Re: [dmarc-ietf] Priming the Pump for Discussion - Ratchets
Douglas Foster <dougfoster.emailstandards@gmail.com> Sun, 11 July 2021 21:42 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 631053A1FBB for <dmarc@ietfa.amsl.com>; Sun, 11 Jul 2021 14:42:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.197
X-Spam-Level:
X-Spam-Status: No, score=-0.197 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tC-reKooNHY6 for <dmarc@ietfa.amsl.com>; Sun, 11 Jul 2021 14:42:54 -0700 (PDT)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74B5F3A1F97 for <dmarc@ietf.org>; Sun, 11 Jul 2021 14:42:54 -0700 (PDT)
Received: by mail-oi1-x234.google.com with SMTP id t25so2777329oiw.13 for <dmarc@ietf.org>; Sun, 11 Jul 2021 14:42:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=eG06tkuUXL7Ac2YsPgHHebopS67AHV+dJWo7R4qFFb0=; b=ahS0w/4Nc3W6mE2z8JBkyh5WZ7AlOWuQoX/nIgY4hBa7v9Sm/JSQLhItMhJxZRuAA8 fEOfR9wtfS5MyvFtcPuBDGdigi629DVDJCvgM+jaBLbWZrroIqHGlEhONBgIJv6poRfp WV+gKaWYlRNRNlHjdjvNyAn/RltRmeMO4OGaJj40jbpXqGKDwV39VpHYDwjkNlLHdA94 nOvvSxYJakoibLarb4CQ4vyLPrX1YNQNpHTyGurntwiV/0wQT018+xAB9ye4qAyos6Qk OgbCd/2lyXoTkl4ByyYFDtx+2CTBO7P/7KiimJgW+QGV3fcKUc1EU9DMNl1QObIYNNqW bj8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=eG06tkuUXL7Ac2YsPgHHebopS67AHV+dJWo7R4qFFb0=; b=uPg7asy9veyY7FhfOJSPT7hepsZqgnOH9Y6M4KXlQz/cN9DAl5s79uG1DlqJ60iO/X RM7jc8fHxN52CsXc2jbwzhq7mA9fcWtyiZgeEr4+FF9owtIFtzhC1erA91LBWG5qDJkT oKJ0t85Ueij8OuJGsp7riaUt3O64xcJ9Hdni90ww0HuhJsi3xDhG82ZxQVARI5qEvb+H qUtIUSP3C+SwZ0xrAVsfHLa59XZsMiwEdj8G8V7iOzCo5QhL/suaHTffN0W5UqsAXB60 miePAprXm7aclpUaGtyJ+tmiCzWNlxw8wOVU/NEst70JbifXpLaGypLt1abiMlutdlxq LY9g==
X-Gm-Message-State: AOAM532PDM8Eb0tN4kAxacvrqPri4KDKS5tgkS2cYXkzn9V3RKSOnylx T9Q3IFNpz9xfC7QcNWlAKcsmCOF9lRcOhyREzs6x1qAgG6E=
X-Google-Smtp-Source: ABdhPJxd7VFaOj48SlcKDPOFbaiZIV3qsMtbVhYVbzM1E+nhS9g9hbwrWRq/EOWZK3CkGJKdBFC6Kml/wrXOTNLs/6s=
X-Received: by 2002:aca:c6cf:: with SMTP id w198mr7730623oif.73.1626039772406; Sun, 11 Jul 2021 14:42:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8=yvgXP2WgHayhGU2Hg2E0RcNgZBFjfw1cM-qKWkTG-+w@mail.gmail.com> <CAH48ZfzzVV90CkKX+mCKAfDvgzQY62csCO6Vp92Bh03_zL8jWA@mail.gmail.com>
In-Reply-To: <CAH48ZfzzVV90CkKX+mCKAfDvgzQY62csCO6Vp92Bh03_zL8jWA@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sun, 11 Jul 2021 17:42:41 -0400
Message-ID: <CAH48Zfz80FfDKEhPsEQPseR5eYJeuEGa5K1HU2MDWabO+0rZNg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000666b105c6dfe3cf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HDyjTsaFYuX4mO-Kyr6etnRglUs>
Subject: Re: [dmarc-ietf] Priming the Pump for Discussion - Ratchets
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jul 2021 21:43:06 -0000
Sorry, I got tangled up in the weeds between policy scope and alignment. The four policy assertions should have been phrased as: For messages with FROM within <policy scope>, · All messages with MAILFROM algined to FROM will produce SPF PASS, at first hop. · All messages with MAILFROM aligned to FROM will produce DKIM PASS, based on the FROM address, at first hop. · All messages with MAILFROM not algned to FROM will produce SPF PASS based on the SMTP address used, at first hop. · All messages with MAILFROM not aligned to FROM will produce DKIM PASS, based on the FROM address, at first hop. These are intended to be four independent assertions which can be individually ON or OFF. To implement this concept, we would need one or four new keyword=value tokens. DMARCv1 senders and receivers would use the existing tokens and values (of which it has been said, 94% are NONE or PCT=0.) DMARCbis senders and receivers would use the new tokens based on this concept. This is intended to address Dave Crocker's concerns which led to a rewrite of the introduction, Todd Herr's comments that DMARC FAIL should only be a data point which is integrated into the evaluation algorithm, and Alessandro's request for a partial implementation between NONE and QUARANTINE. Doug Foster On Sun, Jul 11, 2021 at 3:32 PM Douglas Foster < dougfoster.emailstandards@gmail.com> wrote: > If we are willing to break upward compatibility, it might be preferable to > define policy in terms of what the sender knows, rather than what the > receiver should do. After collecting feedback, the sender should know > whether all message sources are sending with SPF PASS, DKIM PASS, or both. > > > This could be implemented with granularity based on the domain-part used > in