[dmarc-ietf] Rethinking DMARC for PSDs
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Mon, 08 April 2019 00:02 UTC
Return-Path: <btv1==0019ccb4d59==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC0B12021C for <dmarc@ietfa.amsl.com>; Sun, 7 Apr 2019 17:02:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1PXlt2zWiWzL for <dmarc@ietfa.amsl.com>; Sun, 7 Apr 2019 17:02:44 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02D8612004C for <dmarc@ietf.org>; Sun, 7 Apr 2019 17:02:43 -0700 (PDT)
X-ASG-Debug-ID: 1554681761-0990573e6338690001-K2EkT1
Received: from webmail.bayviewphysicians.com (smartermail4.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id rsiGnh1QyvoiaUCm (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Sun, 07 Apr 2019 20:02:41 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h= content-type:mime-version:message-id:reply-to:date:subject:to:from; bh=9t+uqiNnXGUGrHLRNDIrl8sXsN92TCLTLi95nRJW7f4=; b=W+Hr85GUmW1Xvd0HGI4sbfqAd04s88GisgFE2YHhmhxrF8zEf5fVrZH9M8VQoimYS 6k/zg/Fjlm0z6xkYNGPAMZThOwN30q8qeP8lAtKbF91SrpUxfOEIDP/Sn+LQuUN8z +H/6BYjHRBm5OwtuypPtJ4gv1GfzBeoMVXmpS1fHQ=
Received: by webmail.bayviewphysicians.com via HTTP; Sun, 7 Apr 2019 20:02:33 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org
Date: Sun, 07 Apr 2019 20:02:33 -0400
X-ASG-Orig-Subj: Rethinking DMARC for PSDs
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <c588c5eeec224162bffd080693c703e1@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="9dc9cb119e5e494fb9c094f624cfefb4"
X-Originating-IP: [192.168.1.239]
X-Exim-Id: c588c5eeec224162bffd080693c703e1
X-Barracuda-Connect: smartermail4.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1554681761
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 12262
X-Barracuda-BRTS-Status: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/LoWmuWRTJrLyhV9V3vey0fyCH3s>
Subject: [dmarc-ietf] Rethinking DMARC for PSDs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2019 00:18:26 -0000
I understand how much work it takes to create consensus toward an IETF standard, but I suggest that the problem needs to be re-examined because DMARC for PSDs seems to be neither the sufficient solution nor the necessary one. The problem: Spammers use non-existent domains to achieve identity spoofing, such as tax.example.gov.uk This is primarily a reception problem, because many recipient mail filters are not equipped to block this type of fraud. However, domain owners are also concerned about protecting their reputation from fraudulent material sent using their identity. These two sender-receiver combinations are already protected from the problem: Recipients with DMARC enforcement enabled if the message comes from a parent domain with DMARC-enforcing policy. Recipients who filter for non-existent domains, regardless of parent domain or receiver DMARC capability. These three sender-receiver combinations currently have no protection: Any recipient when the sender does not request DMARC enforcement (and non-existent domain filtering is also off.) Any recipient who lacks both DMARC enforcement capability and non-existent domain filtering.. Any recipient when the parent domain is a PSD (and non-existent domain filtering is also off.) The DMARC for PSD standard will only protect the last category of unprotected recipients. What can we assume about legitimate usage of non-existent subdomains? Non-existent subdomains support application-generated messages, not personal ones. Some messages will be transactional, where the recipient expects the message and will whitelist as necessary to ensure delivery. Some message will be marketing related, as a tool to support data collection related to specific marketing campaigns. The recipient probably does not expect the traffic, and is not likely to whitelist the traffic. The sender relies on the probability that most recipients do not filter on non-existent domains, so their non-standard business practice has minimal consequences for the sender. Possibly, some government cyber-warfare or cyber-intelligence operations use this feature. Whether this is legitimate or not depends on the government involved. It is unlikely that the recipient will consider the usage appropriate. Is there justification for IETF to tolerate or tacitly permit messages from non-existent domains? No. Before SPF, there was no method for a sender to announce a transmit-only domain, but that problem was solved a long time ago. Based on existing IETF standards, it is reasonable to conclude that: If a domain has not published either an MX record or a SPF record, then it is not a legitimate source of email. Obviously, domains with no NS record are also included Given all of the above, I hope the real solution is clear: We need to encourage recipients to block messages from non-existent domains (any domain that has no MX or SPF record published.) Whitellisting should be used for exceptions. Domain registration is not difficult and involves minimal cost, so there is no real justification for legitimate senders to maintain sloppy business practices. Implementation methods: Obtain a quorum of major mail-receiving organizations to announce that they will no longer accept messages from domains that are non-existent or not mail-enabled via an MX or SPF record (effective no later than mm/dd/yyyy). Exceptions require application on their registered-sender site, with justification. I expect that Google GMail and Microsoft LiveMail would be sufficient to be considered a quorum, and I assume they are represented on this distribution list. .The government domains could decide whether the best political strategy is to join the initial announcement or to mimic it shortly thereafter. Encourage mail filter vendors to provide non-existent domain filtering capability in their products, with the ability to confirm whitelisting as requested by the system administrator. .The major cloud-based email filtering services can add this protection to their clients, if it is not already present in their products. This brings another large group of recipients under protection To ensure that every recipient can implement non-existent domain filtering, it would be beneficial if non-existent domain checking becomes implemented as a Reputation Block List: When an email filter requests an RBL check on the domain name, the RBL checks for existence of at least one MX or SPF record. If none is found a reject address is returned. Since every email filtering product that I have encountered has support for RBL checking, this provides potential coverage for all recipients everywhere, and quickly. If IETF wants to provide a standards-based mechanism for mail-enabling a non-existent subdomain, this could be done as follow-up, using TXT records in the parent domain. Once promulgated, it would only be useful for senders who know that their recipients have email filters which apply the new standard. Outside a limited distribution group, this is not something that the sender can ever know. Consequently, I do not see this as a particularly useful undertaking, but I have no objection to it. Those who do not want to depend on recipient whitelisting should register their domains and publish an SPF record. It seems like this approach should be able to solve the whole problem in less than 6 months. Have I misunderstood the problem, or misunderstood your solution to it? Doug Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Jeremy Harris
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John R Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Ken O'Driscoll
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Dotzero
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Kurt Andersen (b)
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- Re: [dmarc-ietf] Rethinking DMARC for PSDs John Levine
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Douglas E. Foster
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Scott Kitterman
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Murray S. Kucherawy
- Re: [dmarc-ietf] Rethinking DMARC for PSDs Tim Wicinski
- [dmarc-ietf] More rethinking on DMARC for PSDs Alessandro Vesely