IETF Logo Mail Archive

Re: [dmarc-ietf] Mailing List message authentication

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 25 August 2022 22:36 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2808C152566 for <dmarc@ietfa.amsl.com>; Thu, 25 Aug 2022 15:36:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.082
X-Spam-Level:
X-Spam-Status: No, score=-1.082 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MISSING_HEADERS=1.021, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Vitcv7H-lOj for <dmarc@ietfa.amsl.com>; Thu, 25 Aug 2022 15:36:09 -0700 (PDT)
Received: from mail-ot1-x32b.google.com (mail-ot1-x32b.google.com [IPv6:2607:f8b0:4864:20::32b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C56DC1524CF for <dmarc@ietf.org>; Thu, 25 Aug 2022 15:36:09 -0700 (PDT)
Received: by mail-ot1-x32b.google.com with SMTP id q39-20020a056830442700b0063889adc0ddso14903452otv.1 for <dmarc@ietf.org>; Thu, 25 Aug 2022 15:36:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc; bh=esF3SbXoUCV67ZqB+3a+btBJPd7806gmNwlhwOv0bYw=; b=D0evczSVJQn7UpLg2xvh8DboMQEcw4Viz2MqR7Kh1erDdwm/5ItK9dV+QrScOupa+0 XSpCx9VU+6nXlXYw8FKzjmVWT8CmCqAmrt1OFyTAysQNIhIJpdHOvmI5C8FR1nSYsx+5 tn7oBCpyqZ9Lwt9K2FE7AwhpYVUk43GM6A+IH9qtHI3ptpmZn4Jb2I9xWAX9zYRPOnG8 0GHawIqgEFR4p1nFheTlshtor8l2lK/vHfVA29DkwIvwE2tmbfsDlMENE99p+CAc170S GkgboLz3uJdrVo1qYed9/ypDPi13QSgNo9p0ubDS9mJXegUZ4w7ZZ9ttRhd+IqNatL/J qJ9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc; bh=esF3SbXoUCV67ZqB+3a+btBJPd7806gmNwlhwOv0bYw=; b=wa1z0turIt0Bvbru8dnaStOAOxSQgfVL/kxFJoJYsKE/aVezYDYCwQFQ8gTWNwUsPV V/GChLccopvVc2TH/rObBToMmz3EJbQm4DU1uO689K7TSOQ9LSLb+c+xTNb3adiOOmR7 yozHd2TuC1pjSwlscVtL4DtJNUc6brMMSwqZtc+qWwbYde+hjbuL/pfpdTa/KfHLpsx/ suENZAOxYk8t0gdAP3DmVeVNlYzBPmVcSa7d79qlH//sWZqAb+Z5hyktKpmo7n3h4Wa0 VcPEQeE80i9232P2UcW4TlQFjg0sdyNmbdk3AltybPhczZRc7zicsektXgg1J9YFsZN0 jwAQ==
X-Gm-Message-State: ACgBeo0EOZDLay2MlOWYBshGlCe/30M1NKQFMqXFIkuezWXrej3wAHDM ueHXUDfbPSbHYrO5F/WL4ByV+ox9AUzxJ8aXX5AEsDm33dY=
X-Google-Smtp-Source: AA6agR4KesUc9ChwB3f/7cmYPD8aYh7qkusvuDKlFlgGaI5RLFMsRjp6EsmJlnDOf12TyulxbOG8dx25VcbOheffTFA=
X-Received: by 2002:a05:6830:1445:b0:638:fbe4:c917 with SMTP id w5-20020a056830144500b00638fbe4c917mr441641otp.82.1661466968202; Thu, 25 Aug 2022 15:36:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48ZfwZ3y+GYsL=8rBn8DOYVyhKiNY37MsRT4SrfAJwUJawvA@mail.gmail.com> <CALaySJLd1uEGjzjLCG=fvtzCFsWdv3tGTWboK2kWBSWxj2gJww@mail.gmail.com> <CAAFsWK3LiPDGEJ8ipZFkvHKF8gt0F1pfRvbsQ8hor7Cm7yzWPw@mail.gmail.com> <CAH48Zfyxz5BakoKz42SLhMe6Bxj+opGnqB+_k7rpgKLUcrGavQ@mail.gmail.com> <CA+Wg=gtUZg_BHomB74Kp3NZkfvg72_6hzPzn_hUL1LiAJfU41Q@mail.gmail.com> <CAH48ZfxeU_qkyoaV_1h1shj4zXrAv9Fs=K=1z16t2caRSZZdZg@mail.gmail.com> <CAL0qLwbOoH55WG3LuspAknbR=UnRpDWo2NUQx2q6W9-EszAV-Q@mail.gmail.com> <a9d5008e-9e03-5433-058f-db0418673a49@tana.it> <CAH48ZfyUjZF1TVJFkWE+E8z64iMGZ-BeT-34oHSaE2cRqgvLXA@mail.gmail.com> <CAHej_8ne6SsV9wTKv4Pp4GRrv_5QUBuay1Y5r5EZwniCL08Cvw@mail.gmail.com>
In-Reply-To: <CAHej_8ne6SsV9wTKv4Pp4GRrv_5QUBuay1Y5r5EZwniCL08Cvw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 25 Aug 2022 18:35:56 -0400
Message-ID: <CAH48ZfxF_Hdint5qOV=xA_GbE6LZKbN5Gj-qVXO=7g1wpo+ESg@mail.gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000072231f05e7186c10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/MGMCBlzRKGJJDIMtg_QhCxMu-z0>
Subject: Re: [dmarc-ietf] Mailing List message authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2022 22:36:11 -0000

