Re: [dmarc-ietf] p=quarantine
Hector Santos <hsantos@isdg.net> Fri, 11 December 2020 16:10 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F31F3A0CEB for <dmarc@ietfa.amsl.com>; Fri, 11 Dec 2020 08:10:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=QT6hGwFg; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=UgZc3Awr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hlvsnj3oVNm for <dmarc@ietfa.amsl.com>; Fri, 11 Dec 2020 08:10:57 -0800 (PST)
Received: from mail.winserver.com (news.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20C573A0CEA for <dmarc@ietf.org>; Fri, 11 Dec 2020 08:10:56 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4120; t=1607703051; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=KZZbd110SxH7k5sO35/J0Td3Eqpe uCv9hHeW9EedW6w=; b=QT6hGwFgkQQRLY0yr7mtTUZOFh20V2VHn7x0vODwNhN1 bBeUBw6l2lwfSPt+k2LO5RKX2BZrIpp+XtifAHjhPLVLsYktHUHXVtviA/+Q/0QT u9FgHT8HJrAxWPdBfYg4F2hvRBHT7rW/EfNB4Rokm/otVaGCKqPRYw8w7fra+aw=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Fri, 11 Dec 2020 11:10:51 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1143134223.6153.1260; Fri, 11 Dec 2020 11:10:51 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4120; t=1607702710; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=KZZbd11 0SxH7k5sO35/J0Td3EqpeuCv9hHeW9EedW6w=; b=UgZc3AwrA9cq+UzQN4uNSf1 bOd+CP6j+ebwb5LBqMZpuGwqHz4JQmYKAa8Ng4OcIJTUBY/kGIipGMjk8YqBQX47 0BwfMi0Nm+DG9a7G2OK3kaBWcD+GZsGEM4WEHf+hI4M95O2SuArDF5fyjztcc95+ xGrJ2x5RGPLljDXP6zlU=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Fri, 11 Dec 2020 11:05:10 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1010014439.1.2976; Fri, 11 Dec 2020 11:05:09 -0500
Message-ID: <5FD39A0E.5000300@isdg.net>
Date: Fri, 11 Dec 2020 11:10:54 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Dave Crocker <dcrocker@gmail.com>, "Kurt Andersen (b)" <kboth@drkurt.com>
CC: IETF DMARC WG <dmarc@ietf.org>
References: <923de33f-3707-facf-389e-371f6ee64008@gmail.com> <16B0B820-7080-4937-8642-3A6B84B441AA@gmail.com> <c1a8c519-8d2e-f287-48d1-00ac74d22b49@gmail.com> <CABuGu1rCHRofp+M7uQXhEYuTLJiL94nwY-9icwQrNiLiA=anaQ@mail.gmail.com> <1f5b3e62-e6f4-0bc2-221e-362667536727@gmail.com> <CABuGu1pC3FyMKi-6UZJTNUvGXF9u5qX84fUm=OzKvYcO-gRYsQ@mail.gmail.com> <8e0ff141-2842-606c-91e9-e588edab7ef1@gmail.com>
In-Reply-To: <8e0ff141-2842-606c-91e9-e588edab7ef1@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KYOO885sAyhwN3L7UNpjIwuqolM>
Subject: Re: [dmarc-ietf] p=quarantine
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 16:11:00 -0000
On 12/10/2020 9:26 PM, Dave Crocker wrote: > On 12/10/2020 6:01 PM, Kurt Andersen (b) wrote: >> I think that is much closer to the right semantic but highlights a >> problem that the mail coming from a particular domain probably >> doesn't rate a single broad-brush characterization of seriousness. > > I've assumed the none, quarantine, reject choices are meant to > indicate just how certain the domain owner is that the mail is > problematic. > > Perhaps: >+ > none: not certain at all > > quarantine: I believe I've got control of all my sending, but am > not 100% positive > > reject: I have control of all my sending; if it doesn't pass > DMARC, it's use of the domain is bogus. When it comes to keeping focus with the purpose of SPF and DKIM-POLICY protocols and its implementation out of the box, default behavior: 1) The main purpose is Receiver Abuse Control. 2) Special attention to Port 25 Unsolicited Anonymous Senders and Message Authors. 3) For authenticated, authorized, white listed clients, SPF and DKIM do not apply, mail is always accepted. Hard policies with SPF and DKIM-POLICY are honored aggressively. Softer policies are processed, classified and passed through to next filters, if any remaining, i.e. GreyListing. * SPF -ALL, REJECT - Receiver rejects at MAIL FROM state with a 550 response. * ADSP DKIM=DISCARDABLE, Receiver rejects at SMTP DATA state with a negative 550 DATA response. * DMARC p=reject, Receiver rejects at SMTP DATA state with a negative 550 DATA response. * DMARC p=quarantine, Receiver accepts at SMTP. Mail is moved outside targeted users' main inbox mail stream, i.e. can not be picked up by user's POP3 or normal mail pickup process. The user has to login in online to see the mail in another non-inbox folder, i.e. spam box. Thats it. No reporting. Period. The domain should be grateful their public mail policy instructions is being honored for strict operations at compliant receivers. I hope their compliant