Re: [dmarc-ietf] auth-res vs. dmarc
Hector Santos <hsantos@isdg.net> Wed, 30 December 2020 17:12 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21CDE3A0A3B for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 09:12:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.308
X-Spam-Level:
X-Spam-Status: No, score=-1.308 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RDNS_NONE=0.793, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=GHq01HIM; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=k0yAhU4H
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wFDh9Fj--gzU for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 09:12:32 -0800 (PST)
Received: from mail.winserver.com (unknown [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 984113A0A1E for <dmarc@ietf.org>; Wed, 30 Dec 2020 09:12:31 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4130; t=1609348342; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=Xxlw9E0RVIUDtaE798+SXzg9f1A7 P2Tx4QlnrCMN94A=; b=GHq01HIMNdmDYZ8oXOR/EyoiaPWXf97IZYC/JepKCund hYbDdjbL4tT0jl6mQAt4rW8QeteC4MLnSvG98RtPfLchkFNatifvNJZvT0vDHRDw k7UxUcAyKCCyw6QsWO6PhfgczUMeJxOCtjDRWLGe2jAp/gTwXkrIEULTQ5Hq/eo=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Wed, 30 Dec 2020 12:12:22 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2788406193.16935.2852; Wed, 30 Dec 2020 12:12:21 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4130; t=1609347969; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=Xxlw9E0 RVIUDtaE798+SXzg9f1A7P2Tx4QlnrCMN94A=; b=k0yAhU4HNDX8L12Yogvg3RI jyz7qDqWSddjd+TAsA3pP4QGmIVnLQVPh7tBPkCaZb4sbdZ+qvkrIddAPGX4vaOq DbQbPx3PK6N6FtvHHpF7T0gfjZXkxo8+YJqW+i8Om3Dd0ZcL06Xt4/rYqXGGArOu fmeptcznZqPaonYVM5Uw=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Wed, 30 Dec 2020 12:06:09 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 2655274017.1.19316; Wed, 30 Dec 2020 12:06:08 -0500
Message-ID: <5FECB4F6.2020702@isdg.net>
Date: Wed, 30 Dec 2020 12:12:22 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <9f6782b1-e85b-1a9c-9151-98feff7e18ea@mtcc.com> <CAHej_8m0OWsTt+tcSgUh+Fxu=HH_57nsb2O1Q_fgA2453ceh4g@mail.gmail.com> <140485eb-020f-4406-3f2f-e2c475ea51e5@mtcc.com> <CAHej_8mApfoF2ORgL+DoYTanrdhMjvT9H27kORwLKCQc1C9sRw@mail.gmail.com> <5588dbbe-b876-ed80-c80f-792380e3718f@mtcc.com> <CAHej_8=kW_t_JkOxUud1Uz8+PrbMh5CfwfxZK=mhe0wjW8wQpw@mail.gmail.com> <54dd9978-bcd1-6757-ad27-dcef6db6e5f7@mtcc.com> <CAHej_8kCi=7oqojDH_rbjn7kRg-PTDJWLgcKTGK9z-baUnKeMw@mail.gmail.com> <ef32de1e-d47e-1d0f-3cec-5994c7fdb7ae@mtcc.com> <CAHej_8kjSsQK_XEbdjWzV5npa29YjGadzD06Fmx3QLB4p+n_Cg@mail.gmail.com> <937f1019-a028-308d-2a0f-1e720fd49dcd@mtcc.com> <d8014c2a-c1c9-9eac-e64a-5f285bab7fd3@tana.it> <CAHej_8mgYr9ERAxmup+keZT5u8L+qgCxcSLH7Z=BEuZLouttpg@mail.gmail.com> <72e20c17-e991-e82a-9120-a27097e3ac58@mtcc.com> <CAHej_8=6huc-N4ymDTOWZXHGjQQ-3RFDdomRzmGp4kOseHckMQ@mail.gmail.com> <7863d250-f56a-1fe1-44ee-fbc7486d48b4@mtcc.com>
In-Reply-To: <7863d250-f56a-1fe1-44ee-fbc7486d48b4@mtcc.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/L2_bT_l9BkOdZXaMUv7K3zLopHI>
Subject: Re: [dmarc-ietf] auth-res vs. dmarc
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 17:12:35 -0000
On 12/30/2020 10:41 AM, Michael Thomas wrote: > DMARC != Auth-res. Auth-res provides all kinds of useful information > than just pass/fail. For DMARC Auth-res should provide what the policy > was at a bare minimum. But none of this seems to have any normative > language anywhere which is a problem unto itself. DMARC in auth-res > seems to be an orphan. A-R was a moving target for a long period and I am not sure it is completed for the task at hand. It was why my own wcSMTP used name space field values and made use of for potential visual reports, wcAVS filters at the backend and potentially the MUA frontend. That has always been a consideration since day one. But it was also a consideration the MUA filter could only safely apply it to messages verified by the host, i.e. the A-R record MUST was created by the host by domain name which the MUA client trust. This brings up the important