Yes Todd, this is the problem language:

"If the set produced by the DNS Tree Walk contains no DMARC policy record
(i.e., any indication that there is no such record as opposed to a
transient DNS error), Mail Receivers MUST NOT apply the DMARC mechanism to
the message."

There are really two issues involved:  "What is DMARC?" and "What does MUST
NOT mean?"

My concept of DMARC has been that it includes everything which can be
elucidated by using SPF and DKIM to validate or repudiate the RFC5322.From
address.   I have probably been alone in that state, but when Barry first
said "That's not DMARC," I had no reference point with which to understand
his assertion.

[When I quibbled, I was told that DMARC without the policy is not a
protocol, and IETF only does protocols.   That answer did not settle the
issue because IETF did SPF, which is only a unidirectional information
flow, but is apparently a protocol.   This red herring hindered my ability
to grasp what you do want DMARC to be.]

If DMARC is simply one application of how SPF and DKIM are used to
authenticate RFC5322.From, then other strategies are excluded for
convenience of scope, not excluded on principle.   When it is understood in
those terms, I can go along with the limited scope definition that you
want.  Maybe I am the only one who needs the explicit scope definition that
I proposed, but in a world of 7 billion people, I am willing to guess that
I will not be the only one who needs this clarification.  In particular, I
don't want to come back with a proposal like this Mailing List
Authentication idea, and have it dismissed as a layer violation, because
"DMARC says that if you don't have a policy you cannot do RFC5322.From
authentication."   Maybe that is paranoid, but I would appreciate having
the possibility of other uses stated explicitly rather than presumed.

About MUST / MUST NOT
I have raised this issue before.   I expect MUST or MUST NOT to be used
where failure to comply will cause harm, most likely to the person
violating the directive.   For example, a mail sender MUST start an SMTP
session with HELO or EHLO.  If they do not, they will not send any email
via SMTP.  In this document, I find no place which meets that level of
importance.   On the contrary, evaluators can do whatever they want, with
whatever information that they have available, to reach a disposition
decision that seems to be in their self interest.    In this particular
paragraph, my point is that evaluators can sometimes use SPF and DKIM to
make an intelligent disposition decision, even when the policy is lacking.
 Our document should not be saying MUST NOT when it is likely to be in the
evaluator's best interest to do the exact opposite.

My remaining quibble
We have these situations where the verification result is unambiguous, with
or without a DMARC policy:
- A verified identifier that has the same domain as the RFC5322.From
address is always a PASS.
- A verified identifier that does not match at least the two right-most two
labels is always not aligned.  If there are no verified identifiers, or
there are no identifiers that align on at least two labels, then the result
is always FAIL.

I think it is a disservice to press the scope definition so severely that
we cannot find a couple of sentences to include these exceptions in the
document.   But as long as the reader understands that these cases are not
relevant because they do not fit the strict scope definition, then so be it.

