IETF Logo Mail Archive

Re: [dmarc-ietf] Signaling MLMs

Hector Santos <hsantos@isdg.net> Fri, 14 April 2023 18:56 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8EA6AC1516F2 for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 11:56:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="Wnf9cq8S"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="UuO4cD0A"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gi7UuUWakFGp for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 11:56:15 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6193CC14CE45 for <dmarc@ietf.org>; Fri, 14 Apr 2023 11:56:15 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=29688; t=1681498573; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Message-Id:Subject: Date:To:Organization:List-ID; bh=oWLR57G6KfvQ7y63VJ57pmE37bZeaYc VD72RhDwqVEQ=; b=Wnf9cq8Sohe9zheb9jlkSsN3kBAWwys0YOBLfqhtlMv60dl 1+h1U/aRpI0BWXymI3cSfPw+OcLAN3J6ei4Q1X2NSYy8lU7bulamSxDZ9OG4igyi Jo5a3imlUrup/xW/AwJdq3NXWwBjilulJEZ85lt3svFZs7bPRRiOQKWz1kYQ=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Fri, 14 Apr 2023 14:56:13 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 1891370863.1.7984; Fri, 14 Apr 2023 14:56:12 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=29688; t=1681498571; h=Received:Received: From:Message-Id:Subject:Date:To:Organization:List-ID; bh=oWLR57G 6KfvQ7y63VJ57pmE37bZeaYcVD72RhDwqVEQ=; b=UuO4cD0AuCGh/MEPzTA/UDA ykZksYHvA2wNpNvEIQ/dys4sXPcnSkCHEh0Lr6jZmpT2WshrC+DrAO+B68Bi/Vfj ex100G5XHT2JkFhOeKImcc5BvtA07znLTTaOXIk97mZ1IlHfcMGeIxoSx5FOH8ig 0MAbrOINmcdOGFmiiJnA=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Fri, 14 Apr 2023 14:56:11 -0400
Received: from smtpclient.apple ([99.122.210.89]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 2337407113.1.13212; Fri, 14 Apr 2023 14:56:10 -0400
From: Hector Santos <hsantos@isdg.net>
Message-Id: <ACFFE36A-80CE-4CF6-B372-E32E6B60CF11@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EC7D3488-25A2-4C21-B3AC-A9C06FDD1634"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Fri, 14 Apr 2023 14:55:59 -0400
In-Reply-To: <6600461.14hOuAKI9C@localhost>
Cc: IETF DMARC WG <dmarc@ietf.org>
To: Scott Kitterman <sklist@kitterman.com>
References: <CAL0qLwZc2X7tyP+_8vvL3Yb7uJk6td3XGbsXUB68BNUEMhV4yQ@mail.gmail.com> <909C826B-2745-4BE8-AD16-920E6DE86D1C@kitterman.com> <329db752-fdeb-7633-ede1-06e435db1c0e@tana.it> <6600461.14hOuAKI9C@localhost>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/IWPJB6y2KqhJ8M4EOY1jhExth20>
Subject: Re: [dmarc-ietf] Signaling MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Apr 2023 18:56:19 -0000

The solution to move forward is:

- Recommend MUST NOT publish if domain wants to allow users to use domain in public list systems,

- Warn MLS/MLS  to avoid From Rewrite and recommend to honor p=reject by rejecting subscription, submissions. This is already in practice since 2011.

- Update section 4.4.3 to assist domains with a desire to use p=reject to consider supporting extended technologies to help with public usage of p=reject.

- Add a section for marketers of DMARC security systems to assist in correcting this problem with less aggressive campaigns to be prepare mail hosting customers with p=reject policies before they’re ready to do so. Always start with p=none.

- Make DMARCbis Informational status for faster IETF adoption  As a proposed standard, it’s going to be a rough poison pill too shallow after ADSP was abandoned for the same problems.  The difference now is this MUST NOT publish and honor for DMARCbis.  This may be enough to get IETF endorsement for a proposed standard.  

—
HLS


> On Apr 14, 2023, at 1:58 PM, Scott Kitterman <sklist@kitterman.com> wrote:
> 
> On Friday, April 14, 2023 1:20:28 PM EDT Alessandro Vesely wrote:
>> On Fri 14/Apr/2023 15:47:12 +0200 Scott Kitterman wrote:
>>> On April 14, 2023 1:29:58 PM UTC, "Murray S. Kucherawy" 
> <superuser@gmail.com> wrote:
>>>> On Fri, Apr 14, 2023 at 4:31 AM Alessandro Vesely <vesely@tana.it> wrote:
>>>>> Heck, MLMs should start rejecting messages sent from domains that
>>>>> publish a
>>>>> blocking policy *when they fail authentication on entry*!!
>>>> 
>>>> That's not enough to avoid the damage we're talking about.
>> 
>> Agreed.  Yet, it is a sane half-way between crazy rejecting always and
>> completely ignoring ABUSE.
>> 
>>>>> From: rewriting is the de-facto standard.  In DMARCbis we can only
>>>>> substitute "de-facto" with "proposed".  Better methods, implying
>>>>> different, possibly experimental, protocols are to be defined in
>>>>> separate documents. >>
>>>> 
>>>> Are you suggesting we put that forward as our Proposed Standard way of
>>>> dealing with this problem?  It's been my impression that this is not a
>>>> solution that's been well received.
>> 
>> I agree there are better solutions, but they're not yet developed.  As ugly
>> as it may be, From: munging is the emerged solution.  It is a _fact_.  Now
>> repeat again that the IETF standardized facts, not theories...
>> 
>>>>> Let me recall that when I proposed something like that, I was told that
>>>>> that was phase II and the WG was then already in phase III.  So, let's
>>>>> complete DMARCbis /without cannibalizing the spec/ by saying that it
>>>>> MUST NOT be used (as it is being used already).
>>>> 
>>>> What you describe as "cannibalizing" is actually a matter of presenting
>>>> the
>>>> correct normative advice about interoperability.
>> 
>> It is nonsensical.  It means DMARC is only useful for looking at the
>> reports. If that's really what we think, we'd be better off deprecating p=
>> completely. Otherwise, let's wait until next April 1st and publish it as
>> such.  It's ridiculous.
>> 
>>>> So I don't agree at all with that characterization.
>>> 
>>> Agreed.  If people can't get over saying some domains will have
>>> interoperability problems when that's demonstrably a technically accurate
>>> statement (and I don't see anyone claiming it isn't), I don't see how
>>> progress is possible.
>> 
>> I agree that we have to say that some domains have interoperability problems
>> as a consequence of DMARC.  Let's say that MLMs MUST do From: munging
>> unless (or until) better solutions arise, or unless they don't alter
>> messages.
>> 
>> We're proposing email authentication, not anything less.
> 
> Yes, but we don't get to close our eyes and pretend the rest of the world 
> doesn't exist.
> 
> If we want to change this, we're going to have to update RFC 5321, which I 
> think is out of our scope.  In the section on aliases and lists (3.9), it 
> says:
> 
>>   However, in this case, the message header section (RFC 5322 [4]) MUST
>>   be left unchanged; in particular, the "From" field of the header
>>   section is unaffected.
> 
> I think it would be wrong to mandate From rewriting for a lot of reasons, but 
> I don't think we get to just ignore an Internet Standard.  I think we 
> particularly don't get to ignore an Internet Standard and make it through an 
> IETF wide last call.
> 
> I still don't hear anyone claiming there's no interoperability problems when 
> some domains publish p=reject.  Can we please just agree to document reality 
> and move forward?
> 
> Scott K
> 
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org <mailto:dmarc@ietf.org>
> https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email