fact, the most mail host have a responsibility to filter "bad" mail before the user gets it and not pass it on to potential phishable users. However, in this real market, like even in this WG, we have both camps; those who believe strongly in rejection at SMTP (system wide) and those who believe of accepting all and passing the buck to the user (user-level filters). IMO, you can't fight it. You accept both and program for both because both exist. For example for Mike's message, its a simple A-R: Authentication-Results: dkim.winserver.com; dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org; dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org; dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=mtcc.com header.s=fluffulence header.i=mtcc.com; There are no DKIM-POLICY protocol records like ADSP or DMARC. No A-R line for DMARC means the domain have NO record. It is not participating in DMARC, purposely or not. Having no A-R line avoids making erroneous interpretations by consumer like Mike has pointed out. Any A-R evaluation looking for the specific DMARC verification bits as part of its algorithm, but sees none, MUST use the default input and output values for a domain that lacks a DMARC record. For DMARC, when no record exist, the default values are (please confirm, I am going off my https://secure.winserver.com/public/wcDMARC wizard form values). p=none sp=none adkim=relaxed aspf=relaxed pct=100% rua=0 ruf=0 rf=afrf ri=86400 The dmarc= value SHOULD not be dmarc=fail nor dmarc=pass because no DMARC record exist. So if an A-R is written for a non-DMARC domain, it should be perhaps write: dmarc=unknown author.d=gmail.com signer.d=gmail.com (originating signer); or dmarc=none author.d=gmail.com signer.d=gmail.com (originating signer); Although the dmarc=none could erroneously suggest a DMARC record exist with a p=none policy, when a real policy exist, then a policy= tag used in our A-R, like: dmarc=dkim-fail policy=none author.d=gmail.com signer.d=gmail.com (originating signer); which reads: The author.d=gmail.com has a DMARC none policy. It has an aligned author and signer domain, but DMARC failed due to a dkim-fail signature which the A-R dkim line shows: dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=gmail.com header.s=20161025 header.i=gmail.com; I am not suggesting this or no DMARC A-R line should be written when the domain lacks a DMARC record. If a A-R dmarc line is recorded, it should be readable by humans. It should not erroneously misdirect an A-R evaluator routine when a DMARC does not exist. Using the comment field SHOULD be reserved for non-standard HUMAN readable data. But some of used it to fill in the gaps we wanted A-R for verification results, i.e. for SPF, the ip name field. Overall, I agree, resolving the A-R name space technical issue SHOULD be resolve in the WG for DMARC-bis. I think it is well worth the effort to define what we need and then use this for the update up the A-R specs to create a more common and useful name space to all. -- Hector Santos, https://secure.santronics.com https://twitter.com/hectorsantos
- [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Hector Santos
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Laura Atkins
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Douglas Foster
- Re: [dmarc-ietf] auth-res vs. dmarc Kurt Andersen (b)
- Re: [dmarc-ietf] auth-res vs. dmarc Douglas Foster
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Dotzero
- Re: [dmarc-ietf] auth-res vs. dmarc Laura Atkins
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Dotzero
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Dotzero
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Hector Santos
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Todd Herr
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Michael Thomas
- Re: [dmarc-ietf] auth-res vs. dmarc Seth Blank
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc Alessandro Vesely
- Re: [dmarc-ietf] auth-res vs. dmarc John Levine
- Re: [dmarc-ietf] auth-res vs. dmarc Murray S. Kucherawy