Doug





On Wed, Aug 24, 2022 at 2:38 PM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Wed, Aug 24, 2022 at 2:09 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> I understand the need to limit scope, if DMARC limits its claims to what
>> it covers.  This complaint was triggered largely with the "MUST NOT" claim
>> in the draft, which implied that DMARC is the all-inclusive tool for
>> validating the RFC5322.From address using SPF and DKIM.  If it is all
>> inclusive, it needs to be comprehensive.  If not, it should be clear that
>> other options are possible.  I would be satisfied with changing the "MUST
>> NOT" into a reference to local policy, and including this language in the
>> scope and goals section.
>>
>
> This is the text in question, yes?
>
> "If the set produced by the DNS Tree Walk contains no DMARC policy record
> (i.e., any indication that there is no such record as opposed to a
> transient DNS error), Mail Receivers MUST NOT apply the DMARC mechanism to
> the message."
>
>
> That's from section 4.7 in DMARCbis, and updates RFC 7489 by changing
> "SHOULD NOT" to "MUST NOT".
>
> Please help me understand how you arrived at the conclusion that this
> statement declared DMARC "the all-inclusive tool for validating the
> RFC5322.From address using SPF and DKIM", because I don't take that
> meaning. Rather, it reads to me as "If there's a DMARC policy found, do
> DMARC validation. If there's no DMARC policy found, don't do DMARC
> validation."
>
> I don't see anything there declaring DMARC to be the only way to validate
> the RFC5322.From domain (DMARC doesn't validate the RFC5322.From address);
> I would expect your interpretation (i.e., DMARC is the one true way) to be
> supported by text that read as follows:
>
> "If the set produced by the DNS Tree Walk contains no DMARC policy record
> (i.e., any indication that there is no such record as opposed to a
> transient DNS error), Mail Receivers MUST apply the DMARC mechanism to the
> message anyway."
>
>
>
>> "The combination of SPF and DKIM provide a concept for validating the
>> RFC5322.From address.  DMARCbis defines a protocol for using this concept
>> with bi-directionaoll communication between the recipient and the domain
>> owner, using SPF, DKIM, a DMARC policy, and a reporting framework.
>>  Validation strategies which do not use a DMARC policy, use different
>> alignment strategies, or do not include reporting are considered out of
>> scope."
>>
>>
>> About Decisonmaking
>> Both DMARC FAIL and NO POLICY create concern that the message might be a
>> malicious impersonation.  FAIL probably adds greater weight than NO POLICY,
>> and .FAIL with "p=reject" adds even more weight.  A reasonable solution is
>> to proceed with content filtering.   Messages which die in that filter
>> provide confirmation that the message is unwanted.  For messages that
>> survive content filtering, the decision is how to disposition the message
>> given the DMARC result.
>>
>
> I will agree that DMARC FAIL probably adds further weight than NO POLICY,
> and I'll also say that the DMARC result should be independent of whether or
> not a message is subject to content filtering. Put another way, DMARC PASS
> says nothing about the content of the message and whether or not it might
> be wanted; it only says that the use of the domain in the RFC5322.From
> header was authorized by the domain owner based on the results of the SPF
> and/or DKIM checks.
>
>
>>  DMARC PASS means that the message is judged free of impersonation risk.
>>  This improves the probability of acceptance by any disposition system
>> based on risk weighting which is why I asserted that a PASS may increase
>> delivery rates for a sender.)
>>
>
> DMARC PASS does not mean that the content is wanted mail. It only means
> that the domain in the RFC5322.From header wasn't impersonated. Any domain
> can achieve a DMARC PASS.
>
>>
>> If a particular domain is trusted and configured for whitelisting,
>> eliminating impersonation risk becomes essential.  Since any domain may be
>> selected for whitelisting, the system administrator needs to be able to
>> validate any trusted message source.   Much of my desire to maximize DMARC
>> PASS results is to minimize the complexity of providing validation via
>> other strategies.
>>
>
>  DMARC PASS does not mean that the content is wanted mail. It only means
> that the domain in the RFC5322.From header wasn't impersonated. Any domain
> can achieve a DMARC PASS.
>
>
>> Finally, PASS simplifies risk management by reducing the volume of
>> messages that need to be evaluated for malicious impersonation risk.
>>
> I'm sorry, but I don't understand this statement. DMARC PASS is achieved
> through applying the DMARC mechanism to a message, which is evaluating the
> message for impersonation, is it not?
>
>>
>> In sum, PASS is more useful than FAIL because the result is more
>> certain.   Tthe value of DMARC PASS seems poorly understood by the vendor
>> community.
>>
>
> DMARC PASS means that the domain in the RFC5322.From header wasn't
> impersonated. Any domain can achieve a DMARC PASS.
>
> --
>
> *Todd Herr * | Technical Director, Standards and Ecosystem
> *e:* todd.herr@valimail.com
> *m:* 703.220.4153
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email