Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

Dotzero <dotzero@gmail.com> Mon, 18 March 2024 08:14 UTC

References: <2068150.yCtiIVWOOC@zini-1880> <20240318013630.455118593233@ary.qy> <CAJ4XoYcoJFqYoAt_jq6jfsSjqtjaifiUzaqY-zkg7R3o5Bio0A@mail.gmail.com> <810a3322-4ba3-ac67-5c7b-0118028aeb34@taugh.com>
In-Reply-To: <810a3322-4ba3-ac67-5c7b-0118028aeb34@taugh.com>
From: Dotzero <dotzero@gmail.com>
Date: Mon, 18 Mar 2024 04:14:26 -0400
Message-ID: <CAJ4XoYfCgo6DrD0HLMrL3+xT=K0TebQJdKjsUh3e+d-1ND3uUQ@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: dmarc@ietf.org, Scott Kitterman <sklist@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/EhwGpDCu_IRoeHO9E1aziw1JkRc>

On Mon, Mar 18, 2024 at 2:38 AM John R Levine <johnl@taugh.com> wrote:

> On Sun, 17 Mar 2024, Dotzero wrote:
> >> Whenever mail is sent, there is a risk that an overly permissive source
> >> may send mail which will receive a DMARC pass result that was not, in
> >> fact, authorized by the Domain Owner. These false positives may lead
> >> to issues when systems interpret DMARC pass results to indicate
> >> a message is in some way authentic. They also allow such unauthorized
> >> senders to evade the Domain Owner's requested message handling for
> >> authentication failures.
>
> > I have a problem with this 2nd paragraph and believe it is factually
> > incorrect. The Domain Owner has in fact authorized the message(s) as a
> > result of an overly permissive approach. I would suggest that in fact any
> > resulting DMARC pass is technically NOT a false positive because it is
> > authorized by the overly permissive approach.
>
> Seems to me it depends on what you think "authorized" means.  My sense
> is I told you it's OK to send the message, yours seems to be that any host
> on an IP in the SPF record or anyone who steals your DKIM key is
> authorized by definition.
>
> Is there some other wording that can make the difference clear?
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly

Here's a quick stab at some modified wording for the second paragraph:

Whenever mail is sent, there is a risk that an overly permissive source
may send mail which will receive a DMARC pass result that was not, in
fact, intended by the Domain Owner. These results may lead
to issues when systems interpret DMARC pass results to indicate
a message is in some way authentic. They also allow such unauthorized
senders to evade the Domain Owner's intended message handling for
authentication failures.

Michael Hammer
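The disagreement above is about the gap between what an SPF record technically authorizes and what the Domain Owner intended. The following is an added example (not part of the thread or any DMARC implementation) that makes that gap measurable: it walks an SPF record, sums the IPv4 address space that would yield an SPF pass, and flags the terms that hand a pass to hosts the owner never chose individually. DNS is replaced by a constructed in-memory table of hypothetical domains so it runs offline.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domains, not real records).
FAKE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.bulkmail.example -all",
    "_spf.bulkmail.example": "v=spf1 ip4:198.51.0.0/16 ~all",
    "lax.example": "v=spf1 ip4:203.0.113.0/24 +all",
}

def authorized_space(domain, lookup=FAKE_TXT.get, depth=0):
    """Return (ipv4_count, findings) for the SPF record of `domain`.

    Only terms that produce SPF *pass* are counted, because DMARC needs a
    pass (not neutral/softfail) to consider SPF aligned. include: is followed
    recursively; a depth guard protects against include loops."""
    findings = []
    if depth > 10:
        return 0, [f"{domain}: include chain too deep, stopping"]
    record = lookup(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record"]
    count = 0
    for term in record.split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is "+"
        mech = term.lstrip("+-~?")
        if mech == "all" and qual == "+":
            # "+all" (or bare "all") makes every host on the Internet pass SPF.
            findings.append(f"{domain}: catch-all '{term}' authorizes every host")
            count += 2 ** 32
        elif mech.startswith("ip4:") and qual == "+":
            net = ipaddress.ip_network(mech[4:], strict=False)
            count += net.num_addresses
            if net.prefixlen < 24:
                findings.append(f"{domain}: broad range {net} ({net.num_addresses} hosts)")
        elif mech.startswith("include:") and qual == "+":
            target = mech[len("include:"):]
            sub_count, sub_findings = authorized_space(target, lookup, depth + 1)
            count += sub_count
            findings.extend(sub_findings)
            if sub_count:
                # Every other customer of the included service can now pass SPF
                # for this domain, which is the "overly permissive source" case.
                findings.append(f"{domain}: include:{target} delegates {sub_count} hosts")
    return count, findings
```

Running `authorized_space("example.com")` shows a /24 the owner controls plus a /16 belonging to a shared mail provider, so the owner intended a few hundred hosts but SPF passes tens of thousands.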