[dmarc-ietf] Re: DMARCbis version -33 is ready for document shepherd and AD processing
Todd Herr <todd.herr@valimail.com> Mon, 16 September 2024 14:59 UTC
Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8502BC18DB90 for <dmarc@ietfa.amsl.com>; Mon, 16 Sep 2024 07:59:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JEmlZg0HptrL for <dmarc@ietfa.amsl.com>; Mon, 16 Sep 2024 07:59:31 -0700 (PDT)
Received: from mail-yb1-xb35.google.com (mail-yb1-xb35.google.com [IPv6:2607:f8b0:4864:20::b35]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7566C151983 for <dmarc@ietf.org>; Mon, 16 Sep 2024 07:59:31 -0700 (PDT)
Received: by mail-yb1-xb35.google.com with SMTP id 3f1490d57ef6-e1da3677ca7so3596128276.0 for <dmarc@ietf.org>; Mon, 16 Sep 2024 07:59:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1726498770; x=1727103570; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=rHeF+hfEvjAOfT2rsPdWaQ1aLvzzqwcz0h9C/UjpzTI=; b=CGD5nWc1O8BzAUCorzAmFHE60gIKXfNJ7OsyKDViVGx/ecAHWbmbX+PtCIV5Ft/46d 3DdC7YpFo07CDuqhcB1Lhc1sMAGFOUvq+Op3sjvXuWB63r1kBby7gkr/2cITpOy7XiRR YyTQqiUcIyatOG8zdI6MBKMLfawJRdfAOeklW4l/c56MUlR/CdOHH3f7fWpAvbCmCVwB Gw8C/GISxSAwzBo1WR9Vd6JLnWLkpkvqBM/VA9kjJtwdSKcVwyo4QuM8ocYZza4qpYLF Iso7H9kPG1oeQgVcFmPx9Txhg+5oykhJt/9d3X4dlusAZgAw3BrfnjriQcN0Y/+WI0tO qFzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726498770; x=1727103570; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rHeF+hfEvjAOfT2rsPdWaQ1aLvzzqwcz0h9C/UjpzTI=; b=H4QLmCy0Gs3z+cEPuCVoVTcPz075LYRhkUnrUtw/rk1X4GbvnIKJEuu5Tek/SVaxU+ OPNan3GKd0/FbeLM32BeVeCqoh35DLLqrA85LboQs0W81YDSawzPxIHmuM3VjT/hkTT8 XahplxaOV6CZW/lEeVRQ/d/V4gycbrB6fyYUgjYeJDR3zwWzwwbpR+7F51HktuG1f9dm bnvbFoJO9OhEve/Tcw7QNgML4mOtLAjEmK1GGkG7K8a1Rd8qNXMFjAjySrEFtmKwPR9u 3uq0SOjy2W+YY4aId7vg17bGJ//usypgUJK7jLXK6u+efJBD74E5NLJChkMWys/kfqq7 6sHw==
X-Gm-Message-State: AOJu0YzaCjjx4bqf2/CC3cSbktmEIvuukOQyqzJTE2NGlXyf3zJn5o+m 4gOQlCsER1zQMczC/nzUxXqcdszE051jM8k9V3eJ49OZs/keNd7R/4dhp56lpfjSiVPMrs0LUA3 XvQuF4ooNg7kuM6K7wRMNYq/NBK8W5G8ti+1/6Cc9dhUw7wxKbRg=
X-Google-Smtp-Source: AGHT+IGyryQ+Q02xIBZDtV2rbkYHN7565P/8cXaq6gqMEKm3jXF9jqtT0/D9MHRJCEL9ubxjOJyC7tJN+yey4Tj9KMg=
X-Received: by 2002:a05:6902:1881:b0:e0b:e47d:ccc9 with SMTP id 3f1490d57ef6-e1d9db98c66mr14364518276.8.1726498770362; Mon, 16 Sep 2024 07:59:30 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJJ4rFxfg4WS3cpXaKp3i1xKOXvNpOwOAtUE-2PFVPpy_w@mail.gmail.com> <b2e8632d-ab6f-4038-9023-6fb1ae17c8c8@lear.ch> <CAHej_8kLCAKdTcTnF4TexdX2o1Yzi8bvFi=o6wEF7dLQcCkzAQ@mail.gmail.com> <94c37d8d-8f1b-4da1-856e-7f2e4a703ff9@tana.it> <BA0F249E-BBCA-4187-A68E-0D7222E5340A@kitterman.com> <906378cf-6287-4b4d-8968-1fcba8f179e4@crash.com> <EF08EBD2-8B1D-42C9-A376-7715E0BDCBF0@kitterman.com> <d3870a42-0f64-4a0d-a091-aab5276a1122@tana.it> <c30a0c97-dfa3-987c-93a2-2f429f22f24e@crash.com> <1ddb187f-41c0-4cea-a5c3-4d704ed25074@tana.it> <26340.36200.911731.603946@fireball.acr.fi>
In-Reply-To: <26340.36200.911731.603946@fireball.acr.fi>
From: Todd Herr <todd.herr@valimail.com>
Date: Mon, 16 Sep 2024 07:59:13 -0700
Message-ID: <CAHej_8kr++cDDkyhoZaAdFAsBnB-8ba188kCvTc3vj7WqtWJMQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e9bff306223dd12c"
Message-ID-Hash: Y7GPBLWJZH2NVVXNAEVPUJPNOGIYZHXI
X-Message-ID-Hash: Y7GPBLWJZH2NVVXNAEVPUJPNOGIYZHXI
X-MailFrom: todd.herr@valimail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dmarc.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [dmarc-ietf] Re: DMARCbis version -33 is ready for document shepherd and AD processing
List-Id: "Domain-based Message Authentication, Reporting, and Compliance (DMARC)" <dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ED0bOMaeG-BADXOuvRB1YaFph-M>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Owner: <mailto:dmarc-owner@ietf.org>
List-Post: <mailto:dmarc@ietf.org>
List-Subscribe: <mailto:dmarc-join@ietf.org>
List-Unsubscribe: <mailto:dmarc-leave@ietf.org>
