Re: [dmarc-ietf] Ticket #1 - SPF alignment
Todd Herr <todd.herr@valimail.com> Mon, 25 January 2021 21:05 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KEgXmhBimyn4sb_WYbDJtiR8hwY>
On Thu, Jan 21, 2021 at 4:24 AM Alessandro Vesely <vesely@tana.it> wrote:

> I agree that the spec needs some text somewhere to counter the passage in
> Section 2.3 of RFC 7208. This, methinks, is the intended semantics of the
> second paragraph of section 3.1.2 of dmarcbis:
>
> OLD:
>     Note that the RFC5321.HELO identity is not typically used in the
>     context of DMARC (except when required to "fake" an otherwise null
>     reverse-path), even though a "pure SPF" implementation according to
>     [RFC7208] would check that identifier.
>
> I'd rather replace that paragraph and leave item 4 of Section 6.6.2 as is.
> For a possibly less confusing wording:
>
> NEW:
>
>     Even though a "pure SPF" implementation, according to [RFC7208], would
>     avoid checking the RFC5321.MailFrom identity if the RFC5321.HELO was
>     conclusively determined to pass, DMARC authentication requires the
>     authenticated identity to be aligned.
>

May I propose that the section labeled "SPF-Authenticated Identifiers" be rewritten as follows:

CURRENT:

DMARC permits Identifier Alignment, based on the result of an SPF authentication, to be strict or relaxed.

In relaxed mode, the [SPF]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment.

Note that the RFC5321.HELO identity is not typically used in the context of DMARC (except when required to "fake" an otherwise null reverse-path), even though a "pure SPF" implementation according to [SPF] would check that identifier.

For example, if a message passes an SPF check with an RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address portion of the RFC5322.From field contains "payments@example.com", the Authenticated RFC5321.MailFrom domain identifier and the RFC5322.From domain are considered to be "in alignment" in relaxed mode, but not in strict mode.

NEW:

DMARC permits Identifier Alignment, based on the result of an SPF authentication, to be strict or relaxed.

In relaxed mode, the [@!RFC3986]-authenticated domain and RFC5322.From domain must have the same Organizational Domain. In strict mode, only an exact DNS domain match is considered to produce Identifier Alignment.

For example, if a message passes an SPF check with an RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address portion of the RFC5322.From field contains "payments@example.com", the Authenticated RFC5321.MailFrom domain identifier and the RFC5322.From domain are considered to be "in alignment" in relaxed mode, but not in strict mode. In order for the two identifiers to be considered "in alignment" in strict mode, the domain parts would have to be identical.

The reader should note that SPF alignment checks in DMARC rely solely on the RFC5321.MailFrom domain. This differs from section 2.3 of [@!RFC7208], which recommends that SPF checks be done on not only the "MAIL FROM" but also on a separate check of the "HELO" identity.

--
*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*p:* 703.220.4153
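The alignment rule in the NEW text above, written out as an added Python example; it is not part of the original message or of any DMARC implementation. `PUBLIC_SUFFIXES` is a constructed stand-in for the Public Suffix List, and the function names and the shape of `spf_results` are assumptions made for illustration.

```python
# Constructed mini suffix set (assumption); a real evaluator loads the full
# Public Suffix List to find the Organizational Domain.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk"}


def organizational_domain(domain):
    """Return the longest matching public suffix plus one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i = 0 tries the longest candidate first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # max() covers a name that is itself a public suffix
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown TLD: assume a one-label suffix


def domain_of(address):
    """Domain part of an address such as the RFC5322.From addr-spec."""
    return address.rsplit("@", 1)[-1].lower().rstrip(".")


def spf_aligned(spf_results, header_from, mode="relaxed"):
    """spf_results maps an SPF identity ("mailfrom", "helo") to (domain, result).

    Only a passing RFC5321.MailFrom identity can produce alignment; a HELO
    pass on its own is ignored, as the NEW text states.
    """
    domain, result = spf_results.get("mailfrom", (None, "none"))
    if result != "pass" or not domain:
        return False
    mail_domain = domain.lower().rstrip(".")
    from_domain = domain_of(header_from)
    if mode == "strict":
        return mail_domain == from_domain
    return organizational_domain(mail_domain) == organizational_domain(from_domain)


# Constructed sample results, using the domains from the message's example.
BOUNCE = {"mailfrom": ("cbg.bounces.example.com", "pass")}
HELO_ONLY = {"helo": ("mail.example.com", "pass"),
             "mailfrom": ("bounces.example.com", "fail")}
UK = {"mailfrom": ("mail.example.co.uk", "pass")}

if __name__ == "__main__":
    for name, res, frm in [("bounce", BOUNCE, "payments@example.com"),
                           ("helo-only", HELO_ONLY, "payments@example.com"),
                           ("co.uk", UK, "billing@other.co.uk")]:
        print(name, spf_aligned(res, frm, "relaxed"), spf_aligned(res, frm, "strict"))
```

The `co.uk` case shows why relaxed mode compares Organizational Domains rather than trailing labels: two unrelated registrants under the same multi-label suffix do not align.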