IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)

Todd Herr <todd.herr@valimail.com> Thu, 14 March 2024 21:34 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D31BC151066 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 14:34:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qF001YoItDhH for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 14:34:32 -0700 (PDT)
Received: from mail-yb1-xb31.google.com (mail-yb1-xb31.google.com [IPv6:2607:f8b0:4864:20::b31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 543F7C151065 for <dmarc@ietf.org>; Thu, 14 Mar 2024 14:34:32 -0700 (PDT)
Received: by mail-yb1-xb31.google.com with SMTP id 3f1490d57ef6-dc6d8bd612dso1288670276.1 for <dmarc@ietf.org>; Thu, 14 Mar 2024 14:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1710452071; x=1711056871; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=8xJpKjO9VlsFs9lmyuBvhb8Elbh799hAX6v8ExaI5fg=; b=HeF/0n6HjxxHNtPwFtdPuyH/DNuzJiVI7fHHb0tSKrUzsY04MQ5PsucfYp9IluZT9c gXDfabFDYPEh8AsTS1+Gs+VXrDSZC0vuEkepgvR0wYv8E28i3xT/cIGD5L7QFsvMW1hz WCFJOSk4DWOsj3Oozt76+azjbmwYZXYO2r/Sx1kpkJcpuaAhkp1w4ChE1lMeh1nKI2j4 Rhh8rqzJ4fObpcVwbj984ORMi0jnF9/4XCw4y/xw7gbhi+iP5r25z5ppDQ8cgZIf8kBE +j9X+GXVybSjqL3YpW2Vs6yR575JRCfdG2dWpbY6DgKgZc8VEpBJ2B0yuuSicBGGE+eK Nkcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710452071; x=1711056871; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=8xJpKjO9VlsFs9lmyuBvhb8Elbh799hAX6v8ExaI5fg=; b=GsnnA2CkCSwLsmAPo1EdlIjCQBEUuqjUqTYLgoWY137uNCUU6nAm6sp5/vCWhxWp6n p3UL7eLLjRjn9Bx2dSBHmW4jDfndejCbkC/KjpF+94IDWdyWUwzGhdUu0ysX7tiz/t6u nCNuY+VLqgsTFTTAk9YQW6x6EStWQsQMgtFAM+9mWMjerrH1dW1DxGBNnrQEMDTx1GGs EtJe1CnAumyz17incdUp9sVuCh3Pofw/L6zzTU/CdP81SnTJxCJGl/8gfGpHxJOpkPsE CLz6cfIQE0SNLf3P1nYCyuYbxGimSS7a9+tSQoWJzqr7Q1DDuG5WKT8Gt8Td/u9n0BU4 iHww==
X-Gm-Message-State: AOJu0YzeEjURqk1zWjkqKvKS5TJd6HvfNCaX5aZH+9wow89stxyukWSN P/0jOhHV3qwIPcEfEopEF4UZ9zVfZKFTmTDaWiIcf3mrNyouRkW1HUEYuZxdLPzTRvxoQW2yHbz anoVu9MUEpTlzFUGbD/NAffK9NEVnqirV/Zvf9rXWdudY8pYG
X-Google-Smtp-Source: AGHT+IFynrbNjMNaP/OtIxjdWJpOAL8kIlBuP6WPNe6bN6jW8XutQ5GGB3qG1niOjY0NBSAWU2IjOfiB2NUuisAEj5A=
X-Received: by 2002:a25:ab2c:0:b0:dcd:b034:b500 with SMTP id u41-20020a25ab2c000000b00dcdb034b500mr451691ybi.43.1710452070707; Thu, 14 Mar 2024 14:34:30 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com> <09C7D830-5966-4EE5-AA86-003696B5ECEE@isdg.net> <CAHej_8=0QEmCazTuEDKASBBoVwfpsPLJMpN11y+fo8+XtPv1Bg@mail.gmail.com> <C5DEE535-7B6E-4D7E-83FE-59EF42ED9286@isdg.net>
In-Reply-To: <C5DEE535-7B6E-4D7E-83FE-59EF42ED9286@isdg.net>
From: Todd Herr <todd.herr@valimail.com>
Date: Thu, 14 Mar 2024 17:34:14 -0400
Message-ID: <CAHej_8=BjZRHDxugrNQ5pXCb1vXj+Kbr6Y6sR+x86JtiGNwsRQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000148e9a0613a5a8cb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KwFPlR3SNjg7W45LdbVI5_dvJBk>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 21:34:36 -0000