MAILFROM, and these four possible policy statements: > > Messages sent using organization domain for SMTP: > > · All messages with MAILFROM matching <FROM scope> will produce > SPF PASS, at first hop. > > · All messages with MAILFROM matching <FROM scope> will produce > DKIM PASS based on the FROM address, at first hop. > > Messages sent by mailing service providers using the service provider > domain for SMTP: > > · All messages with MAILFROM not matching <FROM scope> will > produce SPF PASS based on the SMTP address used, at first hop. > > · All messages with MAILFROM not matching <FROM scope> will > produce DKIM PASS based on the FROM address, at first hop. > > We know that forwarding can affect DMARC and SPF evaluation, and that > forwarding is outside the control of the sender. Consequently, when > verification fails, it is the recipient system’s burden to determine > whether forwarding has occurred, how the forwarding action affects the > trust level of the message, and consequently whether the forwarding path is > acceptable. One way to handle this would be for recipients of forwarded > mail to register that fact with the system administrator, so that the > system administrator could configure appropriate rules in the message > evaluation system. > > Additionally, not all DMARC-violating impersonation is malicious, so even > when impersonation is confirmed, it remains the recipient system’s burden > to decide whether the impersonation should be tolerated or repudiated. > > Some implementations of sender authentication have used IETF > specifications to simplistically implement message repudiation, without > understanding the possible exceptions, and consequently without providing > the necessary exception mechanisms. I am hoping that DMARCbis will include > enough discussion of exceptions to reduce the likelihood of this error > persisting forever. Changing the way we define policy might help achieve > this goal. > > > Doug Foster > > > > > > On Tue, Jul 6, 2021 at 8:46 AM Todd Herr <todd.herr= > 40valimail.com@dmarc.ietf.org> wrote: > >> Greetings. >> >> The theoretical goal of any domain owner that publishes a DMARC record is >> to transition from an initial policy of p=none to a final one of p=reject, >> because it is only at p=reject that DMARC's intended purpose of preventing >> same-domain spoofing can be fully realized. >> >> Many domain owners see the transition from p=none to p=reject as a black >> box, in that they believe they have no way of knowing what the full impact >> of such a change might have on their mail, and they fear irreparable harm >> to their mail if they make a mistake. >> >> The designers of DMARC anticipated this fear, and built several different >> transitional states, or ratchets, into the protocol, including: >> >> - The "pct" tag (https://trac.ietf.org/trac/dmarc/ticket/47) >> - The "sp" tag (https://trac.ietf.org/trac/dmarc/ticket/48) >> - "quarantine" as a value for "p=" ( >> https://trac.ietf.org/trac/dmarc/ticket/39) >> >> All of these are designed to allow the domain owner to request that some, >> but not all, of its mail be held to stricter authentication standards so >> that the domain owner can dip a toe in the water before jumping in. >> >> The ratchets have introduced some problems, though: >> >> - The 'pct' tag doesn't exactly work like it's intended to, and >> really can't because of the nature of mail flow, unless there is a high >> volume of failed authentication for the domain in question. (There is a >> much longer discussion of this in section 6.7.4, Message Sampling, of >> draft-ietf-dmarc-dmarcbis-02.) >> - Some domain owners have taken a "more is more" approach to >> ratchets, figuring if one is good, all are better, resulting in needlessly >> complicated policy records >> >> The purpose of this email is to get folks thinking about possibly >> simplifying the ratchet mechanisms, perhaps boiling them down into one. >> This thinking and on-list discussion on this topic would serve as a >> precursor to further face-to-face discussion at the next interim working >> group meeting. >> >> I'll start the discussion by taking an extreme position... >> >> Ratchet mechanisms don't help in any way that a short TTL on your DMARC >> record won't help, and in fact you need the short TTL on your record >> anyway, because if you're trying a ratchet mechanism and find it's too >> much, you still