IETF Logo Mail Archive

Re: [dmarc-ietf] auth-res vs. dmarc

Hector Santos <hsantos@isdg.net> Wed, 30 December 2020 17:12 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21CDE3A0A3B for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 09:12:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.308
X-Spam-Level:
X-Spam-Status: No, score=-1.308 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RDNS_NONE=0.793, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=GHq01HIM; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=k0yAhU4H
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wFDh9Fj--gzU for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 09:12:32 -0800 (PST)
Received: from mail.winserver.com (unknown [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 984113A0A1E for <dmarc@ietf.org>; Wed, 30 Dec 2020 09:12:31 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4130; t=1609348342; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=Xxlw9E0RVIUDtaE798+SXzg9f1A7 P2Tx4QlnrCMN94A=; b=GHq01HIMNdmDYZ8oXOR/EyoiaPWXf97IZYC/JepKCund hYbDdjbL4tT0jl6mQAt4rW8QeteC4MLnSvG98RtPfLchkFNatifvNJZvT0vDHRDw k7UxUcAyKCCyw6QsWO6PhfgczUMeJxOCtjDRWLGe2jAp/gTwXkrIEULTQ5Hq/eo=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Wed, 30 Dec 2020 12:12:22 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2788406193.16935.2852; Wed, 30 Dec 2020 12:12:21 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4130; t=1609347969; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=Xxlw9E0 RVIUDtaE798+SXzg9f1A7P2Tx4QlnrCMN94A=; b=k0yAhU4HNDX8L12Yogvg3RI jyz7qDqWSddjd+TAsA3pP4QGmIVnLQVPh7tBPkCaZb4sbdZ+qvkrIddAPGX4vaOq DbQbPx3PK6N6FtvHHpF7T0gfjZXkxo8+YJqW+i8Om3Dd0ZcL06Xt4/rYqXGGArOu fmeptcznZqPaonYVM5Uw=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Wed, 30 Dec 2020 12:06:09 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2655274017.1.19316; Wed, 30 Dec 2020 12:06:08 -0500
Message-ID: <5FECB4F6.2020702@isdg.net>
Date: Wed, 30 Dec 2020 12:12:22 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <9f6782b1-e85b-1a9c-9151-98feff7e18ea@mtcc.com> <CAHej_8m0OWsTt+tcSgUh+Fxu=HH_57nsb2O1Q_fgA2453ceh4g@mail.gmail.com> <140485eb-020f-4406-3f2f-e2c475ea51e5@mtcc.com> <CAHej_8mApfoF2ORgL+DoYTanrdhMjvT9H27kORwLKCQc1C9sRw@mail.gmail.com> <5588dbbe-b876-ed80-c80f-792380e3718f@mtcc.com> <CAHej_8=kW_t_JkOxUud1Uz8+PrbMh5CfwfxZK=mhe0wjW8wQpw@mail.gmail.com> <54dd9978-bcd1-6757-ad27-dcef6db6e5f7@mtcc.com> <CAHej_8kCi=7oqojDH_rbjn7kRg-PTDJWLgcKTGK9z-baUnKeMw@mail.gmail.com> <ef32de1e-d47e-1d0f-3cec-5994c7fdb7ae@mtcc.com> <CAHej_8kjSsQK_XEbdjWzV5npa29YjGadzD06Fmx3QLB4p+n_Cg@mail.gmail.com> <937f1019-a028-308d-2a0f-1e720fd49dcd@mtcc.com> <d8014c2a-c1c9-9eac-e64a-5f285bab7fd3@tana.it> <CAHej_8mgYr9ERAxmup+keZT5u8L+qgCxcSLH7Z=BEuZLouttpg@mail.gmail.com> <72e20c17-e991-e82a-9120-a27097e3ac58@mtcc.com> <CAHej_8=6huc-N4ymDTOWZXHGjQQ-3RFDdomRzmGp4kOseHckMQ@mail.gmail.com> <7863d250-f56a-1fe1-44ee-fbc7486d48b4@mtcc.com>
In-Reply-To: <7863d250-f56a-1fe1-44ee-fbc7486d48b4@mtcc.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/L2_bT_l9BkOdZXaMUv7K3zLopHI>
Subject: Re: [dmarc-ietf] auth-res vs. dmarc
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 17:12:35 -0000

