IETF Logo Mail Archive

Re: [dmarc-ietf] p=quarantine

Hector Santos <hsantos@isdg.net> Fri, 11 December 2020 16:10 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F31F3A0CEB for <dmarc@ietfa.amsl.com>; Fri, 11 Dec 2020 08:10:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=QT6hGwFg; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=UgZc3Awr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1hlvsnj3oVNm for <dmarc@ietfa.amsl.com>; Fri, 11 Dec 2020 08:10:57 -0800 (PST)
Received: from mail.winserver.com (news.winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20C573A0CEA for <dmarc@ietf.org>; Fri, 11 Dec 2020 08:10:56 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4120; t=1607703051; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=KZZbd110SxH7k5sO35/J0Td3Eqpe uCv9hHeW9EedW6w=; b=QT6hGwFgkQQRLY0yr7mtTUZOFh20V2VHn7x0vODwNhN1 bBeUBw6l2lwfSPt+k2LO5RKX2BZrIpp+XtifAHjhPLVLsYktHUHXVtviA/+Q/0QT u9FgHT8HJrAxWPdBfYg4F2hvRBHT7rW/EfNB4Rokm/otVaGCKqPRYw8w7fra+aw=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Fri, 11 Dec 2020 11:10:51 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1143134223.6153.1260; Fri, 11 Dec 2020 11:10:51 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4120; t=1607702710; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=KZZbd11 0SxH7k5sO35/J0Td3EqpeuCv9hHeW9EedW6w=; b=UgZc3AwrA9cq+UzQN4uNSf1 bOd+CP6j+ebwb5LBqMZpuGwqHz4JQmYKAa8Ng4OcIJTUBY/kGIipGMjk8YqBQX47 0BwfMi0Nm+DG9a7G2OK3kaBWcD+GZsGEM4WEHf+hI4M95O2SuArDF5fyjztcc95+ xGrJ2x5RGPLljDXP6zlU=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Fri, 11 Dec 2020 11:05:10 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1010014439.1.2976; Fri, 11 Dec 2020 11:05:09 -0500
Message-ID: <5FD39A0E.5000300@isdg.net>
Date: Fri, 11 Dec 2020 11:10:54 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Dave Crocker <dcrocker@gmail.com>, "Kurt Andersen (b)" <kboth@drkurt.com>
CC: IETF DMARC WG <dmarc@ietf.org>
References: <923de33f-3707-facf-389e-371f6ee64008@gmail.com> <16B0B820-7080-4937-8642-3A6B84B441AA@gmail.com> <c1a8c519-8d2e-f287-48d1-00ac74d22b49@gmail.com> <CABuGu1rCHRofp+M7uQXhEYuTLJiL94nwY-9icwQrNiLiA=anaQ@mail.gmail.com> <1f5b3e62-e6f4-0bc2-221e-362667536727@gmail.com> <CABuGu1pC3FyMKi-6UZJTNUvGXF9u5qX84fUm=OzKvYcO-gRYsQ@mail.gmail.com> <8e0ff141-2842-606c-91e9-e588edab7ef1@gmail.com>
In-Reply-To: <8e0ff141-2842-606c-91e9-e588edab7ef1@gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KYOO885sAyhwN3L7UNpjIwuqolM>
Subject: Re: [dmarc-ietf] p=quarantine
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Dec 2020 16:11:00 -0000

On 12/10/2020 9:26 PM, Dave Crocker wrote:
> On 12/10/2020 6:01 PM, Kurt Andersen (b) wrote:
>> I think that is much closer to the right semantic but highlights a
>> problem that the mail coming from a particular domain probably
>> doesn't rate a single broad-brush characterization of seriousness.
>
> I've assumed the none, quarantine, reject choices are meant to
> indicate just how certain the domain owner is that the mail is
> problematic.
>
> Perhaps:
>+
>      none: not certain at all
>
>      quarantine: I believe I've got control of all my sending, but am
> not 100% positive
>
>      reject: I have control of all my sending; if it doesn't pass
> DMARC, it's use of the domain is bogus.


When it comes to keeping focus with the purpose of SPF and DKIM-POLICY 
protocols and its implementation out of the box, default behavior:

1) The main purpose is Receiver Abuse Control.

2) Special attention to Port 25 Unsolicited Anonymous Senders and 
Message Authors.

3) For authenticated, authorized, white listed clients, SPF and DKIM 
do not apply, mail is always accepted.

Hard policies with SPF and DKIM-POLICY are honored aggressively. 
Softer policies are processed, classified and passed through to next 
filters, if any remaining, i.e. GreyListing.

* SPF -ALL, REJECT - Receiver rejects at MAIL FROM state with a 550 
response.

* ADSP DKIM=DISCARDABLE, Receiver rejects at SMTP DATA state with a 
negative 550 DATA response.

* DMARC p=reject, Receiver rejects at SMTP DATA state with a negative 
550 DATA response.

* DMARC p=quarantine, Receiver accepts at SMTP. Mail is moved outside 
targeted users' main inbox mail stream, i.e. can not be picked up by 
user's POP3 or normal mail pickup process. The user has to login in 
online to see the mail in another non-inbox folder, i.e. spam box.

Thats it.  No reporting. Period.

The domain should be grateful their public mail policy instructions is 
being honored for strict operations at compliant receivers. I hope 
their compliant receivers are also honoring our strict public mail 
policies as well to help protect fraudulent usage. I really do not 
need a report for the expected action when fraudulent mail is detected.

Overall, the receiver is doing the domain a favor by helping them 
protect their domain reputation from possible fraudulent usage of 
their domains, and at the same time, it is helping its own system and 
the target hosted user from potential abuse as well -- a win win 
situation.

For List-related situations, the receiver follows the 2006 DSAP 
recommendations:

https://tools.ietf.org/html/draft-santos-dkim-dsap-00

1) If a new subscribing domain has a restrictive public mail policy 
with ADSP and/or DMARC, the subscription is denied.

2) Incoming messages are checked for mailing list destinations. If the 
submitter's domain have restrictive public mail policies with ADSP or 
DMARC, the submission is rejected with a 550.

With these two simple peripheral filters, there was no need to modify 
the legacy list server source code for Rewriting or anything else 
related to the "in-direct" mail problem.

The DMARCbis codification/changes I am looking for are:

1) Improvements in the DNS lookup algorithm, optional additional 
lookups should be provided or referenced.

2) Recognition and support for ATPS to cover 3rd party authorization.

and other fine tunning, clarifications, for example, in another 
thread, it was stated:

"When you switch to p=quarantine pct=0, no one should apply quarantine 
(so it's equivalent to p=none),"

I thought the "pct=" was related to when reporting should be applied. 
I apparently read it wrong.  This needs to be code reviewed and 
corrected on our end, if needed.  We are not doing reporting at this 
time.  Not the main focus.  That can come later as an augmented 
feature, in fact, we might consider it as a paid service to be sending 
thousands report out to domains.

Keep it simple folks.  Be safe and have a great weekend.

Thanks

-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos

v2.23.0 | Report a Bug | By Email