IETF Logo Mail Archive

Re: [dmarc-ietf] Policy Enforcement Considerations

Alessandro Vesely <vesely@tana.it> Wed, 20 September 2023 08:03 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FF79C14CE4A for <dmarc@ietfa.amsl.com>; Wed, 20 Sep 2023 01:03:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.198
X-Spam-Level:
X-Spam-Status: No, score=-7.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.091, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="TT3Ftp3T"; dkim=pass (1152-bit key) header.d=tana.it header.b="DP+cTxCk"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jxge1GCxDT46 for <dmarc@ietfa.amsl.com>; Wed, 20 Sep 2023 01:02:55 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39C40C14CEFA for <dmarc@ietf.org>; Wed, 20 Sep 2023 01:02:52 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1695196969; bh=yUlAIflaBqWgDLRndaGq+2ccWNET8+kHAQJB4laItDo=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=TT3Ftp3TtsouvzPPZ0PWedNaTV5vUFkAElleXLWB/zAdZTx7ZPkW/JVjSamaAXnM+ gvlJ9/7GHX7E+uzCPQVBw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1695196969; bh=yUlAIflaBqWgDLRndaGq+2ccWNET8+kHAQJB4laItDo=; h=Date:Subject:To:References:From:In-Reply-To; b=DP+cTxCkb60k6nFPM3kubQz5hM99PNvfTH1vBR1nPbtGYZTMRE26JZw1Mj1khJCqE LpSY+X7Kt+UQNEvZ1o7jBujQZLhEN1A+FUY+oUgx03w/DvjB5WkYWDDllu5TVBNg/E giOsOdGMUyD1IxIx4V6Qd6qu0k+rv/eix3ox0wgalCNrOLqXlOtW0rCIIeHx8
Original-Subject: Re: [dmarc-ietf] Policy Enforcement Considerations
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC131.00000000650AA728.00002FC1; Wed, 20 Sep 2023 10:02:48 +0200
Message-ID: <6d55fb0c-9b3b-04d6-8494-be1b4b65be1d@tana.it>
Date: Wed, 20 Sep 2023 10:02:47 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.0
Content-Language: en-US, it-IT
To: "Murray S. Kucherawy" <superuser@gmail.com>, dmarc@ietf.org
References: <c371f5b3-6133-1dc1-aa59-d3c6718a6ff2@tana.it> <92100200-55C3-47A2-9756-12A4AFD94E69@kitterman.com> <CALaySJJKT2LdZ2pDpNhhOwOcH2Otemd+h6c0dZxodJ1HPr85QA@mail.gmail.com> <a3b36b4b-a006-ec89-e376-758adc330e99@tana.it> <CAL0qLwYz7tWeFOsXLh2OX-wJ7-HVK+gsFSW18ieLuAh5KB_LCA@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAL0qLwYz7tWeFOsXLh2OX-wJ7-HVK+gsFSW18ieLuAh5KB_LCA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EalKOPL9ZVJi2YTRJKwVUGFcxZg>
Subject: Re: [dmarc-ietf] Policy Enforcement Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 08:03:03 -0000

On Tue 19/Sep/2023 19:55:02 +0200 Murray S. Kucherawy wrote:
> On Tue, Sep 19, 2023 at 8:24 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> My wording can certainly be improved.  Before denying the idea, please 
>> consider a couple of facts: >>
>> 1) We want ARC to override DMARC, yet we don't say so.  Not in such a way 
>> that, when a receivers does so, he can say he's following the letter of 
>> the protocol. >
> Do we need to say that expressly?


I think a protocol ought to specify how it functions as precisely as possible.


> Isn't it just another input that a filtering engine could consider?


I don't get that logic.  What would such an engine actually do?  For example, 
add 1 for every black list, add 1 for DMARC failure, 2 if there is a hard 
policy, sum the result to SpamAssassin score and reject when it's more than 6?

I don't think adding incomparable values makes sense.  SpamAssassin itself, 
since I mentioned it, has difficulties at attributing a score to DKIM results. 
Indeed, we've been saying for ever that dmarc=pass doesn't mean that a message 
is good.


>> 2) Content filtering cannot override DMARC, can it?  By "override", I 
>> mean the author domain publishes a hard policy, both SPF and DKIM fail, 
>> and there is no deterministic sign (signature or IP) that the message 
>> comes from a recognized forwarder (including MLs).  What kind of content 
>> could ever suggest that a receiver conscientiously overrides DMARC? >
> Is that for this document to stipulate?


No, it's not.  I asked for an example to understand what we think.


> The actual, final logic of an operator's filtering engine is not our affair.


Agreed.  However, overriding DMARC policy is strictly our business.  Section 
5.8 seems to be talking about that, not the final logic.  I'm only trying to 
make that clearer.


>> "Other knowledge and analysis", as currently in the draft, certainly 
>> includes content filtering.  Do we mean it?  Can we think of an example? >
> Sure.  Think of the opposite case: DMARC passes for spam.  Content 
> filtering absolutely should override the DMARC result.


That's not overriding, inasmuch as dmarc=pass doesn't imply to deliver.


> Unless you want to go down the road of proposing that a "pass" should 
> always win out over any other result while a "fail" should be just one of 
> many dimensions of analysis, I think the way things are is both correct and 
> simpler.


In DMARC, p= specifies the policy when authentication fails.  We provide no 
hints about what to do when authentication succeeds.  Although it cannot say 
MUST reject, the protocol says that's the intended meaning of p=reject, e.g. in 
Section 8.3.  However, that's not the whole story.  The reason why such a 
simplistic directive doesn't work is because of forwarding (including mailing 
lists) not because of spam.

Content filtering decisions are independent of authentication.  In a correct 
multidimensional analysis, any dimension can bring a reason to reject, and 
that's not comparable with the results of other dimensions.  You don't add 
apples and oranges.

DMARC policy overriding is clearly in the same authentication dimension as 
DMARC itself, since it's explicitly considered in the I-D.  We don't have a 
protocol to recognize forwarding (yet), so we cannot tell /exactly/ in what 
cases the policy is overridden.  However, we mention future developments, so we 
can also say what's their scope, can't we?


Best
Ale
--

v2.23.0 | Report a Bug | By Email