IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

Alessandro Vesely <vesely@tana.it> Sun, 17 March 2024 11:11 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2095FC151075 for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 04:11:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="+pMpvKjt"; dkim=pass (1152-bit key) header.d=tana.it header.b="AVtgEXoo"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3Aw9xmRZLrln for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 04:11:12 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD390C14F6BF for <dmarc@ietf.org>; Sun, 17 Mar 2024 04:11:09 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1710673865; bh=etcXAK4QDVZduE4jIW03U1TglNiw4RBbhL/cXRpbbik=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=+pMpvKjtK63y2DSHknVnwgwg4zvZSfTY0+cKqT3CHwvfFvJKAIEJ2DqbHIA4K44jU jqfRyI0FiYa1mtAtTGjCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1710673865; bh=etcXAK4QDVZduE4jIW03U1TglNiw4RBbhL/cXRpbbik=; h=Date:Subject:To:References:From:In-Reply-To; b=AVtgEXooIL2+SvJ3EPPPNw6bagYFwrTFWGYAO9lfYk2HbnhjPxDFhi8iBsHyN9xEL 4HOhxUQQI5oS036kwh359tJTkkgyFI79w5J6O5YcJaHbwnx1hc4Hlowg/4MS97zkQ9 3BpmAAUoohJUGKrgsztHcqgI6t0/HgDRELkmYlMQK8f6jHfaKYmxWlYLWN5HI
Original-Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC083.0000000065F6CFC8.000065D7; Sun, 17 Mar 2024 12:11:04 +0100
Message-ID: <cf416f6b-3de2-4bf3-a3e2-0b634157050d@tana.it>
Date: Sun, 17 Mar 2024 12:11:04 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <CAHej_8nrQG3XN5k=p0x5KzV3ZLAzzGQaXNpG9cFvPS338uS0dw@mail.gmail.com> <2956306.Z6hNudi34S@zini-1880> <2068150.yCtiIVWOOC@zini-1880>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <2068150.yCtiIVWOOC@zini-1880>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/IZ882iw5cKeaGePgvFT65zvVQPo>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2024 11:11:19 -0000

On Sat 16/Mar/2024 20:01:22 +0100 Scott Kitterman wrote:
> On Thursday, March 14, 2024 12:24:50 PM EDT Scott Kitterman wrote:
>> On Thursday, March 14, 2024 11:44:22 AM EDT Todd Herr wrote:
>>>
>>> Issue 135 is open for the subject topic. Please add your thoughts to this 
>>> thread and/or to the issue in Github.
>>>
>>> Thank you.
>> 
>> [...]
>> 
>> I think both of these should be addressed as part of this issue in Security
>> Considerations.
> 
> It seems to me that, to the extent we are going to address this issue, there
> is agreement that Security Considerations is appropriate.  Here's proposed
> text:
> 
> 11.X  External Mail Sender Cross-Domain Forgery
> 
> Both of the email authentication methods which underlie DMARC fundamentally
> provide some degree of assurance that an email was transmitted by an MTA which
> is authorized to do so.  SPF policies just map domain names to sets of
> authorized MTAs [ref to RFC 7208, section 11.4].  Verified DKIM signatures
> indicate that an email was transmitted by an MTA with access to a private key
> that matches the published DKIM key record.
> 
> When Domain Owners authorize mail to be sent by sources outside their
> Administrative Management Domain there is a risk that an overly permissive
> source may send mail which will, as a result, receive a DMARC pass result that
> was not, in fact, authorized by the Domain Owner.  These false positives may
> lead to issues with systems that make use of DMARC pass results to indicate a
> message is in some way authentic.  They also allow such unauthorized senders
> to evade the Domain Owner's requested message handling for authentication
> failures.
> 
> The only method to avoid this risk is to ensure that no overly permissive
> sources can successfully DKIM sign the domain's mail or transmit mail which
> will evaluate as SPF pass.  If there are non-DMARC reasons for a domain owner
> to include a permissive source in a domain's SPF record, the source can be
> excluded from DMARC consideration by using the '?' qualifier on the SPF record
> mechanism associated with that source.


That text is too long and lacks an example.

The first paragraph can be omitted without losing context.  BTW, Section 11.4 
of RFC 7208 is about /cross-user/ forgery, not cross-domain.

The second paragraph doesn't mention SPF.  Couldn't it be more direct?  For 
example:

     Domain Owners who set up SPF records which include sources outside their
     Administrative Management Domain run the risk that an overly permissive
     source may allow its users to send scam mail which will receive a DMARC
     pass results that were not intended by the Domain Owner.  These false
     positives [...]

The third paragraph is also longer than needed.  There's no need to mention 
DKIM if we're talking SPF forgery.  I'd also point out that the neutral 
qualifier prevents quick rejection of the message, and is probably useless for 
those who have ~all.  (Are there MTAs who distinguish between neutral and 
softfail?  Are we prompting them to do so?)  Perhaps mention that this is a 
compromise between striking the SPF record tout-court and allowing false positives.

Most important, write "?include:example.com".  An example is worth a thousand 
words.


Best
Ale
--

v2.23.0 | Report a Bug | By Email