Re: [dmarc-ietf] draft-kucherawy-dmarc-base updated (-06)
"Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl> Mon, 29 December 2014 22:29 UTC
Return-Path: <R.E.Sonneveld@sonnection.nl>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B29D1A9111 for <dmarc@ietfa.amsl.com>; Mon, 29 Dec 2014 14:29:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScDECDXysEgq for <dmarc@ietfa.amsl.com>; Mon, 29 Dec 2014 14:29:32 -0800 (PST)
Received: from mx10.mailtransaction.com (mx10.mailtransaction.com [88.198.59.241]) by ietfa.amsl.com (Postfix) with ESMTP id 86F9C1A90B3 for <dmarc@ietf.org>; Mon, 29 Dec 2014 14:29:31 -0800 (PST)
Received: from mx14.mailtransaction.com (mx11.mailtransaction.com [88.198.59.230]) by mx10.mailtransaction.com (Postfix) with ESMTP id 3kBD2f3YKqz5MhcJ; Mon, 29 Dec 2014 23:29:30 +0100 (CET)
Received: from jaguar.sonnection.nl (D57E1702.static.ziggozakelijk.nl [213.126.23.2]) by mx14.mailtransaction.com (Postfix) with ESMTP id 3kBD2f1qr5z5MhXC; Mon, 29 Dec 2014 23:29:30 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by jaguar.sonnection.nl (Postfix) with ESMTP id 4B9B7123465; Mon, 29 Dec 2014 23:29:34 +0100 (CET)
X-Virus-Scanned: amavisd-new at sonnection.nl
Received: from jaguar.sonnection.nl ([127.0.0.1]) by localhost (jaguar.sonnection.nl [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id qbEdoplKj7Mw; Mon, 29 Dec 2014 23:29:27 +0100 (CET)
Received: from [192.168.1.49] (unknown [192.168.1.49]) by jaguar.sonnection.nl (Postfix) with ESMTPSA id 8316012344E; Mon, 29 Dec 2014 23:29:27 +0100 (CET)
Message-ID: <54A1D5C1.9030505@sonnection.nl>
Date: Mon, 29 Dec 2014 23:29:21 +0100
From: "Rolf E. Sonneveld" <R.E.Sonneveld@sonnection.nl>
Organization: Sonnection B.V.
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: "Murray S. Kucherawy" <superuser@gmail.com>
References: <CAL0qLwYOtQe0RLfPmO6TjoJv4CUKUoiRV=uzi29ip70_OZ9p3A@mail.gmail.com> <5463ECBD.9030703@sonnection.nl> <CAL0qLwYSTGhBixiOEyxnbQJ5O6h4F+0-8xiAAE7kvUUEnogkiQ@mail.gmail.com>
In-Reply-To: <CAL0qLwYSTGhBixiOEyxnbQJ5O6h4F+0-8xiAAE7kvUUEnogkiQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------060606070207000000070807"
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sonnection.nl; s=2009; t=1419892170; bh=pHcMWMth2gQKBJnv9S4zF7BcM4NBFLyBjj+SBltN+ew=; h=Message-ID:Date:From:To:Subject:From; b=RIyrrfwpUUglBEFuUvqY7GJ5xSAg+TLRUtcD1X0R8RvL65cU5f+XKt1Y9KWOlCFbI uynYcZb32Nwb9hgLmAPQ6BbRfbQNSoqMf9vdo/Le4HOkVT62fUq7I9DjbEdRybkrCG bYSPix80RDTj7KvhF3ax8T0oZmLjZwFW0lgtC1TQ=
DKIM-Filter: OpenDKIM Filter v2.8.2 mx10.mailtransaction.com 3kBD2f3YKqz5MhcJ
Archived-At: http://mailarchive.ietf.org/arch/msg/dmarc/EFa57Mjs0sByGoEabE2Hxw_SO8E
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] draft-kucherawy-dmarc-base updated (-06)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: R.E.Sonneveld@sonnection.nl
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Dec 2014 22:29:37 -0000
Hi, Murray, On 12/24/2014 06:45 AM, Murray S. Kucherawy wrote: > Hi Rolf, getting back to your review (thanks for the nudge): > > On Wed, Nov 12, 2014 at 6:26 PM, Rolf E. Sonneveld > <R.E.Sonneveld@sonnection.nl <mailto:R.E.Sonneveld@sonnection.nl>> wrote: > > > > Abstract: > > This lack of cohesion has several effects: receivers have > difficulty providing feedback to senders about authentication, > senders therefore have difficulty evaluating their > authentication deployments, and as a result neither is able to > make effective use of existing authentication technology. > > > This focuses on the reporting function of DMARC, leaving out the > policy part of it. > > Suggested text: > > This lack of cohesion has several effects: senders have > difficulty providing information about their use of an > authentication policy and receivers have difficulty > determining a disposition preferred by senders. Vice versa, > mail receivers have difficulty providing feedback to senders > about authentication, senders therefore have difficulty > evaluating their authentication deployments, and as a result > neither is able to make effective use of existing > authentication technology. > > > The Abstract appears to have been rewritten since you reviewed it, so > a straight text swap won't work anymore. The new text focuses on > what's being provided, not what was missing. Do you want to take > another run at it? No need for it, the text of the Abstract in -09 is OK. > > Introduction: > > [...] mail receivers have tried to protect senders [...] > > > Suggested: > > [...] mail receivers have tried to protect senders and their > own users/customers [...] > > This text no longer appears in the draft. OK. > Starting with "DMARC allows domain owners and