Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

John Levine <johnl@taugh.com> Mon, 18 March 2024 01:36 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1AEAC14F610 for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 18:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.859
X-Spam-Level:
X-Spam-Status: No, score=-6.859 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iecc.com header.b="Beq5Wt9d"; dkim=pass (2048-bit key) header.d=taugh.com header.b="qu5zE0Mq"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tWGbAeueUaLP for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 18:36:33 -0700 (PDT)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9BAEC14F604 for <dmarc@ietf.org>; Sun, 17 Mar 2024 18:36:32 -0700 (PDT)
Received: (qmail 22507 invoked from network); 18 Mar 2024 01:36:31 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=57e965f79a9f.k2403; bh=s2cfwU+nCFFQ3BWHZUY1AfuzTtRk2GEPQN2J1GWc87g=; b=Beq5Wt9d9hfvdMKuLKLRcE7cFP08ArAC1krKg6Hj4sNX7hjlWCVPUrC1W+gDTlVJK/51KI9r3meyguv375Icpgsy/U+dIdq9xc8IUNNOx3Now+bg724RGJqhgDnCC6JmFCtjJHuZjU8nG++WqdyX84jesrcov8QnN6o4TQBwaeENpIFtaDa1qsT/dLaqJQuVm29WC81MgZm0PbL2uHdndgfc1SFrLt64y9+AJcPzyesnJvSAZt/TV4FhdLggWVdt196h3xzlm3ERXfWDtMjoH0DShJiJf8SHJoL/rEcG23YGzr3P4vR8cKyJNmdGom0mcvO9e8gR02m9Y5A3c0KpZw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:cleverness; s=57e965f79a9f.k2403; bh=s2cfwU+nCFFQ3BWHZUY1AfuzTtRk2GEPQN2J1GWc87g=; b=qu5zE0MqYjSW+jiu9FA5ZWtcZNiCLWzcZq27QGpft02fn+AN8OjERWsXZDiUnFeo7YebRGfPcE3JtfjauGmeRte5vD9JhqUEUZB+KohdTB8TbvJpyZPLoNJ3k1FNXUANBB817HtoERA6eZJ26Pc2SHCm2OzKigJxt/5FlUKlO0EfH2HncJhMZRpw6y0jMFRdxNbcs9ddnr3Oj1ScJnFFVmbVO2rxcomJgZt5a0VvaPdfMUgAcT94LIX6oHenqJGww2cRbB0GhdUiQoXxyBQ5PphrlxBIrSKZZ3LcXaeVFZ4T59HG/WzQ7SQMTG6ZDtqGxsTGGMoqxozNtMMzzXZZOQ==
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.3 ECDHE-RSA CHACHA20-POLY1305 AEAD) via TCP6; 18 Mar 2024 01:36:30 -0000
Received: by ary.qy (Postfix, from userid 501) id 455118593233; Sun, 17 Mar 2024 21:36:29 -0400 (EDT)
Date: Sun, 17 Mar 2024 21:36:29 -0400
Message-Id: <20240318013630.455118593233@ary.qy>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
Cc: sklist@kitterman.com
In-Reply-To: <2068150.yCtiIVWOOC@zini-1880>
Organization: Taughannock Networks
X-Headerized: yes
Cleverness: minimal
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/JDISmKLjiYidRdOw9kND4QPKVj8>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 01:36:38 -0000

Tightened up a little, reworded in view of the fact that your own
mail provider (M*r*s*ft) may let people spoof you through shared IP ranges.


>11.X  External Mail Sender Cross-Domain Forgery

Add this to 11.1 Authentication Methods


Both of the email authentication methods that underlie DMARC provide
some assurance that an email was transmitted by an MTA which is
authorized to do so. SPF policies map domain names to sets of
authorized MTAs [ref to RFC 7208, section 11.4]. Verified DKIM
signatures indicate that an email was transmitted by an MTA with
access to a private key that matches the published DKIM key record.

Whenever mail is sent, there is a risk that an overly permissive source
may send mail which will receive a DMARC pass result that was not, in
fact, authorized by the Domain Owner. These false positives may lead
to issues when systems interpret DMARC pass results to indicate
a message is in some way authentic. They also allow such unauthorized
senders to evade the Domain Owner's requested message handling for
authentication failures.

The only method to avoid this risk is to ensure that no unauthorized
source can add DKIM signatures to the domain's mail or transmit mail
which will evaluate as SPF pass. If nonetheless the Domain Owner wishes to
include a permissive source in a domain's SPF record, the source can
be excluded from DMARC consideration by using the '?' qualifier on the
SPF record mechanism associated with that source.

R's,
John
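To make the proposed text concrete, here is an added illustration (not part of John's message or of DMARCbis) of why the '?' qualifier removes a shared source from DMARC consideration. It is a deliberately simplified check_host() that only handles the ip4, include and all mechanisms, run over constructed SPF records for the hypothetical domains example.com and shared-provider.example (an assumed shared-IP mail provider); the addresses are documentation ranges, not real senders. DMARC only counts an SPF "pass" on an aligned domain, so an IP from the provider's shared range gets a DMARC pass under the permissive record but only "neutral" under the tightened one:

```python
import ipaddress

# Constructed SPF records for a hypothetical domain; not real DNS data.
# Permissive form: the shared provider is included with the default '+'.
RECORDS_PERMISSIVE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:shared-provider.example -all",
    "shared-provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
# Tightened form: the same include carries the '?' (neutral) qualifier.
RECORDS_TIGHTENED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ?include:shared-provider.example -all",
    "shared-provider.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records, depth=0):
    """Toy subset of RFC 7208 check_host(): ip4, include and all only.

    'include' matches when the included record evaluates to pass, and the
    include term's own qualifier then decides the result, which is exactly
    what lets '?include:' turn a provider's pass into neutral.
    """
    if depth > 10:
        return "permerror"  # include recursion limit, as in RFC 7208
    record = records.get(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        mechanism, _, argument = term.partition(":")
        if mechanism == "ip4":
            if addr in ipaddress.ip_network(argument, strict=False):
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            if check_host(ip, argument, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists, ptr, ip6 and modifiers are omitted from this toy
    return "neutral"  # no mechanism matched and no explicit 'all'


def dmarc_spf_auth(ip, mail_from_domain, from_header_domain, records):
    """Return (spf_result, counts_for_dmarc).

    DMARC treats only an SPF 'pass' as authentication, and only when the
    MAIL FROM domain aligns with the RFC5322.From domain. Strict alignment
    (exact match) is used here for simplicity; relaxed alignment would
    compare organizational domains instead.
    """
    result = check_host(ip, mail_from_domain, records)
    aligned = mail_from_domain == from_header_domain
    return result, (result == "pass" and aligned)


if __name__ == "__main__":
    # 198.51.100.7 stands for another tenant of the shared provider.
    for label, records in (("permissive", RECORDS_PERMISSIVE),
                           ("tightened", RECORDS_TIGHTENED)):
        spf, dmarc_ok = dmarc_spf_auth("198.51.100.7", "example.com",
                                       "example.com", records)
        print(f"{label}: spf={spf} dmarc_spf_auth={dmarc_ok}")
```

Note what the tightened record does and does not change: the provider's range can still transmit mail with example.com in MAIL FROM, but that mail no longer earns an SPF pass, so it can only reach DMARC pass through an aligned DKIM signature, which the Domain Owner controls. A receiver will see "neutral" rather than "pass" in the Authentication-Results header and in aggregate reports, which is also a useful signal for spotting which of a domain's sources are relying on the shared include.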