IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Dotzero <dotzero@gmail.com> Sat, 22 October 2022 11:42 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 659B9C1524B4 for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 04:42:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fiH7lwfvktkF for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 04:42:56 -0700 (PDT)
Received: from mail-oi1-x232.google.com (mail-oi1-x232.google.com [IPv6:2607:f8b0:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 831EEC14CE24 for <dmarc@ietf.org>; Sat, 22 Oct 2022 04:42:56 -0700 (PDT)
Received: by mail-oi1-x232.google.com with SMTP id g10so6049861oif.10 for <dmarc@ietf.org>; Sat, 22 Oct 2022 04:42:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=uhxsv/rhMoDzVYHJPdYuYZm5vdc9C744vKExHd9ftmw=; b=dAFZHbNoI/bCiZhSfolSB8RPpfdtdhIPo4Qgta0eRGA5833wDWDWrITMnBvRMX7DrF pJDO24Wsw1M3ikYlSXBVNoKHVyoeM8UDhju7zkkoD4/6yLq5DsBwgK4cTRNwmRY0BoUX wdQMQsrUQgUruVdkhOputz7pqkiieVaBPns2kqMmJg8CZm4UVeL6pDG1RPdy6u3I3DK0 SKXrlmZsqqF91+cbNIHJ2pX+AJ55t95ZhKp8mAkOKSp4AEv0sFlRT4Go4J7YVtYFIcF0 fW3VDDhmTiR7faI/USK2f1HK1CZCi4XF0nl3afA6tfpM+gMLacq8mMTcG8gezuDIHPKL 8jEg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=uhxsv/rhMoDzVYHJPdYuYZm5vdc9C744vKExHd9ftmw=; b=MapLPiTGU5uE/TBN/lWVMlU9gkV7JG5VY2imNsPZHntJPKs+T827iwBzad54kFYdGH fbTX/G3l6KwTMTikDO4cxkAOKu1QrLy/1omHUc1WNLOaOyoSFZRvvsehId5M7gi0W47i ASzQf22b5oxjFa5Z+E8DDblrve45ku50k0ezLQh29P/DhmhfeJAaV7NkQYuq7h03hc+Q jZ9ADZl60YwjXTdkbpB94sAF4Nonhn1+ReKmsGIhwxijYHsILpoX0shxBcfjWoUrb2Vl TdGTay4AKSBdzf4fr/f3iC3dJKe4NNMtU6YWMpAA7oFRLUyZS14rCN1dkadnqOTwwjAE g4aA==
X-Gm-Message-State: ACrzQf0SrA6Gwbb+DVvGrKxdlmWgwwB/jwXPptIoyh+vyiomi6oSEgbM gPY/fbg8Ney6UkMrsNciFdpUK/imgL0kWmbdOuwCiweO1o4=
X-Google-Smtp-Source: AMsMyM6x6tt1mpwxpDFZhDvF53CWwQ2OtD+crLMIkIFD/LyC7AZvsykfyjByxyDQ7fmYCG/WZ4kLs2cdno+9dSR4jnE=
X-Received: by 2002:a17:90a:5e04:b0:20b:1f20:5069 with SMTP id w4-20020a17090a5e0400b0020b1f205069mr61427031pjf.126.1666438965041; Sat, 22 Oct 2022 04:42:45 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com>
In-Reply-To: <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Sat, 22 Oct 2022 07:42:35 -0400
Message-ID: <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008d1f9805eb9e0e86"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HKVdZlCqhzgN_xkiac2ibFlell8>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Oct 2022 11:42:57 -0000

" 3) A signature has been compromised and an unauthorized source is sending
authenticated mail.  SPF FAIL with DMARC PASS provides the alarm trigger."

This is incorrect. SPF FAIL with DMARC PASS can simply be an indirect mail
flow. It might also be an incorrectly configured SPF record.

Michael Hammer

On Fri, Oct 21, 2022 at 5:57 PM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> I remain unconvinced.   Mail is nearly free to the sender, but expensive
> and risky for the recipient and his organization.   Anything unwanted
> message that gets through the spam filter consumes a person's time, which
> is a non-trivial opportunity cost.   Asking me to accept extra cost to
> provide "nice to have" data is too much.
>
> Your first scenario is mostly about what an evaluator can do.  I think
> there is an opportunity and need to discuss all the ways that an evaluator
> can obtain acceptable authentication on a message that fails SPF or DKIM,
> but the chairs have been clear that doing so is "not DMARC" and out of
> scope.    I don't see is how the aggregate report contents facilitate or
> hinder your un-munging algorithm.
>
> I am not a mass mailer with a complicated identity structure, so I am
> willing to be educated about the wonderful things that can be learned from
> aggregate reports.   Based on my current knowledge, the use cases seem few,
> and do not need unaligned results.
>
> 1) A server is sending legitimate mail and is correctly configured with
> both SPF and DKIM.   The feedback from non-forwarded recipients confirms
> this fact.
>
> 2) A server is sending legitimate mail on behalf of the domain owner, but
> has a configuration error:  no signature, invalid signature, or using a
> server not in SPF record.    SPF results from non-forwarded recipients will
> identify the problem so that it can be corrected.
>
> 3) A signature has been compromised and an unauthorized source is sending
> authenticated mail.  SPF FAIL with DMARC PASS provides the alarm trigger.
>
> 4) A server is using a delegated signature for an unauthorized purpose.
>  Nothing in the reports is likely to indicate this problem.   If it is
> detected from other sources, the correction involves revoking the public
> key and terminating the offending organization.
>
> 5) Some mail is failing authentication after forwarding without MailFrom
> rewrite or forwarding with changes.    The IP address and MailFrom address
> help to identify the problem but the domain owner has no ability to correct
> the problem.   He can use p=none to limit the consequences.
>
> 6) Some mail is failing authentication because it originates from an
> illegitimate source.      The IP address and MailFrom address help to
> identify the problem but the domain owner has no ability to correct the
> problem.   He can use p=reject to limit the consequences.
>
> Case 5 and Case 6 are distinguishable only by the reputation of the server
> or MailFrom address.   Malicious senders are unlikely to add a signature to
> prove their identity, so perhaps a signature suggests case 5 rather than
> case 6.   But a competent forwarder will be doing MailFrom rewrite, so the
> forwarder identity will be present whether a signature is added or not.
>
> These use cases do not deal with authentication failures after multiple
> forwards.   An abundance of signature data might allow the domain owner to
> reconstruct the forwarding path, but is that something he needs to do,?   I
> don't think so.
>
> As for the duplicate signature issue, my rule would detect support for the
> new signature algorithm if it appears first.
>
> I would be happy to hear a case summary which indicates how a real problem
> was solved, and was only solvable using non-aligned results.
>
> Doug Foster
>
>
>
> On Fri, Oct 21, 2022 at 4:11 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> On Fri 21/Oct/2022 00:53:56 +0200 Douglas Foster wrote:
>> >
>> > Aligned DKIM PASS
>> > When an aligned DKIM result is PASS, I don't see that the domain owner
>> needs
>> > any more data collection performed.   The verifiable DKIM scope ID
>> should tell
>> > him where the message originated, and the source IP and HELO name tell
>> the last
>> > place it landed before delivery.    I cannot see why a domain owner
>> would spend
>> > a lot of time trying to analyze success results, unless his interests
>> have
>> > transitioned from assuring identity to analyzing marketing impacts.
>>  We are
>> > not trying to provide marketing data, and any successful use of DMARC
>> for that
>> > purpose seems like an encroachment on the privacy concerns that we want
>> to
>> > minimize.
>>
>>
>> Non-aligned signatures can be meaningful for various reasons.  In that
>> case,
>> the result of their evaluation is also meaningful.  For an example, the
>> original author's domain signature, before From: was munged, is
>> meaningful.  If
>> it fails, it can be retried after undoing MLM transformation, possibly
>> leading
>> to secure recognition of the true author.  Is that worth its carbon
>> footprint?
>>
>> And for scope, one may wonder whether the recognized, or failed to be
>> securely
>> recognized original author's domain deserves a copy of the report.
>> People
>> prone to set p=quarantine; pct=0 in order to avoid receiving "errors"
>> would
>> clearly dislike a copy of the report.  Others may want it, in order to
>> tune
>> their DKIM signing configuration.
>>
>>
>> > Duplicates:
>> > If an aligned domain has multiple DKIM signatures and one passes, I
>> suggest
>> > that the PASS is the only one that needs to be reported.  If an aligned
>> domain
>> > has multiple DKIM signatures and none pass, I suggest that the first
>> one found
>> > (from the top) is the most important, because it is the last one
>> applied.   If
>> > duplicates are reported, disaggregation is increased, so why report
>> data that
>> > is not useful?
>>
>>
>> Currently, putting 2 signatures, one rsa and one ed25519, is the way to
>> monitor
>> who supports the latter.
>>
>>
>> Best
>> Ale
>> --
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email