gotta update DNS to roll it back. >> >> Getting to p=reject isn't a difficult undertaking, at least from a >> technical standpoint. Enumerate all your mail streams, ensure that they're >> authenticating properly, and boom, you're done. The proper tools for doing >> that are p=none, a rua tag pointed at a mailbox that is parsed by automated >> means, active daily monitoring of the data consumed in those aggregate >> reports (so that mail streams can be enumerated and authentication problems >> addressed), and time. Time is the big one here, because sufficient time >> must elapse to ensure that all of your legitimate mail streams are >> exercised and reported upon, and that can take many months in large >> organizations or at companies that are in the business of seasonal email >> sending. >> >> The big challenge to fixing authentication issues, especially in large >> organizations, is usually in just finding who owns the host/process that's >> generating that unauthenticated mail. That can add time to the process, but >> once you've enumerated them all, updated your SPF record and/or made sure >> they're all properly DKIM signing, you can skip right from p=none to >> p=reject. >> >> I look forward to lively conversation... >> >> -- >> >> *Todd Herr* | Technical Director, Standards and Ecosystem >> *e:* todd.herr@valimail.com >> *m:* 703.220.4153 >> >> This email and all data transmitted with it contains confidential and/or >> proprietary information intended solely for the use of individual(s) >> authorized to receive it. If you are not an intended and authorized >> recipient you are hereby notified of any use, disclosure, copying or >> distribution of the information included in this transmission is prohibited >> and may be unlawful. Please immediately notify the sender by replying to >> this email and then delete it from your system. >> _______________________________________________ >> dmarc mailing list >> dmarc@ietf.org >> https://www.ietf.org/mailman/listinfo/dmarc >> >
- [dmarc-ietf] Priming the Pump for Discussion - Ra… Todd Herr
- Re: [dmarc-ietf] Priming the Pump for Discussion … Dilyan Palauzov
- Re: [dmarc-ietf] Priming the Pump for Discussion … Alessandro Vesely
- Re: [dmarc-ietf] Priming the Pump for Discussion … John Levine
- Re: [dmarc-ietf] Priming the Pump for Discussion … Douglas Foster
- Re: [dmarc-ietf] Priming the Pump for Discussion … Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Todd Herr
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Douglas Foster
- Re: [dmarc-ietf] Priming the Pump for Discussion … Steven M Jones
- Re: [dmarc-ietf] Priming the Pump for Discussion … John Levine
- Re: [dmarc-ietf] Priming the Pump for Discussion … Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Todd Herr
- Re: [dmarc-ietf] Priming the Pump for Discussion … Jim Fenton
- Re: [dmarc-ietf] Priming the Pump for Discussion … Jim Fenton
- [dmarc-ietf] Fwd: Priming the Pump for Discussion… Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Douglas Foster
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Barry Leiba
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dotzero
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Benny Pedersen
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dotzero
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 tjw ietf
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Laura Atkins
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Douglas Foster
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Steve Siirila
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Dave Crocker
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Laura Atkins
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Laura Atkins
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Matthäus Wander
- Re: [dmarc-ietf] Fwd: Priming the Pump for Discus… Barry Leiba
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Alessandro Vesely
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 John Levine
- Re: [dmarc-ietf] Ratchets - Disallow PCT 1-99 Дилян Палаузов
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… John R Levine
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Benny Pedersen
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Douglas Foster
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… Alessandro Vesely
- Re: [dmarc-ietf] From: munging, was Ratchets - Di… John Levine