Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Bron Gondwana <brong@fastmailteam.com> Thu, 17 August 2017 08:09 UTC
Return-Path: <brong@fastmailteam.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 898F6132397 for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 01:09:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=ijTlmPse; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=get+2NJ4
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TqlIr1qkgtUO for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 01:09:04 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6639132386 for <dmarc@ietf.org>; Thu, 17 Aug 2017 01:09:04 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 906D420B48; Thu, 17 Aug 2017 04:09:03 -0400 (EDT)
Received: from web1 ([10.202.2.211]) by compute6.internal (MEProxy); Thu, 17 Aug 2017 04:09:03 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=cc:content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=dkpLaw8ArcBXW6EY7UCNPI1yxPStu c+nV26dz294F1w=; b=ijTlmPse8wEyxqNkb18s3yr0jGHdjpcdt57eo2YQ9I6gA iJHjjy/ZEoUWdrWef0lECWAbsncSydseHRs7V+8CrDH22XEAbBHRkZIXIEYA991m PakKvlhNcUPgAEcuEoD1WfeshFA1EnkmbF0ud5j9kZgrBM9uJqEpNB2BTz+sh2YE h36xPWRaQKV/r6iqLK6yH31Omgwm0Y/84dCjw2VyhIrbi2HnxP0VRFbyPRZEWxfE uLl3ZAribIXJLtx6+XV/rZdkGREF5+ux3FhT+LLLu4k3/gQ3YPsofxySCrHd6sWH pxPBPcrhjPfOWXoHk9zM1UJPaEAaiURO9JnwlTnxg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:message-id:mime-version:subject:to:x-me-sender :x-me-sender:x-sasl-enc; s=fm1; bh=dkpLaw8ArcBXW6EY7UCNPI1yxPStu c+nV26dz294F1w=; b=get+2NJ4dwW192UDfk1r/b4IPRkAH9JqabyTHe7ZKTEnB 5EC7c1TE09v/aQ1EYa0SwujljCCuNKEJoZFOUgrv+/1clogo5vkGdETVzykOYb0m 9i4QgTxqO6rqSCPzX8RBEtKlHeFyYs/0+Pxk/efpUS20hGyNeugJ1DSp9u2L06O/ jvQ+MB3nXeetJL3U86qEtlL2s5RlD0K7Gwto6F1s+EB3yFJMs2f3VRdomBj4kMcr iDb/Nj4CLJWLFV8bzoaYroA+hGft1OKSdXQwLUkXCHp4XwvtdzNUzk1i/LzrdQCd SMJfj5si/nU5DF5l9fZav+iEydg5pipdfhl5j7Hjg==
X-ME-Sender: <xms:H0-VWe9NTqetOtdQHfSw5kzGMhVPLIc0pvdDpZPlFLCRMS1PeUy0sw>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id 72BBA9571D; Thu, 17 Aug 2017 04:09:03 -0400 (EDT)
Message-Id: <1502957343.3548792.1076152832.1FEB1A8C@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_150295734335487920"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-21c69044
Date: Thu, 17 Aug 2017 18:09:03 +1000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Kml7c3buO3rxQ90F4fY9j9qD8Mo>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 08:09:06 -0000
On Thu, 17 Aug 2017, at 15:28, Murray S. Kucherawy wrote: > On Wed, Aug 16, 2017 at 5:47 PM, Bron Gondwana > <brong@fastmailteam.com> wrote:>> While there exists A SINGLE SITE which is ARC-unaware and DMARC >> p=reject aware, you can't use ARC on a DMARC p=reject domain without >> rewriting the sender. Otherwise that site will bounce the email.>> >> > Goodness, it's a wonder that we've ever successfully deployed anything > incremental around here. ;-)> -MSK I laugh as well, but it's more than p=reject isn't enough in the ARC world, because it doesn't distinguish between:a) I'm OK with email from my domain being sent via mailing lists; and b) no, this domain is only ever used for direct messages, it should never appear in ARC chains that don't also pass DKIM. The existing behaviour of p=reject is (b) for receivers that don't support ARC - so the question becomes: are we defining ARC to changing the behaviour of p=reject to (a)? If so, will we define a different (b) later, when we could instead havedefined a different p= for (a). The interesting question is what happens at non-updated sites in each case, because the answer is either "valid emails that should have been accepted are rejected by old policy engine" or "spoofed emails that should have been rejected are accepted by old policy engine" That's a worthwhile question. Maybe it's already been asked and answered and I just missed that. Bron. -- Bron Gondwana, CEO, FastMail Pty Ltd brong@fastmailteam.com
- [dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos