Archive

Re: [dmarc-ietf] Ticket #1 - SPF alignment

Todd Herr <todd.herr@valimail.com> Mon, 25 January 2021 21:05 UTC

MIME-Version: 1.0
References: <bef64e7a-571b-a73f-dc91-aa402ca320c8@taugh.com> <45b3df7-5c6-9744-2ca8-1542e1b33e7b@taugh.com> <478c7b56-f2b4-c7c1-7722-27fdce4bb8e9@tana.it> <CAHej_8=UTfpVBZJnP6anWshO+6ytU7jb4nybru2gmkFDHZwH5w@mail.gmail.com> <ebf4303b-88e0-4caa-267c-30c2c7516f24@tana.it>
In-Reply-To: <ebf4303b-88e0-4caa-267c-30c2c7516f24@tana.it>
From: Todd Herr <todd.herr@valimail.com>
Date: Mon, 25 Jan 2021 16:04:33 -0500
Message-ID: <CAHej_8nTCxAOZeT-3snPZ0c+pht=kLAX=J-cccUVHaY4c+cHCQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006d2e9705b9bfe312"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KEgXmhBimyn4sb_WYbDJtiR8hwY>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
Precedence: list

On Thu, Jan 21, 2021 at 4:24 AM Alessandro Vesely <vesely@tana.it> wrote

>
> I agree that the spec needs some text somewhere to counter the passage in
> Section 2.3 of RFC 7208.  This, methinks, is the intended semantics of the
> second paragraph of section 3.1.2 of dmarcbis:
>
> OLD:
>     Note that the RFC5321.HELO identity is not typically used in the
>     context of DMARC (except when required to "fake" an otherwise null
>     reverse-path), even though a "pure SPF" implementation according to
>     [RFC7208] would check that identifier.
>
> I'd rather replace that paragraph and leave item 4 of Section 6.6.2 as
> is.  For
> a possibly less confusing wording:
>
> NEW:
>
>     Even tough a "pure SPF" implementation, according to [RFC7208], would
>     avoid to check the RFC5321.MailFrom identity if the RFC5321.HELO was
>     conclusively determined to pass, DMARC authentication requires the
>     authenticated identity to be aligned.
>
>
May I propose that the section labeled "SPF-Authenticated Identifiers" be
rewritten as follows:

CURRENT:

   DMARC permits Identifier Alignment, based on the result of an SPF
   authentication, to be strict or relaxed.

   In relaxed mode, the [SPF
<https://tools.ietf.org/html/rfc7489#ref-SPF>]-authenticated domain
and RFC5322 <https://tools.ietf.org/html/rfc5322>.From
   domain must have the same Organizational Domain.  In strict mode,
   only an exact DNS domain match is considered to produce Identifier
   Alignment.

   Note that the RFC5321 <https://tools.ietf.org/html/rfc5321>.HELO
identity is not typically used in the
   context of DMARC (except when required to "fake" an otherwise null
   reverse-path), even though a "pure SPF" implementation according to
   [SPF <https://tools.ietf.org/html/rfc7489#ref-SPF>] would check
that identifier.

   For example, if a message passes an SPF check with an
   RFC5321 <https://tools.ietf.org/html/rfc5321>.MailFrom domain of
"cbg.bounces.example.com", and the address
   portion of the RFC5322 <https://tools.ietf.org/html/rfc5322>.From
field contains "payments@example.com".com",
   the Authenticated RFC5321
<https://tools.ietf.org/html/rfc5321>.MailFrom domain identifier and
the
   RFC5322 <https://tools.ietf.org/html/rfc5322>.From domain are
considered to be "in alignment" in relaxed

   mode, but not in strict mode.



NEW:

DMARC permits Identifier Alignment, based on the result of an SPF

authentication, to be strict or relaxed.


In relaxed mode, the [@!RFC3986]-authenticated domain and RFC5322.From

domain must have the same Organizational Domain.  In strict mode,

only an exact DNS domain match is considered to produce Identifier

Alignment.


For example, if a message passes an SPF check with an

RFC5321.MailFrom domain of "cbg.bounces.example.com", and the address

portion of the RFC5322.From field contains "payments@example.com".com",

the Authenticated RFC5321.MailFrom domain identifier and the

RFC5322.From domain are considered to be "in alignment" in relaxed

mode, but not in strict mode. In order for the two identifiers to

be considered "in alignment" in strict mode, the domain parts would

have to be identical.


The reader should note that SPF alignment checks in DMARC rely solely

on the RFC5321.MailFrom domain. This differs from section 2.3 of
[@!RFC7208],

which recommends that SPF checks be done on not only the "MAIL FROM"

but also on a separate check of the "HELO" identity.



-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*p:* 703.220.4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

[dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
Re: [dmarc-ietf] Ticket #1 - SPF alignment Dotzero
Re: [dmarc-ietf] Ticket #1 - SPF alignment Kurt Andersen (b)
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Todd Herr
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Todd Herr
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Murray S. Kucherawy
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Michael Thomas
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Hector Santos
Re: [dmarc-ietf] Ticket #1 - SPF alignment Hector Santos
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Jim Fenton
Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment John R Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Dotzero
Re: [dmarc-ietf] Ticket #1 - SPF alignment Kurt Andersen (b)
Re: [dmarc-ietf] Ticket #1 - SPF alignment Dave Crocker
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Todd Herr
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Kurt Andersen (b)
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Dave Crocker
Re: [dmarc-ietf] Ticket #1 - SPF alignment Alessandro Vesely
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Douglas Foster
Re: [dmarc-ietf] Ticket #1 - SPF alignment Scott Kitterman
Re: [dmarc-ietf] Ticket #1 - SPF alignment Seth Blank
Re: [dmarc-ietf] Ticket #1 - SPF alignment John Levine