Re: [dmarc-ietf] Additions to draft - Security Considerations

Neil Anuskiewicz <neil@marmot-tech.com> Sun, 01 May 2022 23:25 UTC

From: Neil Anuskiewicz <neil@marmot-tech.com>
Date: Sun, 01 May 2022 16:25:02 -0700
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
In-Reply-To: <2934216.d6BrxOLGqM@zini-1880>
Message-ID: <CAOPP4WE1RQqf3FMufg2DTabBFeEZkA6D3FUMD-hKFjsVjXVkDQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/J6YehTWSDk0LU4FMyS_l14w-dAk>

On Apr 24, 2022, at 8:57 PM, Scott Kitterman <sklist@kitterman.com> wrote:
>
> For cases where strict alignment is not appropriate, this issue can be
> mitigated by periodically checking the DMARC records, if any, of PSDs above
> the organization's domains in the DNS tree and (for legacy [RFC 7489]
> checking that appropriate PSL entries remain present).  If a PSD domain
> publishes a DMARC record without the appropriate psd=y tag, organizational
> domain owners can add psd=n to their organizational domain's DMARC record
> so that the PSD record will not be incorrectly evaluated to be the
> organizational domain.

Though the risk’s low, “periodically checking the DMARC records, if any”
isn’t particularly reassuring. It’s like saying periodically give your
pilot a breathalyzer. :-)
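The mechanism the quoted paragraph describes, as an added example that is not part of the thread and not code from the DMARC working group: a simplified model of organizational-domain discovery by tree walk, run against a constructed in-memory zone table instead of live DNS. The domain names (`corp.psd.example`, `psd.example`, under the reserved `.example` TLD) are hypothetical, the `psd=y` / `psd=n` semantics follow the quoted text, and the model deliberately omits the draft's cap on the number of lookups. It shows the three situations the paragraph contrasts: a PSD that correctly publishes `psd=y`, the same PSD with the tag missing (the PSD is then evaluated as the organizational domain), and the `psd=n` mitigation on the organizational domain. `audit_psd_records` is the "periodically check the PSDs above you" step expressed as code, so it can be scheduled rather than remembered.

```python
# Added example: simplified DMARCbis-style organizational domain discovery
# over a constructed zone table. Not the working group's code; the exact
# lookup cap and check ordering of the draft are not reproduced.
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Parse 'tag=value; tag=value' DMARC record text into a dict of tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(domain: str, dns: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the parsed record published at _dmarc.<domain>, or None."""
    txt = dns.get(f"_dmarc.{domain}")
    if txt is None:
        return None
    tags = parse_dmarc(txt)
    return tags if tags.get("v") == "DMARC1" else None


def ancestors(domain: str) -> List[str]:
    """The domain itself, then each parent up to the TLD (root excluded)."""
    labels = domain.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def organizational_domain(domain: str, dns: Dict[str, str]) -> str:
    """Walk from the domain toward the root, following the quoted semantics:
    a record with psd=n names the organizational domain; a record with psd=y
    marks a PSD, so the organizational domain is one label longer; with no
    psd tag anywhere, the shortest domain that publishes a record wins."""
    shortest_with_record: Optional[str] = None
    previous: Optional[str] = None
    for candidate in ancestors(domain):
        tags = lookup_dmarc(candidate, dns)
        if tags is not None:
            psd = tags.get("psd", "u").lower()
            if psd == "n":
                return candidate
            if psd == "y":
                # Domain one label below the PSD; if the PSD itself was
                # queried, it is its own organizational domain.
                return previous if previous is not None else candidate
            shortest_with_record = candidate
        previous = candidate
    return shortest_with_record or domain.lower()


def audit_psd_records(org_domain: str, dns: Dict[str, str]) -> List[str]:
    """The periodic check from the thread: ancestors of the organizational
    domain that publish a DMARC record lacking psd=y. Each one would be
    evaluated as the organizational domain unless psd=n is asserted."""
    risky = []
    for ancestor in ancestors(org_domain)[1:]:
        tags = lookup_dmarc(ancestor, dns)
        if tags is not None and tags.get("psd", "").lower() != "y":
            risky.append(ancestor)
    return risky


# Constructed zone data (hypothetical names under the reserved .example TLD).
PSD_CORRECT = {
    "_dmarc.psd.example": "v=DMARC1; p=reject; psd=y",
    "_dmarc.corp.psd.example": "v=DMARC1; p=none; rua=mailto:dmarc@corp.psd.example",
}
# The PSD operator published a record but forgot psd=y.
PSD_MISSING_TAG = {
    "_dmarc.psd.example": "v=DMARC1; p=reject",
    "_dmarc.corp.psd.example": "v=DMARC1; p=none; rua=mailto:dmarc@corp.psd.example",
}
# Mitigation from the thread: the organizational domain asserts psd=n.
PSD_MISSING_TAG_MITIGATED = {
    "_dmarc.psd.example": "v=DMARC1; p=reject",
    "_dmarc.corp.psd.example": "v=DMARC1; p=none; psd=n; rua=mailto:dmarc@corp.psd.example",
}

if __name__ == "__main__":
    sender = "mail.corp.psd.example"
    for name, zone in [("psd=y present", PSD_CORRECT),
                       ("psd=y missing", PSD_MISSING_TAG),
                       ("psd=n mitigation", PSD_MISSING_TAG_MITIGATED)]:
        print(f"{name:18s} org={organizational_domain(sender, zone):18s} "
              f"risky ancestors={audit_psd_records('corp.psd.example', zone)}")
```

Running it prints the organizational domain the walk would pick for `mail.corp.psd.example` in each zone, together with the ancestors the audit flags; the middle case is the mis-evaluation the quoted paragraph warns about, and the audit flags `psd.example` there even before any mail is affected.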