Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification

Hector Santos <hsantos@isdg.net> Fri, 07 May 2021 01:40 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 029CD3A017E for <dmarc@ietfa.amsl.com>; Thu, 6 May 2021 18:40:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=HD1FzNd5; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=tYklm5gy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dew_BExtmEHp for <dmarc@ietfa.amsl.com>; Thu, 6 May 2021 18:39:59 -0700 (PDT)
Received: from mail.winserver.com (mail.santronics.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE74B3A09C3 for <dmarc@ietf.org>; Thu, 6 May 2021 18:15:14 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2799; t=1620350106; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=8SS5wLJKHI41CUYX0pCzvpSq0bwG 1Lx2BJ1ne5o4XAA=; b=HD1FzNd5hhyEZFghgMUTZNe4gC2rSU8vJdp9XWLSifIt NkWtkqQWQdvybHdVv24+CbzHSjhM6sFffNubAG2gVj48OlgsL4n2cVtmxlrXs8Wp N4hdPkJj01uF5k+vPfgaIrTZuIgluT2MnbsCB6n8A4I3U7lSMloDJIXHpOiR3Ug=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Thu, 06 May 2021 21:15:06 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 88286241.11534.4028; Thu, 06 May 2021 21:15:05 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=2799; t=1620350030; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=8SS5wLJ KHI41CUYX0pCzvpSq0bwG1Lx2BJ1ne5o4XAA=; b=tYklm5gyVJC+esYZFt+JVHl uE7y8L233it/mW0AvZ824NRbJ3tPqCieIdZZsFykAtKA38c7fRZimFoAPD0zwJ5D TNQVi+JtbnyesR6oSSUKOmd4TA7BGnl+ykklRQsKU6O+eH+mCzEJNCXYaHRqUqUS 4ZWi1vrRjO0S4KQdeMo0=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Thu, 06 May 2021 21:13:50 -0400
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 771907738.1.48532; Thu, 06 May 2021 21:13:50 -0400
Message-ID: <60949496.7000301@isdg.net>
Date: Thu, 06 May 2021 21:15:02 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <CAH48Zfw36HJ0C4owJXPowgVqwZ5eLxSwibQ6ANzryZDKO0B6dw@mail.gmail.com> <3f70ef7c-d506-d799-2cb0-d836f47bc3d3@wizmail.org> <CAH48ZfxfMm12bkq8TfcXJpGNh0C_aLi28bLJHStx7MUXzxeF9w@mail.gmail.com>
In-Reply-To: <CAH48ZfxfMm12bkq8TfcXJpGNh0C_aLi28bLJHStx7MUXzxeF9w@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Ekc5wl5sbARyG75_F7e2QKVyy88>
Subject: Re: [dmarc-ietf] Ticket #111 - MX/A/AAAA test needs justification
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2021 01:40:05 -0000

On 5/6/2021 8:02 PM, Douglas Foster wrote:
> I have begun data collection on the effectiveness of the MX and A 
> tests.   Wildcard DNS entries increase the frequency of false 
> positives and reduce the usability of the test.   For example, 
> "msaqq189.ford.com <http://msaqq189.ford.com>" returns a set of MX 
> results, but I rather doubt that I made a lucky guess and found a 
> mail domain that Ford Motor actually uses.

You are adding an human element to this that doesn't exist.

At best, all you can do is enforce the protocol requirements, the MUST 
semantics for sure, the SHOULD, most of the time (it is not a MUST) 
and the possible MAYS.   You have to be ready for all that independent 
of reputation.

The beauty of the DKIM Policy-based Model that began with DomainKeys, 
extended with DKIM which included SSP, reduced to ADSP when splitting 
SSP from DKIM-BASE, then abandoned and now DMARC which brought it back 
to life by adding Reporting, is the DOMAIN now giving the world a hint 
about its operations.

DMARC is very limited to three policies: reject, quarantine & none.

Reject and Quarantine is equivalent to an exclusive, restrictive 
policy which gives SMTP transport rejection authorization. Otherwise, 
you did nothing with a "none" policy.

There are the protocol rules.  The restrictive policies has alignment 
rules and there are procedures to getting to these results, like 
lookup DNS requirements.

Independent of DMARC,  MX is a SHOULD for a domain, you can still send 
mail to a domain that does not have MX records.   AAAA is obviously a 
SHOULD because not everyone is TCP6 ready.  Everyone is not going to 
have a DMARC record, nor a DKIM record.  SSP, ADSP and now DMARC are 
the only way to get a DOMAIN policy above and beyond standard SMTP.  
SPF is also an extension to SMTP with its own independent requirements 
that DMARC MUST match.

So whats the easiest for a domain not to have any trouble with any of 
this?

Don't support it.  Don't pretend to support it.  Just ignore SPF, DKIM 
and its add-ons.

SMTP Receivers are not at a point where we can enforce what may not 
exist - a domain policy extractable at two points:

SMTP.MAIL FROM:  for SPF
SMTP.DATA.FROM: for DMARC

I have proposed that we exploit the SUBMITTER protocol and optimized 
this high overhead protocol, by passing the 5322.FROM field to the 
MAIL FROM: line

MAIL FROM:<return-path>  submitter=5322.from


Now SMTP has the ability to check for the DMARC policy to see how 
strong SPF SHOULD be and if its fails or not.

This will allow for the short circuiting and optimization of MAIL data 
I/O which today is increasingly getting larger with multi-media data 
transfer.


-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos