Re: [dmarc-ietf] DMARC forensic reports (ruf=) and privacy

Дилян Палаузов <dilyan.palauzov@aegee.org> Sat, 26 January 2019 21:14 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24A73130FFA for <dmarc@ietfa.amsl.com>; Sat, 26 Jan 2019 13:14:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 51d5BSDgQ41B for <dmarc@ietfa.amsl.com>; Sat, 26 Jan 2019 13:14:23 -0800 (PST)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B383B130FC7 for <dmarc@ietf.org>; Sat, 26 Jan 2019 13:14:21 -0800 (PST)
Authentication-Results: mail.aegee.org/x0QLEJRs026638; auth=pass (PLAIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1548537259; i=dkim+MSA-tls@aegee.org; r=y; bh=PIY5sHFD+BT5WQmj2zkglsLaUmgUJCX22WepHcfDIbU=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=jWHmJ6sW9Xe3T8uVoWaU47Azle4XqJ9QHle2r1BvS9FRy7FdksjE2Vkpo5BUF3Qw7 c6WgrAZeSnmWdOCRQ8nj3COULSzF8UvJYrGgEgeq4Zki1Q0m79TtDwx6TVuml0cuVZ 0dgY/79O0r31GQ8Sim21P3rtI9k00P6q1do0Kkt2pz95MSl61j1wYogmKWKbpQ9KJs JexWzKfC2y7pV0NiLco7mNztynnWdum6d3j54+llHZjWKXDoajHCjZxMZlVtYr28+k RfrJGhqev/eYTuZdnIApbZyEVuXFp3CFMpU7vdRsTfEsCSHi3t+9d2GCxqq4sCUSH+ dYCoeMgHZLBZPrbmUqqhTDkj3bmcPKd3PL1+JBUAZ+a/3013cZOKoc/d8Td3OojvvO +/XyDzeekXGHahWl30mRMns6tET1qWwOefNG4aqxyap2gTl+ATQVABpkxYUxifNEwJ 6TdaUiIhcQ9AXOumdpT65GTpMDwIrP6tK4Esbbv6zfGR+yWdVgKngOW5sNeyl29iEg npAgf9jCrNQjd8r/tvwZnGe4k/THmSoOc+Q8/tv1GtjwT8IPoANn/ZXJnzC99ZGrqq u5BNCwDq/P4KjD0DOWr06kZqkNxaXquBhM1SIyprc9YYs/B8tfZ0EM2at9xd1mgGyP uNUdVhy3aM9cQ6tn0l0OXnVM=
Authentication-Results: mail.aegee.org/x0QLEJRs026638; dkim=none
Received: from Tylan (adsl-62-167-97-198.adslplus.ch [62.167.97.198]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id x0QLEJRs026638 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 26 Jan 2019 21:14:19 GMT
Message-ID: <ad02c03115cebe042ba0c6f815b5e98cec0398ae.camel@aegee.org>
From: =?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD_?= =?UTF-8?Q?=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2?= <dilyan.palauzov@aegee.org>
To: Dotzero <dotzero@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Date: Sat, 26 Jan 2019 21:14:18 +0000
In-Reply-To: <CAJ4XoYd8zq53MRmsXKx=Fh1n0NpHj=Q+0i5fjD1HDnqDE26++Q@mail.gmail.com>
References: <20190126163123.AAA4B200D39816@ary.qy> <5cd324dcd2d76a77618f3f77d7d7a644c2d13564.camel@aegee.org> <CAJ4XoYd8zq53MRmsXKx=Fh1n0NpHj=Q+0i5fjD1HDnqDE26++Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.31.90
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.1 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HYnjPNS9KWO1ZN9O1LCC6AbgYD0>
Subject: Re: [dmarc-ietf] DMARC forensic reports (ruf=) and privacy
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jan 2019 21:14:26 -0000

Hello,

reiterating over the arguments against sending reports to the ruf= …dmarc address, the first provided reason was, that
such report will not match the expectations of the users.  Which users?  On the site that sent the initial mail or on
the site that generated the report.  It can be assumed, that sending reports to the ruf= address at a certain domain
matches the expectations of the users of that domain and any non-matching expectation is a problem of the one who
published the ruf= entry, not the one generating a report.  I do not say that once the report is generated and sent the
sender has to store the report, so that the expectation of the user, that received the initial mail, are also met, when
the report generating server does not store a copy of the sent report.

The second argument was, that staff managing DNS and staff managing emails (and able to read user’s email) are
completely different persons.  I do read here, that the DNS staff can use its posititon to insert arbitrary email
addresses in the ruf= tag and by this way come in a position to read emails, that otherwise the DNS staff would not be
entitled to read.  Seriously, if the ruf= tag is not trusted, why shall the p= tag be honoured, and why shall also be
the DKIM public signature and MX record be trusted?  Either the ruf= email address is trusted to receive reports, or the
whole DNS of the sending domain is not trusted.