My current working copy of the document has these two paragraphs: As discussed in "Interoperability Issues between DMARC and Indirect Email Flows" [@!RFC7960], use of p=reject can be incompatible with and cause interoperability problems to indirect message flows such as "alumni forwarders", role-based email aliases, and mailing lists across the Internet. As an example of this, a bank might send only targeted messages to account holders. Those account holders might have given their bank addresses such as jones@alumni.example.edu (an address that relays the messages to another address with a real mailbox) or finance@association.example (a role-based address that does similar relaying for the current head of finance at the association). When such mail is delivered to the actual recipient mailbox, it will most likely fail SPF checks unless the RFC5321.MailFrom address is rewritten by the relaying MTA, as the incoming IP address will be that of example.edu or association.example, and not an IP address authorized the originating RFC5321.MailFrom domain. DKIM signatures will generally remain valid in these relay situations. and I believe that the referenced RFC (RFC 7960) does a pretty good job of describing why forwarding might cause issues with DMARC and SPF here: If the RFC5321 <https://datatracker.ietf.org/doc/html/rfc5321>.MailFrom is present and the forwarder maintains the original RFC5321 <https://datatracker.ietf.org/doc/html/rfc5321>.MailFrom, SPF validation will fail unless the forwarder is an authorized part of the originator's email sending infrastructure. If the forwarder replaces the RFC5321 <https://datatracker.ietf.org/doc/html/rfc5321>.MailFrom with its own domain, SPF might pass, but Identifier Alignment with the RFC5322 <https://datatracker.ietf.org/doc/html/rfc5322>.From header field will fail. https://datatracker.ietf.org/doc/html/rfc7960#section-2.2 so can we please just call this good and move on? On Fri, Sep 13, 2024 at 12:07 PM Tero Kivinen <kivinen@iki.fi> wrote: > Alessandro Vesely writes: > > I googled a bit on that but didn't find a satisfactory analysis. There > are > > several good files, e.g. http://www.open-spf.org/whitepaper.pdf or > > > https://www.maawg.org/sites/maawg/files/news/MAAWG_Email_Forwarding_BP.pdf > . > > M3AAWG is just now in process of updating that Email forwarding best > practice. There should be new version published in few months. > -- > kivinen@iki.fi > > _______________________________________________ > dmarc mailing list -- dmarc@ietf.org > To unsubscribe send an email to dmarc-leave@ietf.org > -- Todd Herr | Technical Director, Standards & Ecosystem Email: todd.herr@valimail.com Phone: 703-220-4153 This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- [dmarc-ietf] DMARCbis version -33 is ready for do… Barry Leiba
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Murray S. Kucherawy
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Murray S. Kucherawy
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… tjw ietf
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Eliot Lear
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Todd Herr
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Alessandro Vesely
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Scott Kitterman
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Steven M Jones
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Scott Kitterman
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Alessandro Vesely
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Steven M Jones
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Alessandro Vesely
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Tero Kivinen
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Todd Herr
- [dmarc-ietf] Re: DMARCbis version -33 is ready fo… Alessandro Vesely