IETF Logo Mail Archive

Re: [dmarc-ietf] Overall last-call comments on DMARC

Alessandro Vesely <vesely@tana.it> Tue, 02 April 2024 10:01 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FFDCC15154E for <dmarc@ietfa.amsl.com>; Tue, 2 Apr 2024 03:01:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yGC_gKsgFI7M for <dmarc@ietfa.amsl.com>; Tue, 2 Apr 2024 03:01:03 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4063EC151540 for <dmarc@ietf.org>; Tue, 2 Apr 2024 03:00:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1712052055; bh=P2U3ITTQN3S9iDpAnthTXeTNCPml2tnXNA4AT6yJlhk=; h=Date:Subject:To:References:From:In-Reply-To; b=AXEvfVxDZf4ZlbcGmfdvcT3h/iiyHMTlHQ5YI1cXr2knx8NM+zu+UKpzgZoDOeD3a hWuY/zL2zvi28/5edJYG6RC826W5xv2z7k5xMXv1Wd/OZcm42QEy678/DdV57a+aze /PnDtTKjxe1lP2jV9cJLzU9YBPkZocMPHCb0OqPI6szYib57PMRN4ZNYTyIXV
Original-Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [::ffff:172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC05A.00000000660BD756.000064C7; Tue, 02 Apr 2024 12:00:54 +0200
Message-ID: <49859572-18a4-483b-bb99-62c1c231896e@tana.it>
Date: Tue, 02 Apr 2024 12:00:54 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: dmarc@ietf.org
References: <CFEA2796-9213-4847-836B-81E8770973F5@bluepopcorn.net> <5208da1b-ecfb-4d41-8506-a734a27ab3a0@tana.it> <CAL0qLwbnSe77Wdt+M8bi2pBmZFCZjDUQc6je9bjCzP5TQ0N6XA@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
Content-Language: en-US, it-IT
In-Reply-To: <CAL0qLwbnSe77Wdt+M8bi2pBmZFCZjDUQc6je9bjCzP5TQ0N6XA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/GdPmXDAUstqLiZgjznNG2pCYPy0>
Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 10:01:12 -0000

On Mon 01/Apr/2024 16:35:28 +0200 Murray S. Kucherawy wrote:
> On Mon, Apr 1, 2024 at 4:44 AM Alessandro Vesely <vesely@tana.it> wrote:
> 
>>> * Mailing lists — Mailing list operators, including ietf.org, have had 
>>> to implement rewriting of From addresses such as user@example.com 
>>> becomes user=40example.com@dmarc.ietf.org when a p=strict or 
>>> p=quarantine policy is in place. This works to some extent for IETF, but 
>>> there is an enormous number of mailing list operators, each of whom 
>>> would need to implement address rewriting. While address rewriting is 
>>> not the recommended solution, it is widely used because of the 
>>> widespread inappropriate use described above. >>
>> By now, most mailing lists arranged to either rewrite From: or not break 
>> DKIM signatures.  We all hope those hacks are temporary. >
> What do you mean by "temporary", given the time scales that have already 
> passed since RFC 7489 saw wide deployment?  Do you envision those 
> techniques ending sometime soon?


Yeah, the time scale is killing us.  Is ten years soon enough?


> If "most" mailing lists have arranged rewrites or non-mutation, and this 
> appears to be working, are there specific techniques we should standardize 
> here?


I believe it's possible to leverage ARC so as to overcome those mailing lists 
hacks, for an expanding set of domains.  It is not difficult to modify ML 
software in order to rewrite and/or mutate on a per-user basis.  One can obtain 
the same effect with existing software if it provides for twin lists or similar 
means to split users into two categories.


>> ARC provides a protocol whereby a mailing list can certify its behavior to 
>> an end receiver. Unfortunately, we are still missing a protocol whereby 
>> trusting an ARC sealer can be established by a receiver for each mail 
>> stream.  We are halfway across the ford. >
> Are you suggesting we need some standard way to calculate and/or share a
> sealer's reputation for any of this to work?


Sealer's reputation is the same as domain reputation.  Good to have it, 
whenever it comes.

For ARC, I'd rather consider per-forwarder contracts.  Forwarding (of which MLs 
are a case) doesn't happen out of the blue.  It has to be set up.  Involving 
the target receiver in the setup may make it trust the sender's seals, when 
they belong to the stream thus set up and identified.


Best
Ale
--

v2.23.0 | Report a Bug | By Email