IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)

Hector Santos <hsantos@isdg.net> Thu, 14 March 2024 20:52 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CDC7C151063 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 13:52:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="j5SOb1Zb"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="JBY90QGm"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H5Z4pHG19E23 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 13:52:17 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7C7AC14F706 for <dmarc@ietf.org>; Thu, 14 Mar 2024 13:52:17 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=10091; t=1710449534; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Message-Id:Subject: Date:To:Organization:List-ID; bh=k3NUqUQxa+rR07hfov3PkWg90QJMfry 63vyOW0b96Y8=; b=j5SOb1ZbsMp+t5NPBpx+Q7s/OwUypTE7zZXlt/tJFWx1bEj 6F7PUlZAdIPW2NaLKYVXhrTVjwRqBIA8pwzKGttxhfw1/X9B/+GXwWj9owCCzrN7 kPt5/CTXbWo55WSYeTUsdinpM6Tcmev6N1GuGWQ4Oq5QY33LoGoofNlc7bGg=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.14) for dmarc@ietf.org; Thu, 14 Mar 2024 16:52:14 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.14) with ESMTP id 776913166.1318.5656; Thu, 14 Mar 2024 16:52:13 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=10091; t=1710449532; h=Received:Received: From:Message-Id:Subject:Date:To:Organization:List-ID; bh=k3NUqUQ xa+rR07hfov3PkWg90QJMfry63vyOW0b96Y8=; b=JBY90QGmKtNAk89hiIdz5qg ENeItpneEklSkgItvHfyr7JiinmDZUmlV8QabL97vxfukm2N94vAGm80xECQTPcq hRFLfQCjObzwXjxvyv42NCGBWE6bqlBfEyMjTwzMp9Ge3OlkZXEVa+tUN0JBQ3En sytbS7cvoweFa0pUsP+k=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Thu, 14 Mar 2024 16:52:12 -0400
Received: from smtpclient.apple ([99.122.210.89]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 1223175823.1.9836; Thu, 14 Mar 2024 16:52:11 -0400
From: Hector Santos <hsantos@isdg.net>
Message-Id: <C5DEE535-7B6E-4D7E-83FE-59EF42ED9286@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_222D90BF-432F-42A3-8F74-79B0D089A9D0"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Thu, 14 Mar 2024 16:52:00 -0400
In-Reply-To: <CAHej_8=0QEmCazTuEDKASBBoVwfpsPLJMpN11y+fo8+XtPv1Bg@mail.gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
References: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com> <09C7D830-5966-4EE5-AA86-003696B5ECEE@isdg.net> <CAHej_8=0QEmCazTuEDKASBBoVwfpsPLJMpN11y+fo8+XtPv1Bg@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.400.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/K3TW-XMktmmvgt087C-hZtf_Jvc>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 20:52:22 -0000

> On Mar 14, 2024, at 4:02 PM, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> 
> On Thu, Mar 14, 2024 at 3:25 PM Hector Santos <hsantos=40isdg.net@dmarc.ietf.org <mailto:40isdg.net@dmarc.ietf.org>> wrote:
>>> On Mar 14, 2024, at 10:09 AM, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org <mailto:40valimail.com@dmarc.ietf.org>> wrote:
>>> To configure SPF for DMARC, the Domain Owner MUST choose a domain to use as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail that aligns with the Author Domain, and then publish an SPF policy in DNS for that domain. The SPF record MUST be constructed at a minimum to ensure an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom domain.
>> 
>> A major consideration, Todd, is receivers will process SPF for SPF without DMARC (payload) considerations.  IOW, if SPF is a hardfail, we have SMTP processors who will not continue to transmit a payload (DATA).
>> 
>> DMARCBis is making a major design presumption receivers will only use SPF as a data point for a final DMARC evaluation where a potentially high overhead payload was transmitted only to be rejected anyway,  
> 
> I don't necessarily think your assertion is true here, or at least I'd submit that DMARCbis and RFC 7489 aren't approaching this subject any differently.
> 
> Section 10.1 from RFC 7489, titled "Issues Specific to SPF" had two paragraphs, the second of which reads:
> 
>    Some receiver architectures might implement SPF in advance of any
>    DMARC operations.  This means that a "-" prefix on a sender's SPF
>    mechanism, such as "-all", could cause that rejection to go into
>    effect early in handling, causing message rejection before any DMARC
>    processing takes place.  Operators choosing to use "-all" should be
>    aware of this.

Yes, I agree.  I am only reminding the community SPF can preempt DMARC with a restrictive hardfail policy.   Does DMARCBis integrate the tag to delay SPF failures?


> 
> DMARCbis contains the same two paragraphs with no change to the text, other than the section is now numbered 8.1.
> 
>> 
>>> In the ticket, I propose the following new text:
>>> 
>>> ==================================================
>>> To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.
>>> ==================================================
>> 
>> In order to maximize security, the Domain Owner is REQUIRED to choose a ….. 
>> 
>> Is REQUIRED the same as MUST?   I think SHOULD or MUST is fine as long as we specify the reason it is required,
> 
> I'm not understanding the comment you're making here, as I don't see the word "REQUIRED" in anything I wrote.

For any protocol, there are “Protocol Requirements,”   A MUST or SHOULD is a “Requirement” for proper support,  So I just wanted to just note that it can stated another way.  Developers need a Requirements Section that allow us to code the logic,

Its getting pretty confusing for implementors.

—
HLS

v2.23.0 | Report a Bug | By Email