Re: [dmarc-ietf] Ticket #1 - SPF alignment

Todd Herr <todd.herr@valimail.com> Mon, 25 January 2021 21:05 UTC

References: <bef64e7a-571b-a73f-dc91-aa402ca320c8@taugh.com> <45b3df7-5c6-9744-2ca8-1542e1b33e7b@taugh.com> <478c7b56-f2b4-c7c1-7722-27fdce4bb8e9@tana.it> <CAHej_8=UTfpVBZJnP6anWshO+6ytU7jb4nybru2gmkFDHZwH5w@mail.gmail.com> <ebf4303b-88e0-4caa-267c-30c2c7516f24@tana.it>
In-Reply-To: <ebf4303b-88e0-4caa-267c-30c2c7516f24@tana.it>
From: Todd Herr <todd.herr@valimail.com>
Date: Mon, 25 Jan 2021 16:04:33 -0500
Message-ID: <CAHej_8nTCxAOZeT-3snPZ0c+pht=kLAX=J-cccUVHaY4c+cHCQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KEgXmhBimyn4sb_WYbDJtiR8hwY>

On Thu, Jan 21, 2021 at 4:24 AM Alessandro Vesely <vesely@tana.it> wrote:

>
> I agree that the spec needs some text somewhere to counter the passage in
> Section 2.3 of RFC 7208.  This, methinks, is the intended semantics of the
> second paragraph of section 3.1.2 of dmarcbis:
>
> OLD:
>     Note that the RFC5321.HELO identity is not typically used in the
>     context of DMARC (except when required to "fake" an otherwise null
>     reverse-path), even though a "pure SPF" implementation according to
>     [RFC7208] would check that identifier.
>
> I'd rather replace that paragraph and leave item 4 of Section 6.6.2 as
> is.  For a possibly less confusing wording:
>
> NEW:
>
>     Even though a "pure SPF" implementation, according to [RFC7208], would
>     avoid checking the RFC5321.MailFrom identity if the RFC5321.HELO was
>     conclusively determined to pass, DMARC authentication requires the
>     authenticated identity to be aligned.
>
>
May I propose that the section labeled "SPF-Authenticated Identifiers" be
rewritten as follows:

CURRENT:

   DMARC permits Identifier Alignment, based on the result of an SPF
   authentication, to be strict or relaxed.

   In relaxed mode, the [SPF]-authenticated domain and RFC5322.From
   domain must have the same Organizational Domain.  In strict mode,
   only an exact DNS domain match is considered to produce Identifier
   Alignment.

   Note that the RFC5321.HELO identity is not typically used in the
   context of DMARC (except when required to "fake" an otherwise null
   reverse-path), even though a "pure SPF" implementation according to
   [SPF] would check that identifier.

   For example, if a message passes an SPF check with an
   RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address
   portion of the RFC5322.From field contains "payments@example.com",
   the Authenticated RFC5321.MailFrom domain identifier and the
   RFC5322.From domain are considered to be "in alignment" in relaxed
   mode, but not in strict mode.



NEW:

DMARC permits Identifier Alignment, based on the result of an SPF
authentication, to be strict or relaxed.

In relaxed mode, the [@!RFC3986]-authenticated domain and RFC5322.From
domain must have the same Organizational Domain.  In strict mode,
only an exact DNS domain match is considered to produce Identifier
Alignment.

For example, if a message passes an SPF check with an
RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address
portion of the RFC5322.From field contains "payments@example.com",
the Authenticated RFC5321.MailFrom domain identifier and the
RFC5322.From domain are considered to be "in alignment" in relaxed
mode, but not in strict mode. In order for the two identifiers to
be considered "in alignment" in strict mode, the domain parts would
have to be identical.

The reader should note that SPF alignment checks in DMARC rely solely
on the RFC5321.MailFrom domain. This differs from section 2.3 of
[@!RFC7208], which recommends that SPF checks be done on not only the
"MAIL FROM" but also on a separate check of the "HELO" identity.



-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*p:* 703.220.4153


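To make the distinction discussed in this thread concrete, here is an added illustration (not code from the thread, the DMARC drafts or any real implementation) of a DMARC-style SPF alignment check: the identity DMARC aligns is the RFC5321.MailFrom domain, the HELO identity stands in only for a null reverse-path, and relaxed mode compares Organizational Domains while strict mode requires an exact match. The `PUBLIC_SUFFIXES` set is a constructed stub in place of the real Public Suffix List, and the `spf` result dictionary is an assumed shape for per-identity SPF results.

```python
from typing import Optional

# Constructed stub standing in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Registrable domain: one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # first hit is the longest matching suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES and i > 0:
            return ".".join(labels[i - 1:])
    return domain.lower()


def spf_authenticated_domain(spf: dict, mail_from: str, helo: str) -> Optional[str]:
    """Identity DMARC may align on.

    With a non-null reverse-path only an SPF pass on the RFC5321.MailFrom
    identity counts; a HELO-only pass is ignored. With MAIL FROM:<> the
    RFC5321.HELO domain stands in for the missing MailFrom domain.
    """
    if mail_from:
        passed = spf.get("mailfrom") == "pass"
        return mail_from.rsplit("@", 1)[-1].lower() if passed else None
    return helo.lower() if spf.get("helo") == "pass" else None


def spf_aligned(spf: dict, mail_from: str, helo: str,
                rfc5322_from: str, mode: str = "r") -> bool:
    """Relaxed ('r'): same Organizational Domain; strict ('s'): exact match."""
    auth = spf_authenticated_domain(spf, mail_from, helo)
    if auth is None:
        return False
    from_dom = rfc5322_from.rsplit("@", 1)[-1].lower()
    if mode == "s":
        return auth == from_dom
    return organizational_domain(auth) == organizational_domain(from_dom)


if __name__ == "__main__":
    # Constructed inputs mirroring the example in the proposed text.
    spf = {"mailfrom": "pass", "helo": "pass"}
    args = ("bounce@cbg.bounces.example.com", "mx.example.com", "payments@example.com")
    print("relaxed:", spf_aligned(spf, *args, "r"))  # True
    print("strict: ", spf_aligned(spf, *args, "s"))  # False
    # HELO-only pass with a failing MailFrom: no identity to align.
    print("helo-only:", spf_aligned({"mailfrom": "fail", "helo": "pass"}, *args, "r"))  # False
```
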