On Thu, Mar 14, 2024 at 4:52 PM Hector Santos <hsantos=
40isdg.net@dmarc.ietf.org> wrote:

>
> On Mar 14, 2024, at 4:02 PM, Todd Herr <todd.herr=
> 40valimail.com@dmarc.ietf.org> wrote:
>
> On Thu, Mar 14, 2024 at 3:25 PM Hector Santos <hsantos=
> 40isdg.net@dmarc.ietf.org> wrote:
>
>> On Mar 14, 2024, at 10:09 AM, Todd Herr <todd.herr=
>> 40valimail.com@dmarc.ietf.org> wrote:
>>
>> To configure SPF for DMARC, the Domain Owner MUST choose a domain to use
>> as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail
>> that aligns with the Author Domain, and then publish an SPF policy in DNS
>> for that domain. The SPF record MUST be constructed at a minimum to ensure
>> an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom
>> domain.
>>
>>
>> A major consideration, Todd, is receivers will process SPF for SPF
>> without DMARC (payload) considerations.  IOW, if SPF is a hardfail, we have
>> SMTP processors who will not continue to transmit a payload (DATA).
>>
>> DMARCBis is making a major design presumption receivers will only use SPF
>> as a data point for a final DMARC evaluation where a potentially high
>> overhead payload was transmitted only to be rejected anyway,
>>
>
> I don't necessarily think your assertion is true here, or at least I'd
> submit that DMARCbis and RFC 7489 aren't approaching this subject any
> differently.
>
> Section 10.1 from RFC 7489, titled "Issues Specific to SPF" had two
> paragraphs, the second of which reads:
>
>    Some receiver architectures might implement SPF in advance of any
>    DMARC operations.  This means that a "-" prefix on a sender's SPF
>    mechanism, such as "-all", could cause that rejection to go into
>    effect early in handling, causing message rejection before any DMARC
>    processing takes place.  Operators choosing to use "-all" should be
>    aware of this.
>
>
> Yes, I agree.  I am only reminding the community SPF can preempt DMARC
> with a restrictive hardfail policy.   Does DMARCBis integrate the tag to
> delay SPF failures?
>

Perhaps some additional cautionary text for Mail Receivers, either added to
the above paragraph or just after it, warning against rejecting solely due
to SPF -all unless the SPF record is simply "v=spf1 -all"? Such text would
be consistent, for example, with M3AAWG's Email Authentication Best
Practices
<https://www.m3aawg.org/sites/default/files/m3aawg-email-authentication-recommended-best-practices-09-2020.pdf>
document.


>
>
> DMARCbis contains the same two paragraphs with no change to the text,
> other than the section is now numbered 8.1.
>
>
>> In the ticket, I propose the following new text:
>>
>> ==================================================
>> To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing
>> domain (i.e., the d= domain in the DKIM-Signature header) that aligns with
>> the Author Domain.
>> ==================================================
>>
>>
>> In order to maximize security, the Domain Owner is REQUIRED to choose a
>> …..
>>
>> Is REQUIRED the same as MUST?   I think SHOULD or MUST is fine as long as
>> we specify the reason it is required,
>>
>
> I'm not understanding the comment you're making here, as I don't see the
> word "REQUIRED" in anything I wrote.
>
>
> For any protocol, there are “Protocol Requirements,”   A MUST or SHOULD is
> a “Requirement” for proper support,  So I just wanted to just note that it
> can stated another way.  Developers need a Requirements Section that allow
> us to code the logic,
>
> Its getting pretty confusing for implementors.
>
>
>
I'm sorry but I'm still not understanding the source of your confusion
here. The text we're discussing is pulled from the Domain Owners section,
and while it's not explicitly stated, "choosing a DKIM-signing domain"
would essentially involve indicating to the sending platform what domain
the Domain Owner wants to use in DKIM signing and then publishing a public
key in DNS. It is presumed that the sending platform has already built into
it the ability to DKIM sign messages based on the Domain Owner's choices.

What logic must be coded to support this?

-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.herr@valimail.com
Phone: 703-220-4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email