IETF Logo Mail Archive

Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy for the Author Domain - dmarcbis-06

Scott Kitterman <sklist@kitterman.com> Sun, 03 April 2022 00:26 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FB3F3A18A4 for <dmarc@ietfa.amsl.com>; Sat, 2 Apr 2022 17:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, SPOOF_COM2OTH=0.001, T_HTML_ATTACH=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=N3E/+9yj; dkim=pass (2048-bit key) header.d=kitterman.com header.b=NGyXqdPw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vN279VWXcqby for <dmarc@ietfa.amsl.com>; Sat, 2 Apr 2022 17:26:35 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2A573A1890 for <dmarc@ietf.org>; Sat, 2 Apr 2022 17:26:34 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id DF0F8F80278 for <dmarc@ietf.org>; Sat, 2 Apr 2022 20:26:30 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1648945590; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding : from; bh=CJ+tn0gk8Do03KzWz5hyuTOy+T2ixLDcABML0gIBAuw=; b=N3E/+9yjuRqM6jWtiCASeHwna+/eKYGmoU4IVMphZwdnOd7RZmJJNOgbATt0Gon4nBGZq Cvqus/sbJI4vEbJBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1648945590; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding : from; bh=CJ+tn0gk8Do03KzWz5hyuTOy+T2ixLDcABML0gIBAuw=; b=NGyXqdPwVliSFeZ6Ndf0VHrZPlUOUjQup443QO0xXJjKBwCasAZLUxDHMU7y8LpEMlXds BmokxNksbM27Mil4l+/oUIw3qCgDTYelD8lyyQH66e+ff8iyqyVGxkCuBpzVDceoqYdP9fe JhVQmRm/zlFWrvdbTWPNApObzXl86FRI8uswUX2D8A65XKl5NW7uosBuvY93M2Wh4dZlTlH lv6uhIGBk3er5Kfdq9AtJVI/VWRdVeq2sIhkXkWpmrHyTOzA3LZdTO9OtQaEyot684J6c1d p0H4bih177+tBzMHKDi3naS40FW8qP4+KMSkdXJ82XOgnJlFAXREWdlPn3dw==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 91FECF80026 for <dmarc@ietf.org>; Sat, 2 Apr 2022 20:26:30 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Sat, 02 Apr 2022 20:26:30 -0400
Message-ID: <4043503.2B49PIdcQF@zini-1880>
In-Reply-To: <4316007.NEMBVqxYyB@zini-1880>
References: <164789584226.30456.9564261134406099481@ietfa.amsl.com> <33b879bc-1dc4-dc8c-53ba-a8ce2483e396@tana.it> <4316007.NEMBVqxYyB@zini-1880>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="nextPart2354246.MtXR0KGyPR"
Content-Transfer-Encoding: 7Bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EabMPDrZKOrJwEnF5O-KRkrBlGY>
Subject: Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy for the Author Domain - dmarcbis-06
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Apr 2022 00:26:48 -0000

On Tuesday, March 22, 2022 11:16:13 AM EDT Scott Kitterman wrote:
> On Tuesday, March 22, 2022 5:54:33 AM EDT Alessandro Vesely wrote:
> > I think we need something like the following.
> > 
> > On Mon 21/Mar/2022 21:50:42 +0100 internet-drafts wrote:
> > > The IETF datatracker status page for this draft is:
> > > https://datatracker.ietf.org/doc/draft-ietf-dmarc-dmarcbis/
> > 
> > OLD
> > 5.5.4.  Publish a DMARC Policy for the Author Domain
> > 
> >     Once SPF, DKIM, and the aggregate reports mailbox are all in place,
> >     it's time to publish a DMARC record.  For best results, Domain Owners
> >     SHOULD start with "p=none", with the rua tag containg a URI that
> >     references the mailbox created in the previous step.
> > 
> > NEW (add or replace)
> > 5.5.4.  Publish a DMARC record for the Author Domain
> > 
> >     A DMARC record MUST be defined at the Organizational Domain, that is
> >     the
> > 
> > shortest domain that belongs to the organization, see Section 3.2.7.  This
> > domain determines the alignment of the identifiers.  The domain part of
> > the
> > aggregate reports mailbox also needs to be aligned, otherwise an
> > additional
> > DMARC record for external destination verification has to be defined.  If
> > any subdomain of the organization is used as an Author Domain, a DMARC
> > record for that subdomain MAY be defined.  For example, the subdomain may
> > want a different policy or different reporting mailboxes.
> > 
> >     If a subdomain is independent from the organization, that is if the
> >     organization delegated control of the subdomain to another
> >     organization,
> > 
> > then the former organization is a PSO.  In that case, it is necessary to
> > use the psd flag to break alignment, so that an organization cannot
> > impersonate another one.
> > 
> > 
> > Is that obscure enough?
> 
> I think we need something here.  I agree with your core point that
> Organizational Domain has to have a DMARC record and we should say that.  I
> would spend the words on more PSO description here.  Almost no one is a PSO
> and we shouldn't over emphasize it.
> 
> I need to take another turn on the words I've been working on based on other
> comments.  I'll include something along these lines in that update and then
> you can see what you think.

Somewhat later than I had hoped, I've taken a shot at this.  Please see the 
attached proposed update from dmarcbis-06 and rfcdiff.

I suggest several changes here:

1.  In the tree walk description, update the step descriptions so that the 
entire tree walk is performed if needed.  Just because we find a DMARC record, 
we can't necessarily stop.

2.  In the policy discovery section I added a few sentences on which policy to 
use once the policy record is identified.  This doesn't change anything 
relative to what's currently defined, but it seems to me that if we are going 
to have a discussion of policy discovery we should take it all the way to 
determining the poilcy and not stop at the determination of the record to use 
to determine the policy.

3.  Added 'u' as the default for the psd= tag.  I believe I've captured the 
discussion from the working group on this.  If I didn't, I did not 
intentionally innovate.

4.  As discussed above, made it explicit that the Organizational Domain needs 
to have a DMARC record.

Scott K

v2.8.7 | Report a Bug | By Email