On 12/30/2020 10:41 AM, Michael Thomas wrote:

> DMARC != Auth-res. Auth-res provides all kinds of useful information
> than just pass/fail. For DMARC Auth-res should provide what the policy
> was at a bare minimum. But none of this seems to have any normative
> language anywhere which is a problem unto itself. DMARC in auth-res
> seems to be an orphan.

A-R was a moving target for a long period and I am not sure it is 
completed for the task at hand.

It was why my own wcSMTP used name space field values and made use of 
for potential visual reports, wcAVS filters at the backend and 
potentially the MUA frontend.  That has always been a consideration 
since day one.

But it was also a consideration the MUA filter could only safely apply 
it to messages verified by the host, i.e. the A-R record MUST was 
created by the host by domain name which the MUA client trust.

This brings up the important fact, the most mail host have a 
responsibility to filter "bad" mail before the user gets it and not 
pass it on to potential phishable users. However, in this real market, 
like even in this WG, we have both camps; those who believe strongly 
in rejection at SMTP (system wide) and those who believe of accepting 
all and passing the buck to the user (user-level filters). IMO, you 
can't fight it. You accept both and program for both because both exist.

For example for Mike's message, its a simple A-R:

Authentication-Results: dkim.winserver.com;
  dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
  dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
  dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=mtcc.com 
header.s=fluffulence header.i=mtcc.com;

There are no DKIM-POLICY protocol records like ADSP or DMARC.  No A-R 
line for DMARC means the domain have NO record. It is not 
participating in DMARC, purposely or not. Having no A-R line avoids 
making erroneous interpretations by consumer like Mike has pointed out.

Any A-R evaluation looking for the specific DMARC verification bits as 
part of its algorithm, but sees none, MUST use the default input and 
output values for a domain that lacks a DMARC record.  For DMARC, when 
no record exist, the default values are (please confirm, I am going 
off my https://secure.winserver.com/public/wcDMARC wizard form values).

p=none
sp=none
adkim=relaxed
aspf=relaxed
pct=100%
rua=0
ruf=0
rf=afrf
ri=86400

The dmarc= value SHOULD not be dmarc=fail nor dmarc=pass because no 
DMARC record exist.  So if an A-R is written for a non-DMARC domain, 
it should be perhaps write:

   dmarc=unknown author.d=gmail.com signer.d=gmail.com (originating 
signer);

or

   dmarc=none author.d=gmail.com signer.d=gmail.com (originating signer);

Although the dmarc=none could erroneously suggest a DMARC record exist 
with a p=none policy, when a real policy exist, then a policy= tag 
used in our A-R, like:

   dmarc=dkim-fail policy=none author.d=gmail.com signer.d=gmail.com 
(originating signer);

which reads:

The author.d=gmail.com has a DMARC none policy. It has an aligned 
author and signer domain, but DMARC failed due to a dkim-fail 
signature which the A-R dkim line shows:

   dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=gmail.com 
header.s=20161025 header.i=gmail.com;

I am not suggesting this or no DMARC A-R line should be written when 
the domain lacks a DMARC record.

If a A-R dmarc line is recorded, it should be readable by humans. It 
should not erroneously misdirect an A-R evaluator routine when a DMARC 
does not exist. Using the comment field SHOULD be reserved for 
non-standard HUMAN readable data.  But some of used it to fill in the 
gaps we wanted A-R for verification results, i.e. for SPF, the ip name 
field.

Overall, I agree, resolving the A-R name space technical issue SHOULD 
be resolve in the WG for DMARC-bis. I think it is well worth the 
effort to define what we need and then use this for the update up the 
A-R specs to create a more common and useful name space to all.


-- 
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos

v2.23.0 | Report a Bug | By Email