (64.57.183.34) by mail1.iecc.com with QMQP; 23 May 2013 18:15:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=519e5cbf.xn--i8sz2z.k1305; i=johnl@user.iecc.com; bh=RGa10LnU54oOO5LoE+LuvyCV+5wvh91SqDFe73z33jo=; b=LR5km9XBIkLn/LlfVUpeB74X7RWlMflcDSlC9MBoDz31NbyI9WkIVMYv8fLMA74UEe01eWiCktJNHtkmXsMZwn4260BsX/0jI4FDOvKvpo8hQe1eYUZEYAzejEwXb3HA1rKHPDvUO/fpkLvjbHGlUV7PSmlVMGeU0s3SD+3HUXg=
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=519e5cbf.xn--i8sz2z.k1305; olt=johnl@user.iecc.com; bh=RGa10LnU54oOO5LoE+LuvyCV+5wvh91SqDFe73z33jo=; b=u4md4Av1n2uxazqgbzcnqy4/JGHfrq0Lg+51ARhffibGk9lxqGMZ/LYshRB13/+J1sJgIvAxY0ZshpvYBJezg4t/H8ZaUgc/OqcR1yknyXh775CAeEO5IkvXfUtaSg6jv8Y0q4ZupVgCCnqk681hpbwjDXpUzQVawluaPGn7u8I=
Date: Thu, 23 May 2013 18:15:05 -0000
Message-ID: <20130523181505.26913.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
In-Reply-To: <CAL0qLwYZOp1FNVSAmzXYkZG_O3Yv+EQrAKKLpRiE5svcOMamTA@mail.gmail.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Cc: Eliot Lear <lear@cisco.com>
Subject: Re: [dmarc-ietf] Fwd: Eliot's review of the DMARC spec
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 May 2013 18:36:11 -0000
I agree with pretty much everything Eliot said. Fortunately, having written a DMARC implementation that handles everything other than sending reports (the stuff is in a database, I could do it if I wanted to) I believe the problems can be fixed with little or no change to the bits on the wire. DMARC does two separate things. One is the policy stuff, what a domain would like you to do if you see mail with their domain on the From: line and no corresponding DKIM or SPF authentication. The other is the report stuff, requesting per-message and daily aggregate reports from the world about the authentication results of mail with your domain on the From: line. The two parts have practically nothing to do with each other other than sharing the _dmarc DNS record and it's quite possible to use one without the other. I've collected lots of interesting stats for domains that will never publish a DMARC policy. As far as what it does, or what it's good for, the policy stuff does one very specific thing, denouncing unauthenticated mail with your domain on the From: line. For some senders, that category of mail matches up well with a narrow but significant category of phishing. For others it may match up with phish-like behaviors in which company employees send mail from outside to avoid routing mail through the corporate servers (a big issue for stockbrokers and the like where the servers log everything.) For a lot of senders, e.g., ISPs, the policy isn't useful at all since the authentication model doesn't match what their users do. I would strenuously resist any attempts to claim that it does more, particularly attempts to make it the FUSSP of the month, often from people who should know better. The reporting stuff is useful to see what sort of mail purporting to be from you is arriving at the sites that send reports. For some domains, it may be useful to see how much you're being phished. If you're a stockbroker, it could be useful to find people evading the server logging by sending from gmail. Again, I would resist attempts to claim that it does more than what it does, send reports which may tell you interesting things about your mail (and in the security section, note that it can also tell you interesting things about other people's mail, e.g., the mailing lists that your users subscribe to.) All but one of the technical comments seem on target. I think the protocol is OK, but the description needs to be edited down be a description of what it does, leaving out all the reasons it's wonderful. Nit about the pct phrase: >8. This requires that state be maintained on a receiver, and could be an >attack vector. I implement it as perform policy if (time mod 100) < pct, which I think is what everyone else does, no DMARC state needed. It's worth mentioning this as an adequate implementation. R's, John
- [dmarc-ietf] Fwd: Eliot's review of the DMARC spec Murray S. Kucherawy
- Re: [dmarc-ietf] Fwd: Eliot's review of the DMARC… SM
- Re: [dmarc-ietf] Fwd: Eliot's review of the DMARC… John Levine
- Re: [dmarc-ietf] Eliot's review of the DMARC spec Tim Draegen
- Re: [dmarc-ietf] Fwd: Eliot's review of the DMARC… Matt Simerson
- Re: [dmarc-ietf] Fwd: Eliot's review of the DMARC… John R Levine
- Re: [dmarc-ietf] Eliot's review of the DMARC spec Murray S. Kucherawy
- Re: [dmarc-ietf] Fwd: Eliot's review of the DMARC… Murray S. Kucherawy
- Re: [dmarc-ietf] Eliot's review of the DMARC spec Eliot Lear
- Re: [dmarc-ietf] Eliot's review of the DMARC spec John Levine
- Re: [dmarc-ietf] Eliot's review of the DMARC spec Murray S. Kucherawy
- [dmarc-ietf] Review of draft-kucherawy-dmarc-base… SM
- Re: [dmarc-ietf] Eliot's review of the DMARC spec John R Levine
- Re: [dmarc-ietf] Review of draft-kucherawy-dmarc-… Franck Martin
- [dmarc-ietf] cousin domain definition (was Re: Fw… Dave Crocker
- Re: [dmarc-ietf] Review of draft-kucherawy-dmarc-… SM
- Re: [dmarc-ietf] cousin domain definition (was Re… Matt Simerson
- Re: [dmarc-ietf] cousin domain definition (was Re… Dave Crocker
- Re: [dmarc-ietf] cousin domain definition (was Re… Elizabeth Zwicky
- Re: [dmarc-ietf] cousin domain definition (was Re… Matt Simerson
- Re: [dmarc-ietf] Review of draft-kucherawy-dmarc-… Franck Martin
- Re: [dmarc-ietf] cousin domain definition (was Re… Franck Martin
- Re: [dmarc-ietf] cousin domain definition (was Re… Dave Crocker
- Re: [dmarc-ietf] cousin domain definition (was Re… John Levine
- Re: [dmarc-ietf] cousin domain definition (was Re… Murray S. Kucherawy
- Re: [dmarc-ietf] Review of draft-kucherawy-dmarc-… SM
- Re: [dmarc-ietf] Review of draft-kucherawy-dmarc-… Murray S. Kucherawy
- Re: [dmarc-ietf] cousin domain definition (was Re… Murray S. Kucherawy
- Re: [dmarc-ietf] cousin domain definition (was Re… Matt Simerson
- Re: [dmarc-ietf] cousin domain definition (was Re… Matt Simerson
- Re: [dmarc-ietf] cousin domain definition (was Re… Dave Crocker
- Re: [dmarc-ietf] cousin domain definition (was Re… MH Michael Hammer (5304)
- Re: [dmarc-ietf] cousin domain definition (was Re… Steve Jones
- Re: [dmarc-ietf] cousin domain definition (was Re… Barry Leiba
- Re: [dmarc-ietf] cousin domain definition (was Re… Scott Kitterman
- Re: [dmarc-ietf] cousin domain definition (was Re… Steve Jones
- Re: [dmarc-ietf] cousin domain definition (was Re… Matt Simerson