The third argument is, that in case 1% ouf of 10 000 000 messages between two hosts are reported in the aggregate
message not to match DKIM, then it is worth investigating the cause.  Alright, that is exactly my point.  I want the
reports, provide ruf=, and don’t receive the reports.   Where will you start investigating?  How can you find out if the
problem is on the sender or receiver side?  If you validate once again your implementation and find nothing wrong with
it, does it prove, that the implementation of other side has bugs?  Perhaps the other side has also proven in the very
same way, that it is error-free.  You see only that 1% of the messages do not match DKIM validation, now and then.  What
is the next step to make signer and verifier compatible?

Guessing?  If making signers and verifier compatible can be achieved only by guessing, then DMARC cannot be trusted/is
not mature.

I have no problems if due changes somewhere DKIM for a while fails, as in this case there is nothing I can do.  But I
want to be sure, that the cause is not on my side, and currently this is not evident.  It is just not clear, if there is
a problem report, if the problem is temporary, when the cause was resolved, if the cause is on my side…  This properties
make DMARC not reliable.

Regards
  Дилян

On Sat, 2019-01-26 at 12:56 -0500, Dotzero wrote:
> Please, RUF is a ""Failure Report", not a "Forensic Report". Please read RFC 7489 - https://datatracker.ietf.org/doc/rfc7489/
> 
> On Sat, Jan 26, 2019 at 12:21 PM Дилян Палаузов <dilyan.palauzov@aegee.org> wrote:
> > Hello John,
> > 
> > On Sat, 2019-01-26 at 11:31 -0500, John Levine wrote:
> > > In article <6a56a3831dd4651e0d7610ee0c90f50749a7203b.camel@aegee.org> you write:
> > > > How can a domain owner communicate, that its users agree to have investigations on forensic reports, where DKIM
> > > > signatures failed (fot the purpose of avoiding repeating errors in DKIM signing/validation)?  In particular, that there
> > > > is no expectation of the users that a deleted message is erased and that the domain owner, DNS staff and email staff
> > > > function good as whole?
> > > 
> 
> This is way outside the scope of DMARC., however, the very fact that the domain has provided an email address for receiving RUF reports is a pretty reliable indicator. Presumably DNS  and mailops staff work for/on behalf of the domain owner.
>  
> > > I suppose they could try to put it in the terms of service, but I
> > > wouldn't begin to guess whether that would be enforcable or even legal
> > > in places with the GDPR and other privacy laws.
> > > 
> > > More to the point, I wouldn't bother.  The failure reports are almost
> > > entirely useless.  Of the ones I get, the majority are random Chinese
> > > spam that happened to forge one of my domains on the From line, the
> > > rest are from mailing lists where I wouldn't expect DMARC to pass.
> 
> Clearing out the chaff originating from servers other than your own helps, but I'm not going to try to teach John anything. 
> > A domain owner can certainly clarify anything in the terms of service, but even if the domain owner does these
> > clarifications, s/he will not receive DKIM/DMARC forensic reports, because there is no mean to communicate to the
> > generators of those reports, that sending forensic reports violates users expectations.
> 
> Individual user expectations are well outside the scope of DMARC. It is a domain/subdomain level protocol. If you don't want the reports then don't provide a destination for them to be delivered to.
> > The reasons mentioned here against sending forensic reports were, that this might not match user expectations (on
> > deleted information) and because email staff and DNS staff may differ.  I approached both concerns, by stating that user
> > expections can be put in Terms of Use and that a domain owner can decide, that for a domain it is acceptable to receive
> > forensic reports and insert this infomation in the Terms of Use.  So… what else exactly needs to happen, to resolve the
> > concerns against sending forensic reports (which was my original question)?
> > 
> > If GDPR is the only concern, this can also be clarified.  But clarifying that GDPR is not a problem, will be losing
> > time, if independent of it there are other concerns.
> > 
> > Imagine there is a failure report stating that after a direct communication between your server and another server, the
> > receiving server sends you an aggregate report, stating that 1% of the messages you sent yesterday do not validate DKIM.
> > How do you suggest to proceed to reduce this to 0%?
> 
> Over time you are unlikely to keep "legitimate" failures at 0%. There are lots of moving parts and pieces that can cause a failure. It also depends on the characteristics of the mail streams involved. The domain owner(s) and staff will need to determine how much effort they are willing to put in eliminating (legitimate) email failures. If I'm sending 10 million emails to a domain and 1% are failing then I'm likely to look into it. On the other hand, if I'm sending 100 emails a day to a domain from an overall large system and 1% (1 email) is failing, that really falls into the noise and is unlikely to get much time spent on it.
> 
> Michael Hammer
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc