Re: [dmarc-ietf] Policy Enforcement Considerations
Alessandro Vesely <vesely@tana.it> Wed, 20 September 2023 08:03 UTC
Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FF79C14CE4A for <dmarc@ietfa.amsl.com>; Wed, 20 Sep 2023 01:03:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.198
X-Spam-Level:
X-Spam-Status: No, score=-7.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="TT3Ftp3T"; dkim=pass (1152-bit key) header.d=tana.it header.b="DP+cTxCk"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jxge1GCxDT46 for <dmarc@ietfa.amsl.com>; Wed, 20 Sep 2023 01:02:55 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39C40C14CEFA for <dmarc@ietf.org>; Wed, 20 Sep 2023 01:02:52 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1695196969; bh=yUlAIflaBqWgDLRndaGq+2ccWNET8+kHAQJB4laItDo=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=TT3Ftp3TtsouvzPPZ0PWedNaTV5vUFkAElleXLWB/zAdZTx7ZPkW/JVjSamaAXnM+ gvlJ9/7GHX7E+uzCPQVBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1695196969; bh=yUlAIflaBqWgDLRndaGq+2ccWNET8+kHAQJB4laItDo=; h=Date:Subject:To:References:From:In-Reply-To; b=DP+cTxCkb60k6nFPM3kubQz5hM99PNvfTH1vBR1nPbtGYZTMRE26JZw1Mj1khJCqE LpSY+X7Kt+UQNEvZ1o7jBujQZLhEN1A+FUY+oUgx03w/DvjB5WkYWDDllu5TVBNg/E giOsOdGMUyD1IxIx4V6Qd6qu0k+rv/eix3ox0wgalCNrOLqXlOtW0rCIIeHx8
Original-Subject: Re: [dmarc-ietf] Policy Enforcement Considerations
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC131.00000000650AA728.00002FC1; Wed, 20 Sep 2023 10:02:48 +0200
Message-ID: <6d55fb0c-9b3b-04d6-8494-be1b4b65be1d@tana.it>
Date: Wed, 20 Sep 2023 10:02:47 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.0
Content-Language: en-US, it-IT
To: "Murray S. Kucherawy" <superuser@gmail.com>, dmarc@ietf.org
References: <c371f5b3-6133-1dc1-aa59-d3c6718a6ff2@tana.it> <92100200-55C3-47A2-9756-12A4AFD94E69@kitterman.com> <CALaySJJKT2LdZ2pDpNhhOwOcH2Otemd+h6c0dZxodJ1HPr85QA@mail.gmail.com> <a3b36b4b-a006-ec89-e376-758adc330e99@tana.it> <CAL0qLwYz7tWeFOsXLh2OX-wJ7-HVK+gsFSW18ieLuAh5KB_LCA@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAL0qLwYz7tWeFOsXLh2OX-wJ7-HVK+gsFSW18ieLuAh5KB_LCA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EalKOPL9ZVJi2YTRJKwVUGFcxZg>
Subject: Re: [dmarc-ietf] Policy Enforcement Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 08:03:03 -0000
On Tue 19/Sep/2023 19:55:02 +0200 Murray S. Kucherawy wrote: > On Tue, Sep 19, 2023 at 8:24 AM Alessandro Vesely <vesely@tana.it> wrote: > >> My wording can certainly be improved. Before denying the idea, please >> consider a couple of facts: >> >> 1) We want ARC to override DMARC, yet we don't say so. Not in such a way >> that, when a receivers does so, he can say he's following the letter of >> the protocol. > > Do we need to say that expressly? I think a protocol ought to specify how it functions as precisely as possible. > Isn't it just another input that a filtering engine could consider? I don't get that logic. What would such an engine actually do? For example, add 1 for every black list, add 1 for DMARC failure, 2 if there is a hard policy, sum the result to SpamAssassin score and reject when it's more than 6? I don't think adding incomparable values makes sense. SpamAssassin itself, since I mentioned it, has difficulties at attributing a score to DKIM results. Indeed, we've been saying for ever that dmarc=pass doesn't mean that a message is good. >> 2) Content filtering cannot override DMARC, can it? By "override", I >> mean the author domain publishes a hard policy, both SPF and DKIM fail, >> and there is no deterministic sign (signature or IP) that the message >> comes from a recognized forwarder (including MLs). What kind of content >> could ever suggest that a receiver conscientiously overrides DMARC? > > Is that for this document to stipulate? No, it's not. I asked for an example to understand what we think. > The actual, final logic of an operator's filtering engine is not our affair. Agreed. However, overriding DMARC policy is strictly our business. Section 5.8 seems to be talking about that, not the final logic. I'm only trying to make that clearer. >> "Other knowledge and analysis", as currently in the draft, certainly >> includes content filtering. Do we mean it? Can we think of an example? > > Sure. Think of the opposite case: DMARC passes for spam. Content > filtering absolutely should override the DMARC result. That's not overriding, inasmuch as dmarc=pass doesn't imply to deliver. > Unless you want to go down the road of proposing that a "pass" should > always win out over any other result while a "fail" should be just one of > many dimensions of analysis, I think the way things are is both correct and > simpler. In DMARC, p= specifies the policy when authentication fails. We provide no hints about what to do when authentication succeeds. Although it cannot say MUST reject, the protocol says that's the intended meaning of p=reject, e.g. in Section 8.3. However, that's not the whole story. The reason why such a simplistic directive doesn't work is because of forwarding (including mailing lists) not because of spam. Content filtering decisions are independent of authentication. In a correct multidimensional analysis, any dimension can bring a reason to reject, and that's not comparable with the results of other dimensions. You don't add apples and oranges. DMARC policy overriding is clearly in the same authentication dimension as DMARC itself, since it's explicitly considered in the I-D. We don't have a protocol to recognize forwarding (yet), so we cannot tell /exactly/ in what cases the policy is overridden. However, we mention future developments, so we can also say what's their scope, can't we? Best Ale --
- [dmarc-ietf] Policy Enforcement Considerations Alessandro Vesely
- Re: [dmarc-ietf] Policy Enforcement Considerations Scott Kitterman
- Re: [dmarc-ietf] Policy Enforcement Considerations Dotzero
- Re: [dmarc-ietf] Policy Enforcement Considerations Barry Leiba
- Re: [dmarc-ietf] Policy Enforcement Considerations Alessandro Vesely
- Re: [dmarc-ietf] Policy Enforcement Considerations Murray S. Kucherawy
- Re: [dmarc-ietf] Policy Enforcement Considerations Murray S. Kucherawy
- Re: [dmarc-ietf] Policy Enforcement Considerations Alessandro Vesely