IETF Logo Mail Archive

[dmarc-ietf] Overall last-call comments on DMARC

Jim Fenton <fenton@bluepopcorn.net> Mon, 01 April 2024 02:00 UTC

Return-Path: <fenton@bluepopcorn.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B68B0C14F60F for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 19:00:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bluepopcorn.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yWVcqBlOwvGQ for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 19:00:08 -0700 (PDT)
Received: from v2.bluepopcorn.net (v2.bluepopcorn.net [IPv6:2607:f2f8:a994::2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FA70C14F602 for <dmarc@ietf.org>; Sun, 31 Mar 2024 19:00:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bluepopcorn.net; s=supersize; h=Content-Type:MIME-Version:Message-ID:Date: Subject:To:From:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=66Em5uo2ThBFQHoaTR+djdl8zXnOEIRSI3xQmbFGE9A=; b=ugdN1VbPScY47qW0OxSEUVqmcG jtJiS20hx892UZfCuZfJ35vQqQPzz0hP87w+4uYwRunKOfbXVz5R9cUaK21Xl2qR4EU0Jpq69P2vl CR06t+2I3OK7E2HxtkpKHzLcff05tFx6LafjF5ykXA5IqLVOuh7ktSlgafLUswbnNL5I=;
Received: from [2601:647:6801:6430:75ef:9993:d6a1:7356] (helo=[10.10.20.233]) by v2.bluepopcorn.net with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <fenton@bluepopcorn.net>) id 1rr6xo-00023W-Dw for dmarc@ietf.org; Sun, 31 Mar 2024 19:00:07 -0700
From: Jim Fenton <fenton@bluepopcorn.net>
To: IETF DMARC WG <dmarc@ietf.org>
Date: Sun, 31 Mar 2024 19:00:03 -0700
X-Mailer: MailMate (1.14r5852)
Message-ID: <CFEA2796-9213-4847-836B-81E8770973F5@bluepopcorn.net>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="=_MailMate_39CC36B7-B284-4DC5-BE7F-992778B7C856_="
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Jt8E9WPOi7R9gzbVKk1cG5WxFUE>
Subject: [dmarc-ietf] Overall last-call comments on DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 02:00:12 -0000

In addition to the editorial review I have provided, I have significant 
concerns regarding the standardization of DMARC-bis. I do not expect 
that the working group rough consensus will necessarily agree with these 
concerns, but I want to state them for the working group and will 
probably restate them for a different audience at IETF last call.

I like to use the health care industry “safe and effective” analogy 
here.

## Safety

Deployment of the first iteration of DMARC has resulted in significant 
deployment problems, interfering with the delivery of some email from 
domains with a p=strict or p=quarantine policy. Examples are:

* Inappropriate use of p=reject and p=quarantine — Many domains 
publish restrictive policies in an effort to suppress misuse of their 
domain names, without regard for usage patterns. A number of online 
tools warn users and domain administrators that their domains aren’t 
fully protected if they don’t have a restricted policy, without regard 
to how the domain is used. Blanket policies, like DHS [BOD 
18-01](https://www.cisa.gov/news-events/directives/bod-18-01-enhance-email-and-web-security), 
require restrictive policies for a wide range of domains (in this case 
for all US Government agencies). It is unlikely that the publication of 
DMARC-bis will rectify either of these things.

* Mailing lists — Mailing list operators, including ietf.org, have had 
to implement rewriting of From addresses such as user@example.com 
becomes user=40example.com@dmarc.ietf.org when a p=strict or 
p=quarantine policy is in place. This works to some extent for IETF, but 
there is an enormous number of mailing list operators, each of whom 
would need to implement address rewriting. While address rewriting is 
not the recommended solution, it is widely used because of the 
widespread inappropriate use described above.

* Receive-side forwarders — Many receive-side forwarders (e.g. alumni 
and organizational domains providing affinity email addresses) preserve 
the integrity of DKIM signatures, but not all do. This is similar to the 
mailing list problem, except that it is more likely to occur even with 
domains used only for transactional email, which is otherwise one of the 
more promising use cases for DMARC.

## Effectiveness

There are also factors that call into question whether DMARC(-bis) does 
what it purports to do (protecting the domain name), or whether that is 
valuable:

* Visibility of domain names — One of the justifications given for 
DMARC deployment is to protect the sender’s domain name: to prevent 
attackers from spoofing the From address of addresses in that domain. 
But many mail user agents (an increasing number, it seems) do not 
display the sender’s email address, only the friendly name. In some 
cases, the recipient can request to see the message header or source, 
but this requires specific effort and would normally only be done when 
the user considers a message to be suspicious. I regularly receive 
messages claiming to be from a bank, a well-known brand ,or even from 
myself, but with a completely unrelated email address. These messages 
pass DMARC (because the domain in the From address is controlled by them 
or has no DMARC record) but are still effective as potential phishing 
messages. These are considered out of scope for DMARC.

* Normalization of rewriting — The rewriting of From addresses 
described above might serve to accustom users to From address rewriting. 
Messages with email addresses that look like they have been rewritten 
can easily be used by attackers to bypass DMARC policies and reporting.

## General

In 2013, a similar protocol, ADSP [RFC5617], was 
[changed](https://datatracker.ietf.org/doc/status-change-adsp-rfc5617-to-historic/) 
from standards track to historic, citing limited use and harm caused by 
incorrect configuration very similar to the inappropriate use of 
p=reject described above. While DMARC has had considerably more use than 
ADSP, the harm that has been caused is correspondingly higher.

Based on the above problems, I do not think DMARC-bis should be 
published as a standards track document by IETF.

-Jim

v2.23.0 | Report a Bug | By Email