receivers to > collaborate by", the terms 'domain owners', 'receivers', 'senders' > and 'SMTP receivers', 'Mail Receivers', 'mail receivers' are used > throughout the document. I'd suggest to add a definition of the > term ' Mail Senders' to the introduction part of chapter 3 and > then use only the terms as defined in 3., throughout the document. > Suggested text for the term Mail Sender: > > * Mail Sender: the sender of mail with a domain for which the > Domain Owner may have published a DKIM public key and/or an > SPF authentication record and/or a DMARC policy; > > > (although we may want to not mention DKIM or SPF here). > > > It looks like that got cleared up; -08 has no reference to "Mail Sender". OK. > > 2.2 Out of Scope > > Add: > > o cousin domain attacks > > Covered in Section 2.4 of -08. OK. > 3.1.2 Key Concepts > > Last sentence: add a reference to this 'other referenced material'. > > Good idea; added. Thanks. > 3.1.3 Flow diagram > > The box titled 'User Mailbox' could give the impression that > there's only one choice for delivery. However, quarantining can be > done without delivery to a mailbox. I'd suggest to label this box > 'rMDA'. > > That's already done in -08. OK. Well, it's MDA, but that's OK. One typo in the diagram. When: > "sMTA" is the sending > MTA, and "rMTA" is the receiving MTA. is correct, the box in the diagram should be labelled 'sMTA', not 'oMTA'. > > The part within parentheses of step 6: > >> 6. Recipient transport service conducts SPF and DKIM >> authentication checks by passing the necessary data to their >> respective modules, each of which require queries to the Author >> Domain’s DNS data (when identifiers are aligned; see below). > > might indicate that SPF and DKIM authentication checks need not be > performed when identifiers are not aligned. However, for sake of > reporting, SPF and DKIM authentication checks will in general > always be done, or am I missing something? > > > I can envision a DMARC implementation that skips SPF or DKIM checks if > the corresponding identifiers are not aligned, because they won't be > interesting to DMARC in that case. Whether or not to generate reports in the case of non-alignment is not clear from the text, or am I missing something? Par. 3.1.3: > 8. If a policy is found, it is combined with the Author's domain and > the SPF and DKIM results to produce a DMARC policy result (a > "pass" or "fail"), and can optionally cause one of two kinds of > reports to be generated (not shown). and par. 6.2 goes right into the format of reports, not the conditions under which a report is to be sent. > 3.1.4.1 DKIM-authenticated Identifiers > > remove (or change) the 'Cousin Domain' example: it doesn't hold > when a bad actor is signing the mail with d=cousindomain and > RFC5322.From=localpart@cousindomain > > > It's not there in -08. OK. > > 4 Use of RFC5322.From > > Last bullet (The DMARC mechanism ...). It seems the other bullets > provide reasons why RFC5322.From is chosen while the last one does > not. It looks to me as a circular reasoning. > > It's not there in -08. OK. > 5.2 DMARC URIs > > It is not clear from the text what the report originator must do > when the report payload exceeds the maximum size as indicated by > the record. Should it not send anything, should it split up > reports, should it notify the requester that there was a report > exceeding the maximum size? > > > Section 6.2.2 in both versions explains what to do here. OK. > > 5.3 General Record Format > > adkim and aspf do not provide a list of all possible options (like > is done for fo and p). Of course it is pretty obvious that for > 'strict' the 's' must be used, but it's not clear from the text. > > They're there in -08. Excellent. > Next, the P: and pct: tags: they show that (in hindsight) the > policy part and the reporting part of DMARC might have been better > off, when they were defined in different specs. Now we need to > complicate the text to say that the policy tag p: is required, but > not for third-party reporting records. And for pct, that it "MUST > NOT be applied to the DMARC-generated reports". Well, I believe > this has been discussed before, no need to redo this discussion. > > I'd suggest to synchronize the short description of the tags in > 5.3 with the descriptions of the tags in the table of 10.4 (now > different terminology is used here and there, for example > Requested Mail Receiver policy (5.3) and Requested handling policy > (10.4). Suggested text in 5.3 becomes then: > [...] > > Section 5.3 is meant to be verbose descriptions of each of the tags, > while Section 10.4 is a set of short, terse descriptions with > references to the