IETF Logo Mail Archive

Re: [dmarc-ietf] Policy Enforcement Considerations

Alessandro Vesely <vesely@tana.it> Tue, 19 September 2023 15:24 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BFD3C169535 for <dmarc@ietfa.amsl.com>; Tue, 19 Sep 2023 08:24:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.198
X-Spam-Level:
X-Spam-Status: No, score=-2.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.091, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="RhALJaoc"; dkim=pass (1152-bit key) header.d=tana.it header.b="AIPJcTAh"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iF6aPbCoL65N for <dmarc@ietfa.amsl.com>; Tue, 19 Sep 2023 08:24:27 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD044C16952E for <dmarc@ietf.org>; Tue, 19 Sep 2023 08:24:23 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1695137060; bh=THPFIBxldc2N3DE32LL+lMJ/1qCb2l02I6U69tseNTQ=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=RhALJaociJzuMUU4I4oGBYn7rBrjnDNL4exY79ySIG8S7K6E50+W9TolhdnrUNvcV L4djJef+/7lQOekvmFDBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1695137060; bh=THPFIBxldc2N3DE32LL+lMJ/1qCb2l02I6U69tseNTQ=; h=Date:Subject:To:References:From:In-Reply-To; b=AIPJcTAhdBFj7jheSDCfgnV9fxwcf31foahSNngxED6Rzd2zsGySUSpxcDTag0HBT +4hc3ZJxsX96/dCGCH1UF4Z3jf6LaJLFrwMT6q/6U79YYjQ6JyD2X67IFRNJEwrY/0 LZ9RbnOpHAeA/YyGF5DwnVNCgwl2BbTJTxR6JLAP+eJ1V/zjQ5XzdGCjvFNUE
Original-Subject: Re: [dmarc-ietf] Policy Enforcement Considerations
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.120] (pcale.tana [172.25.197.120]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0DF.000000006509BD24.000003C6; Tue, 19 Sep 2023 17:24:20 +0200
Message-ID: <a3b36b4b-a006-ec89-e376-758adc330e99@tana.it>
Date: Tue, 19 Sep 2023 17:24:19 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.15.0
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <c371f5b3-6133-1dc1-aa59-d3c6718a6ff2@tana.it> <92100200-55C3-47A2-9756-12A4AFD94E69@kitterman.com> <CALaySJJKT2LdZ2pDpNhhOwOcH2Otemd+h6c0dZxodJ1HPr85QA@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CALaySJJKT2LdZ2pDpNhhOwOcH2Otemd+h6c0dZxodJ1HPr85QA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/M0xl5SEEcq7Sfjo8IToowXqkApg>
Subject: Re: [dmarc-ietf] Policy Enforcement Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2023 15:24:33 -0000

On Tue 19/Sep/2023 16:41:41 +0200 Barry Leiba wrote:
> Indeed.  Besides content filtering there could be knowledge that the
> message came from a mailing list, there could be ARC or another
> mechanism of that nature, there could be knowledge of the sending
> domain and its user base, there could be knowledge of the specific
> recipient and her preferences, there could be allow lists of various
> sorts based on sender or recipient, and I'm sure there are additional
> things I haven't thought of here.


My intention was to include all the cases you cite, except content filtering. 
Why did you have the impression that «additional knowledge and mechanisms» 
would exclude ARC or another mechanism of that nature?


> And how are we "respecting the semantics" if we're not rejecting as
> requested?

The semantics is respected when the forwarder checks DMARC and applies the 
policy, up to acceptable exceptions.  This list, for one, doesn't —as the 
innumerous example posted here prove.


> [...]
> On Tue, Sep 19, 2023 at 5:20 AM Scott Kitterman <sklist@kitterman.com> wrote:
>> [...]
>> "The combined effort of Mail Receivers and Forwarders ...", for example, leaves out mailing lists, which is one of the things you said you were trying to solve.


Uh, I meant «Forwarders» to cover any kind of forwarding, including mailing 
lists.  I had hoped that having said «Mailing lists, and forwarding in general» 
would have conveyed the idea.

My wording can certainly be improved.  Before denying the idea, please consider 
a couple of facts:

1) We want ARC to override DMARC, yet we don't say so.  Not in such a way that, 
when a receivers does so, he can say he's following the letter of the protocol.

2) Content filtering cannot override DMARC, can it?  By "override", I mean the 
author domain publishes a hard policy, both SPF and DKIM fail, and there is no 
deterministic sign (signature or IP) that the message comes from a recognized 
forwarder (including MLs).  What kind of content could ever suggest that a 
receiver conscientiously overrides DMARC?

"Other knowledge and analysis", as currently in the draft, certainly includes 
content filtering.  Do we mean it?  Can we think of an example?  In fact, 
receivers don't enforce the policy because they have no idea of who the 
legitimate forwarders are, which is neither content filtering nor additional 
knowledge.


Best
Ale
--

v2.23.0 | Report a Bug | By Email