receivers are also honoring our strict public mail policies as well to help protect fraudulent usage. I really do not need a report for the expected action when fraudulent mail is detected. Overall, the receiver is doing the domain a favor by helping them protect their domain reputation from possible fraudulent usage of their domains, and at the same time, it is helping its own system and the target hosted user from potential abuse as well -- a win win situation. For List-related situations, the receiver follows the 2006 DSAP recommendations: https://tools.ietf.org/html/draft-santos-dkim-dsap-00 1) If a new subscribing domain has a restrictive public mail policy with ADSP and/or DMARC, the subscription is denied. 2) Incoming messages are checked for mailing list destinations. If the submitter's domain have restrictive public mail policies with ADSP or DMARC, the submission is rejected with a 550. With these two simple peripheral filters, there was no need to modify the legacy list server source code for Rewriting or anything else related to the "in-direct" mail problem. The DMARCbis codification/changes I am looking for are: 1) Improvements in the DNS lookup algorithm, optional additional lookups should be provided or referenced. 2) Recognition and support for ATPS to cover 3rd party authorization. and other fine tunning, clarifications, for example, in another thread, it was stated: "When you switch to p=quarantine pct=0, no one should apply quarantine (so it's equivalent to p=none)," I thought the "pct=" was related to when reporting should be applied. I apparently read it wrong. This needs to be code reviewed and corrected on our end, if needed. We are not doing reporting at this time. Not the main focus. That can come later as an augmented feature, in fact, we might consider it as a paid service to be sending thousands report out to domains. Keep it simple folks. Be safe and have a great weekend. Thanks -- Hector Santos, https://secure.santronics.com https://twitter.com/hectorsantos
- [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Dotzero
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Dotzero
- Re: [dmarc-ietf] p=quarantine Benny Pedersen
- Re: [dmarc-ietf] p=quarantine John Levine
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine tjw ietf
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Kurt Andersen (b)
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Kurt Andersen (b)
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Hector Santos
- Re: [dmarc-ietf] p=quarantine Dotzero
- Re: [dmarc-ietf] p=quarantine Hector Santos
- Re: [dmarc-ietf] p=quarantine Kurt Andersen (b)
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Laura Atkins
- Re: [dmarc-ietf] p=quarantine John Levine
- Re: [dmarc-ietf] p=quarantine Hector Santos
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine John R Levine
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Douglas Foster
- Re: [dmarc-ietf] p=quarantine Dotzero
- Re: [dmarc-ietf] p=quarantine Laura Atkins
- Re: [dmarc-ietf] p=quarantine Douglas Foster
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Douglas Foster
- Re: [dmarc-ietf] p=quarantine Laura Atkins
- Re: [dmarc-ietf] p=quarantine Laura Atkins
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Dave Crocker
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Tim Wicinski
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Douglas Foster
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Dotzero
- Re: [dmarc-ietf] p=quarantine Alessandro Vesely
- Re: [dmarc-ietf] p=quarantine Todd Herr
- Re: [dmarc-ietf] p=quarantine Douglas Foster
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Alessandro Vesely
- Re: [dmarc-ietf] ARC vs p=quarantine John Levine
- Re: [dmarc-ietf] ARC vs p=quarantine Dotzero
- Re: [dmarc-ietf] ARC vs p=quarantine Alessandro Vesely
- Re: [dmarc-ietf] p=quarantine Todd Herr
- Re: [dmarc-ietf] ARC vs p=quarantine John R Levine
- Re: [dmarc-ietf] p=quarantine Douglas Foster
- Re: [dmarc-ietf] ARC vs p=quarantine Benny Pedersen
- Re: [dmarc-ietf] ARC vs p=quarantine Michael Thomas
- Re: [dmarc-ietf] ARC vs p=quarantine Benny Pedersen
- Re: [dmarc-ietf] ARC vs p=quarantine Alessandro Vesely
- Re: [dmarc-ietf] p=quarantine Alessandro Vesely
- Re: [dmarc-ietf] ARC vs p=quarantine Benny Pedersen
- Re: [dmarc-ietf] ARC vs p=quarantine Alessandro Vesely
- Re: [dmarc-ietf] p=quarantine Todd Herr
- Re: [dmarc-ietf] p=quarantine Michael Thomas
- Re: [dmarc-ietf] p=quarantine Alessandro Vesely