Re: [dmarc-ietf] A policy for direct mail flows only, was ARC questions

Jesse Thompson <jesse.thompson@wisc.edu> Wed, 25 November 2020 18:24 UTC

To: dmarc@ietf.org
References: <e9166148b9564102a652b4764b4f61ff@com> <8c83fffc-077d-9ddb-db2f-b9763361c60f@tana.it>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <39eafc5e-3d9c-0bea-1173-7277070195ea@wisc.edu>
Date: Wed, 25 Nov 2020 12:24:02 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Thunderbird/78.4.3
In-reply-to: <8c83fffc-077d-9ddb-db2f-b9763361c60f@tana.it>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/F-D-GbvGfnhwvudGY8RHdDic8Lc>

On 11/25/20 11:30 AM, Alessandro Vesely wrote:
> Without resorting to ARC, it is still possible to validate author domain's signatures directly if the MLM just adds a subject tag and a footer, like, for example, this list does.   While ARC solves "deep" forwarding problems, which may arise in the context of email address portability, MLM transformation reversion solves the simpler mailing list problem, including reverting munged From:'s.

I agree that ARC isn't really needed to do this (trust the last hop from the MLM and determine the original authenticity from the MLM's perspective), although I think that ARC somewhat standardizes what headers/value to look for (I may be wrong).  Plus, if it eventually solves the "deep" forwarding issue, then ARC is certainly better than trying to follow received header chains, etc.

Anecdotally, after much debate, our team is leaning more towards *not* reverting munged From:'s from our own MLM:

1. Until ARC has a reputation model that is commonly adopted, header munging isn't going to subside.  I still find MLM operators who are just now realizing that they have to munge messages.  We need to tell users that this is the new, growing, reality.

2. If we only unmunge for our own domains' users authoring messages to our own MLM, it has limited overall effect, and it distorts the user-reality story from point #1.  We would have to unmunge for all domains' authors sending to all "trusted" MLMs in order to give the users what they expect from their prior reality.

3. Since we can only unmunge for our own recipients, it just creates an inconsistent experience on top of the already inconsistent experience of the conditional munging most MLMs do based on the authors' DMARC policies.  

We would rather see:

3a) MLMs that munge for all messages regardless of the author's domain's DMARC policy 

3b) MLMs that allow operators to configure recipient destinations that they know are going to trust non-munged messages (via ARC or whatever)

Jesse

P.S. If anyone knows how to trick Google Groups into doing 3a and/or 3b, please ping me (off list is OK)
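
The From: munging choices discussed in this message, as an added Python sketch that is not part of the original post and is not any MLM's own code: it compares conditional munging (based on the author domain's DMARC policy) with 3a (munge always) and 3a combined with 3b (skip munging for operator-configured destinations). The domains, the policy table, the mode names and the "via List" display-name rewrite are all constructed assumptions.

```python
import copy
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

# Constructed sample data (assumptions, not real lookups): author-domain DMARC
# policies, and recipient domains the operator configured as trusting
# non-munged list mail (option 3b).
DMARC_POLICY = {"strict.example": "reject", "relaxed.example": "none"}
TRUSTED_DESTINATIONS = {"arc-aware.example"}
LIST_ADDR = "list@lists.example"

def domain_of(address):
    return parseaddr(str(address))[1].rpartition("@")[2].lower()

def should_munge(author_domain, rcpt_domain, mode):
    if mode == "conditional":   # common today: depends on the author's policy
        return DMARC_POLICY.get(author_domain, "none") in ("quarantine", "reject")
    if mode == "always":        # 3a: munge regardless of the author's policy
        return True
    if mode == "always_except_trusted":  # 3a plus 3b
        return rcpt_domain not in TRUSTED_DESTINATIONS
    raise ValueError(f"unknown mode: {mode}")

def munge_from(msg):
    """Copy msg with From rewritten to the list; the author moves to Reply-To."""
    name, addr = parseaddr(str(msg["From"]))
    out = copy.deepcopy(msg)
    reply_to = str(msg["Reply-To"]) if msg["Reply-To"] else formataddr((name, addr))
    del out["From"], out["Reply-To"]
    out["From"] = formataddr((f"{name or addr} via List", LIST_ADDR))
    out["Reply-To"] = reply_to
    return out

def from_seen_by(msg, recipients, mode):
    """Map each recipient to the From address on the copy it would receive."""
    author = domain_of(msg["From"])
    seen = {}
    for rcpt in recipients:
        munge = should_munge(author, domain_of(rcpt), mode)
        seen[rcpt] = parseaddr(str((munge_from(msg) if munge else msg)["From"]))[1]
    return seen

def sample(author):
    msg = EmailMessage()
    msg["From"] = formataddr(("Author", author))
    msg["To"] = LIST_ADDR
    msg["Subject"] = "[list] hello"
    msg.set_content("body\n")
    return msg
```

Under `conditional`, what a recipient sees in From: changes with each author's policy; under `always_except_trusted` it changes only with the recipient's own configured destination.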