Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification
Hector Santos <hsantos@isdg.net> Fri, 07 May 2021 01:40 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 029CD3A017E for <dmarc@ietfa.amsl.com>; Thu, 6 May 2021 18:40:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=HD1FzNd5; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=tYklm5gy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dew_BExtmEHp for <dmarc@ietfa.amsl.com>; Thu, 6 May 2021 18:39:59 -0700 (PDT)
Received: from mail.winserver.com (mail.santronics.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE74B3A09C3 for <dmarc@ietf.org>; Thu, 6 May 2021 18:15:14 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2799; t=1620350106; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=8SS5wLJKHI41CUYX0pCzvpSq0bwG 1Lx2BJ1ne5o4XAA=; b=HD1FzNd5hhyEZFghgMUTZNe4gC2rSU8vJdp9XWLSifIt NkWtkqQWQdvybHdVv24+CbzHSjhM6sFffNubAG2gVj48OlgsL4n2cVtmxlrXs8Wp N4hdPkJj01uF5k+vPfgaIrTZuIgluT2MnbsCB6n8A4I3U7lSMloDJIXHpOiR3Ug=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Thu, 06 May 2021 21:15:06 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 88286241.11534.4028; Thu, 06 May 2021 21:15:05 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2799; t=1620350030; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=8SS5wLJ KHI41CUYX0pCzvpSq0bwG1Lx2BJ1ne5o4XAA=; b=tYklm5gyVJC+esYZFt+JVHl uE7y8L233it/mW0AvZ824NRbJ3tPqCieIdZZsFykAtKA38c7fRZimFoAPD0zwJ5D TNQVi+JtbnyesR6oSSUKOmd4TA7BGnl+ykklRQsKU6O+eH+mCzEJNCXYaHRqUqUS 4ZWi1vrRjO0S4KQdeMo0=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Thu, 06 May 2021 21:13:50 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 771907738.1.48532; Thu, 06 May 2021 21:13:50 -0400
Message-ID: <60949496.7000301@isdg.net>
Date: Thu, 06 May 2021 21:15:02 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <CAH48Zfw36HJ0C4owJXPowgVqwZ5eLxSwibQ6ANzryZDKO0B6dw@mail.gmail.com> <3f70ef7c-d506-d799-2cb0-d836f47bc3d3@wizmail.org> <CAH48ZfxfMm12bkq8TfcXJpGNh0C_aLi28bLJHStx7MUXzxeF9w@mail.gmail.com>
In-Reply-To: <CAH48ZfxfMm12bkq8TfcXJpGNh0C_aLi28bLJHStx7MUXzxeF9w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Ekc5wl5sbARyG75_F7e2QKVyy88>
Subject: Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2021 01:40:05 -0000
On 5/6/2021 8:02 PM, Douglas Foster wrote:
> I have begun data collection on the effectiveness of the MX and A
> tests. Wildcard DNS entries increase the frequency of false
> positives and reduce the usability of the test. For example,
> "msaqq189.ford.com" returns a set of MX results, but I rather doubt
> that I made a lucky guess and found a mail domain that Ford Motor
> actually uses.

You are adding a human element to this that doesn't exist. At best, all you can do is enforce the protocol requirements: the MUST semantics for sure, the SHOULD most of the time (it is not a MUST), and the possible MAYs. You have to be ready for all that independent of reputation.

The beauty of the DKIM Policy-based Model that began with DomainKeys, was extended with DKIM which included SSP, reduced to ADSP when splitting SSP from DKIM-BASE, then abandoned, and now DMARC, which brought it back to life by adding Reporting, is the DOMAIN now giving the world a hint about its operations.

DMARC is very limited to three policies: reject, quarantine & none. Reject and Quarantine are equivalent to an exclusive, restrictive policy which gives SMTP transport rejection authorization. Otherwise, you did nothing with a "none" policy.

There are the protocol rules. The restrictive policies have alignment rules and there are procedures to getting to these results, like lookup DNS requirements.

Independent of DMARC, MX is a SHOULD for a domain; you can still send mail to a domain that does not have MX records. AAAA is obviously a SHOULD because not everyone is TCP6 ready. Everyone is not going to have a DMARC record, nor a DKIM record. SSP, ADSP and now DMARC are the only way to get a DOMAIN policy above and beyond standard SMTP. SPF is also an extension to SMTP with its own independent requirements that DMARC MUST match.

So what's the easiest for a domain not to have any trouble with any of this? Don't support it. Don't pretend to support it. Just ignore SPF, DKIM and its add-ons.

SMTP Receivers are not at a point where we can enforce what may not exist - a domain policy extractable at two points:

    SMTP.MAIL FROM:   for SPF
    SMTP.DATA.FROM:   for DMARC

I have proposed that we exploit the SUBMITTER protocol and optimize this high overhead protocol by passing the 5322.FROM field to the MAIL FROM: line:

    MAIL FROM:<return-path> submitter=5322.from

Now SMTP has the ability to check for the DMARC policy to see how strong SPF SHOULD be and if it fails or not. This will allow for the short circuiting and optimization of MAIL data I/O which today is increasingly getting larger with multi-media data transfer.

-- 
Hector Santos, https://secure.santronics.com
https://twitter.com/hectorsantos
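The early policy check sketched in the message above, worked through as an added example; it is not code from the message, from the DMARC working group, or from any of the protocols it names. It assumes the `submitter=` parameter carries the 5322.From address exactly as proposed, uses a constructed in-memory table in place of real DNS, and simplifies organizational-domain discovery to the last two labels (a real verifier would consult the Public Suffix List). The function `early_decision` reports what a receiver can and cannot conclude at MAIL FROM time given the DMARC policy of the From domain and the SPF result on the reverse-path.

```python
import re

# Constructed DMARC records for the example (not real DNS data).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=s",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; aspf=r",
    "_dmarc.example.org": "v=DMARC1; p=none",
}

# "MAIL FROM:<reverse-path> [esmtp-param ...]" with an optional submitter=
# parameter carrying the 5322.From address, as proposed in the message.
MAIL_FROM_RE = re.compile(
    r"^MAIL FROM:<(?P<rp>[^>]*)>(?P<params>(?:\s+\S+)*)\s*$", re.I
)


def parse_mail_from(line):
    """Split a MAIL FROM line into the reverse-path and its ESMTP parameters."""
    m = MAIL_FROM_RE.match(line)
    if not m:
        raise ValueError(f"malformed MAIL FROM: {line!r}")
    params = {}
    for tok in m.group("params").split():
        key, _, value = tok.partition("=")
        params[key.upper()] = value  # ESMTP keywords are case-insensitive
    return m.group("rp"), params


def domain_of(addr):
    """Domain part of an address; '' for the null reverse-path '<>'."""
    return addr.rpartition("@")[2].lower()


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.
    A real implementation derives this from the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; aspf=s' into a lowercase tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def lookup_dmarc(domain, dns):
    """DMARC discovery: exact domain first, then the organizational domain."""
    record = dns.get(f"_dmarc.{domain}") or dns.get(f"_dmarc.{org_domain(domain)}")
    if record is None:
        return None
    tags = parse_dmarc(record)
    if tags.get("v") != "dmarc1" or "p" not in tags:
        return None  # not a usable DMARC record
    return tags


def spf_aligned(rp_domain, from_domain, mode):
    """SPF identifier alignment: strict (exact match) or relaxed (same org)."""
    if not rp_domain:
        return False  # null reverse-path: SPF ran on HELO, never aligned with From
    if mode == "s":
        return rp_domain == from_domain
    return org_domain(rp_domain) == org_domain(from_domain)


def early_decision(mail_from_line, spf_result, dns=FAKE_DNS):
    """What a receiver can conclude at MAIL FROM time, before DATA.

    Returns one of:
      'continue'            no submitter hint or no enforcing policy; nothing
                            can be decided until the message is read
      'spf-aligned-pass'    DMARC will pass on SPF alone, whatever DKIM says
      'spf-fail-need-dkim'  policy is enforcing and SPF does not satisfy it;
                            the verdict now rests on an aligned DKIM signature,
                            so any rejection must wait for DATA
    """
    rp, params = parse_mail_from(mail_from_line)
    submitter = params.get("SUBMITTER")
    if submitter is None:
        return "continue"
    from_domain = domain_of(submitter)
    policy = lookup_dmarc(from_domain, dns)
    if policy is None or policy["p"] == "none":
        return "continue"
    mode = policy.get("aspf", "r")  # DMARC default is relaxed alignment
    if spf_result == "pass" and spf_aligned(domain_of(rp), from_domain, mode):
        return "spf-aligned-pass"
    return "spf-fail-need-dkim"


if __name__ == "__main__":
    line = "MAIL FROM:<bounce@mail.example.com> submitter=alice@example.com"
    print(line, "->", early_decision(line, "pass"))
```

Two design points follow from the states the function returns. First, the hint only tells the receiver how strict SPF has to be (`aspf=s` versus the relaxed default) and whether SPF already settles the DMARC outcome; when SPF is not an aligned pass under an enforcing policy, DMARC can still pass through an aligned DKIM signature, so the receiver has to read the message anyway. Second, the `submitter=` value is asserted by the sending MTA, so a verifier that acts on it must compare it against the actual 5322.From once DATA arrives and treat a mismatch as a failure, otherwise the early short-circuit becomes a way to bypass the policy it was meant to enforce.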