IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Barry Leiba <barryleiba@computer.org> Wed, 29 March 2023 14:15 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C516DC13AE54 for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 07:15:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.549
X-Spam-Level:
X-Spam-Status: No, score=-1.549 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 70wabni7WaKY for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 07:15:30 -0700 (PDT)
Received: from mail-ed1-f42.google.com (mail-ed1-f42.google.com [209.85.208.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E6AAC151B25 for <dmarc@ietf.org>; Wed, 29 Mar 2023 07:15:25 -0700 (PDT)
Received: by mail-ed1-f42.google.com with SMTP id eh3so63834559edb.11 for <dmarc@ietf.org>; Wed, 29 Mar 2023 07:15:24 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680099323; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ks47D9fUDWdKXp8/PGaQnTpAAyZWoIjYUJ2jyb8IrfQ=; b=Plywd+q2Os5NYTl5qIPXCuQ3HtyCnTAS3ECuii7wco85MSkqZqGAUKlM54kz5ZXfcS 36fx8FZOMIHXX/EDkf4eCdMKukiUzSeUx6UKEwBSGPS6t9trWKjg6ev3k4lEU5/Ie9J9 /6LegUgQL6QP2Vag4b9RhaDQYODvdzBAVUGBlG1E13HFBIIMsvyBtIeFRl7qspZj7A/3 XC1kDpBL9uC3HW3DdkvjIKHnM+jbC4OzdV0mP3VE/ar0amZSaZHn24I0rhwxiqdedzLd x7loSxDoonrXYpT3G8fKXxInRB8owdbRS93JWRr7avHaH15j+nPf5G4KvK0M2ML4xaU+ whkw==
X-Gm-Message-State: AAQBX9cBH7t1IHAD4Mrvsi2eXAAsy0szW49cT8K8xjYhQOas1Md6kCAK 32R56KIfKg0LTp6r66UfM7wHV5JLBsbvYOqoQhYKRmGA6gw=
X-Google-Smtp-Source: AKy350YIR8WPk7bMDxnVA45GhUd9JpFuTjdy5zfeEL+Vb17ah5KZQ6dCRaJS2Ke7aDh3WSCrczs7R0ksfWOTxuHoq+c=
X-Received: by 2002:a17:907:9711:b0:8f1:4c6a:e72 with SMTP id jg17-20020a170907971100b008f14c6a0e72mr9898715ejc.0.1680099323260; Wed, 29 Mar 2023 07:15:23 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <6319292.vCqnBZbX7o@localhost> <CAHej_8nd1xyAgwASLJbuJHyXEAfHbjqxNH1XtJxKFyfyOneyug@mail.gmail.com> <13145172.pEV04Z3DvM@localhost> <CAHej_8msLJQ0vbZ2jzitjxrQ1wdim5bHJkiD-QrU5F0EJvQp0g@mail.gmail.com> <FCFEB95E-63F9-46C3-A5F4-FA6B02FA8EB5@episteme.net> <CAHej_8=GbmzyXaeEkyLkv6uKc0-owuMC6UspPNq9irT7nF8b7w@mail.gmail.com>
In-Reply-To: <CAHej_8=GbmzyXaeEkyLkv6uKc0-owuMC6UspPNq9irT7nF8b7w@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 29 Mar 2023 23:15:11 +0900
Message-ID: <CALaySJLmRyyBLE7ZKy88XUS_hXr9M2uwc8jOCYBrBPeC+pCdCg@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="00000000000059b26e05f80a9b1a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/GegHrNYs-ganTiXFUGL2V-87UlM>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 14:15:33 -0000

I'm very much against text such as this, as I think it encourages
deployments that are contrary to interoperability and to the intent of
p=reject.

I contend that p=reject (as with the similar construct in the older ADSP)
was intended for high-value domains and transactional mail, and that it was
never intended for use in domains where general users send general email.

I stand by the MUST NOT that I proposed.

Barry


On Wed, Mar 29, 2023 at 10:33 PM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Tue, Mar 28, 2023 at 9:06 PM Pete Resnick <resnick@episteme.net> wrote:
>
>> If you agree that interoperability is increased, then I'd suggest that
>> you actually do agree that the proposed text is appropriate.
>>
>>
>> I don't know that I agree that interoperability is increased...
>
> I'm having trouble squaring proposed language that says "Domain owners
> MUST NOT publish p=reject because it breaks interoperability" with the
> following language from section 5.8:
>
> Mail Receivers **MAY** choose to accept email that fails the DMARC
>
> mechanism check even if the published Domain Owner Assessment Policy
>
> is "reject". In particular, because of the considerations discussed
>
> in [@!RFC7960], it is important that Mail Receivers **SHOULD NOT** reject
>
> messages solely because of a published policy of "reject", but that
>
> they apply other knowledge and analysis to avoid situations such as
>
> rejection of legitimate messages sent in ways that DMARC cannot
> describe, harm to the operation of mailing lists, and similar.
>
>
> It seems inconsistent to state with certainty that authorized mail will be
> rejected due to authentication breakage when there is no requirement that a
> reject policy be honored (and we have plenty of evidence that Mail
> Receivers are following the 'SHOULD NOT reject messages' guidance).
>
> Language that would be more consistent in guidance to the domain owners
> might look something like this:
>
> After careful analysis of the aggregate report data as described in
> section 5.5.5
>
> (Collect and Analyze Reports), Domain Owners **MAY** choose to change
> their
> policy from 'none' to 'quarantine' or 'reject'. If, in the Domain
> Owner's judgement,
>
> unauthorized and deceptive use of its domain name in the RFC5322.From
> field puts
>
> at risk the trust it has built with its recipients, then it is
> **RECOMMENDED** that
>
> the Domain Owner make use of the p and/or sp tags to set policy to
> 'quarantine' or
>
> 'reject' for those streams most at risk of loss of trust.
>
>
> If going that route, probably want to consider expanding on 5.5.5, too; I
> need to think about it some more.
>
> --
>
> *Todd Herr * | Technical Director, Standards and Ecosystem
> *e:* todd.herr@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email