places where the details can be found. We could add > section numbers to the references found in 10.4 if you think that > would be helpful. > > Further suggestion for the table in 10.4: reverse the order of 'p' > and 'pct' as 'p' is first discussed in the text of 5.3, before 'pct'. > > > I see what you're after here, but as it is they're in alphabetical > order, like a dictionary, and I think that makes for easier referencing. Fair enough. > Suggestion for 'ri': remove the normative language (MUST and > SHOULD) as that might ask for a 'compliancy' section. Instead, > move these suggested values to the BCP document. > > Well there is a normative component there, which is to say that anyone > has to be able to produce at least daily reports. I think we have to > at least say that. We (the IETF) seem to shy away from doing minimum > compliance sections these days. A 'conformance' section, similar to what RFC2049 is for MIME, would be nice, indeed ;-) > 5.6.2. Determine Handling Policy > > Bullet 6 in combination with the introduction text might give the > impression that the receiver MUST always follow the policy as > published by the Domain Owner. Suggestion to replace the text: > > 6. Apply policy. Emails that fail the DMARC mechanism check > are disposed of in accordance with the discovered DMARC policy > of the Domain Owner. See Section 5.3 > > with: > > 6. Apply policy. Emails that fail the DMARC mechanism SHOULD > be disposed of in accordance with the discovered DMARC policy > of the Domain Owner. See Section 5.3 > > Section 5 itself already has the equivalent of that SHOULD, followed > by a "MAY deviate" based on local policy. OK. > 5.6.3. Policy Discovery. > > This paragraph states that: > > If the RFC5322.From domain does not exist in the DNS, Mail > Receivers SHOULD direct the receiving SMTP server to reject > the message. The choice of mechanism for such rejection and > the implications of those choices are discussed in Section 9.3. > > Although this might be common practice (either by default MTA > settings, or by configuration parameters set by many mail > operators), I believe this informational RFC about DMARC cannot > use normative language here to decribe what must be done with mail > with a domain that is not present in DNS. > > This has been brought up before. I think consensus has landed on the > idea that this is an acceptable thing to say because it applies only > to operators that are choosing to be DMARC participants. Moreover, > the SHOULD ultimately enables you to make the choice for yourself if > you think bouncing mail from non-existent domains would be > destructive. And this is what DMARC operators have been doing for a > while now, so I'll also fall back to noting that this specific effort > is documenting current practice. If the working group wants to make a > different statement, it can crack this topic open if and when it > starts work on a version of DMARC along the Standards Track. This has been discussed in the recent thread 'Jim Fenton's review of -04', no need to redo this discussion. > > 5.7 Last sentence: > > Mail Receivers SHOULD also implement reporting instructions of > DMARC in place of any extensions to SPF or DKIM that might > enable such reporting. > > Not sure what this means. But it seems to me DMARC cannot claim > priority over other options/extensions in other IETF protocols. > > This is another spot where the SHOULD gives the operator the choice to > do both if it wishes. I can't remember off the top of my head what > the use case is here, but essentially the absence of a request for > DKIM or SPF reporting (as developed by the MARF working group some > time ago) should not preclude DMARC reporting, nor should their > presence interfere with DMARC reporting. Then, borrowing from your text, may I suggest the following text: "Mail Receivers SHOULD implement reporting instructions of DMARC, even in the absence of a request for DKIM or SPF reporting [MARF]. Furthermore, the presence of such requests SHOULD NOT interfere with DMARC reporting." And as a general statement: thanks for all the work, Murray! /rolf
- [dmarc-ietf] draft-kucherawy-dmarc-base updated (… Murray S. Kucherawy
- Re: [dmarc-ietf] draft-kucherawy-dmarc-base updat… Dave Crocker
- Re: [dmarc-ietf] draft-kucherawy-dmarc-base updat… Rolf E. Sonneveld
- Re: [dmarc-ietf] draft-kucherawy-dmarc-base updat… Murray S. Kucherawy
- Re: [dmarc-ietf] draft-kucherawy-dmarc-base updat… Murray S. Kucherawy
- Re: [dmarc-ietf] draft-kucherawy-dmarc-base updat… Rolf E. Sonneveld
- Re: [dmarc-ietf] draft-kucherawy-dmarc-base updat… Murray S. Kucherawy
- Re: [dmarc-ietf] draft-kucherawy-dmarc-base updat… Wei Chuang