IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

Scott Kitterman <sklist@kitterman.com> Mon, 18 March 2024 03:31 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28297C14F695 for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 20:31:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="tAlAcZts"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="InPgdGwg"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DaWfgEyTceRB for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 20:31:14 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4D3FC14F6AC for <dmarc@ietf.org>; Sun, 17 Mar 2024 20:31:13 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 7112AF80270; Sun, 17 Mar 2024 23:31:03 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1710732640; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=0FpfdhW3/84Me28PaKzqHqCzT1zyTr5fgRGoydKrwgE=; b=tAlAcZtsX/sXRZzEgCRRtCJ8Xsvur9UNltWuLkuUA9joM4dYaB7Ofnh34a4w41V7S2mqC bsaVDWr8K65Kjz2CQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1710732640; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=0FpfdhW3/84Me28PaKzqHqCzT1zyTr5fgRGoydKrwgE=; b=InPgdGwgGzp4noM5+2URMRXe5sf+rQl7LkPOEMX4HT0jq6uwV6tG2UBGQdsKr1CAZ4Syc VyRpLZmn2ykPkfZi7Uq1eCdBun6EcjPdi2Op7Ydjv0IAgn+qliyej84MbtLFJ4BvGWLbZnJ DX0dVq72P0F8CWWYt3pQBjYRIKf5HQSQfoxAcr29oAoi334/0OTjuOX9ynQlQVeLAX3i8B+ 2Yz1vrxgScoN8wueTRjJEqgek3Qbwtax2N+f/yIZC7PWjoAvf4e8/5BRgTE7+EylGlakFKQ FjNrPKOHDmilgFFxwAJMbYejfV3XfXNsL6C4br19JmO9l5zIKoSkQRHdMUnA==
Received: from [127.0.0.1] (unknown [24.248.18.5]) by interserver.kitterman.com (Postfix) with ESMTPSA id 41C38F801AA; Sun, 17 Mar 2024 23:30:40 -0400 (EDT)
Date: Mon, 18 Mar 2024 03:30:30 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <20240318013630.455118593233@ary.qy>
References: <20240318013630.455118593233@ary.qy>
Message-ID: <A09BF563-F0DF-4CA4-911D-43606805B3F9@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/JzPgQCqWentuuaze0HqBAQsEfKM>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 03:31:18 -0000


On March 18, 2024 1:36:29 AM UTC, John Levine <johnl@taugh.com> wrote:
>Tightened up a little, reworded in view of the fact that your own
>mail provider (M*r*s*ft) may let people spoof you through shared IP ranges.
>
>
>>11.X  External Mail Sender Cross-Domain Forgery
>
>Add this to 11.1 Authentication Methods
>
I agree about this.

>Both of the email authentication methods that underlie DMARC provide
>some assurance that an email was transmitted by an MTA which is
>authorized to do so. SPF policies map domain names to sets of
>authorized MTAs [ref to RFC 7208, section 11.4]. Verified DKIM
>signatures indicate that an email was transmitted by an MTA with
>access to a private key that matches the published DKIM key record.
>
>Whenever mail is sent, there is a risk that an overly permissive source
>may send mail which will receive a DMARC pass result that was not, in
>fact, authorized by the Domain Owner. These false positives may lead
>to issues when systems interpret DMARC pass results to indicate
>a message is in some way authentic. They also allow such unauthorized
>senders to evade the Domain Owner's requested message handling for
>authentication failures.
>
>The only method to avoid this risk is to ensure that no unauthorized
>source can add DKIM signatures to the domain's mail or transmit mail
>which will evaluate as SPF pass. If nonetheless domain owner wishes to
>include a permissive source in a domain's SPF record, the source can
>be excluded from DMARC consideration by using the '?' qualifier on the
>SPF record mechanism associated with that source.

I'm fine with this.

Thanks,

Scott K

v2.23.0 | Report a Bug | By Email