Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Dotzero <dotzero@gmail.com> Sat, 15 April 2023 03:24 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E321EC14CE33 for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:24:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SXIXCHAGB-zF for <dmarc@ietfa.amsl.com>; Fri, 14 Apr 2023 20:24:40 -0700 (PDT)
Received: from mail-vs1-xe33.google.com (mail-vs1-xe33.google.com [IPv6:2607:f8b0:4864:20::e33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12173C14CEFE for <dmarc@ietf.org>; Fri, 14 Apr 2023 20:24:40 -0700 (PDT)
Received: by mail-vs1-xe33.google.com with SMTP id y17so18434068vsd.9 for <dmarc@ietf.org>; Fri, 14 Apr 2023 20:24:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681529078; x=1684121078; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=EwGAuIZL1Dk/LUf3IWyQH0VgVHaPGGOz0FxbcM64SCk=; b=GWplj6fFfrJkiXBSslvEgVi6vzfaTaEpJOtc5JzadfP69zq2JtFIdGaWuWAgya1c3N DsvMutK/rFTSfIJMhBSs+ANFnZ7wMaPQrOu7iaDjUb6lpTBdGhN54b36RrgkmaQhva3q KAKUgZBs7ugFe+TBpFdq2p0w+4Q4RcpMuQpPFhEy30DZZPUb10Gwp73rwmfB3F9jTsZn +adgPwpTg1zXEWe1zrhX2mjWxOiWeJSjgEqyX3dCFeZhit2O+9I1W2JkGi8pC6YzKqp4 rEM1H+i/A6BmcnEJdl5eXcFUXlcQvVOt4CtP9thajwiYWkgSRKAD9Qbx0DNqY7DFO1x/ n/Tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681529078; x=1684121078; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=EwGAuIZL1Dk/LUf3IWyQH0VgVHaPGGOz0FxbcM64SCk=; b=MvuCxWWio+CMVSvQyBW5Ozvz1onA15AeKXLUGVDOdwuvtfvyJ+o6SAsP5/DVmPtaNH N9Bq9cVknp5DkYMX5dU9eIHkDLKFt8fhAvpZILyDvI170kFmA1YuQiz9XW1kzV374O9a o6aFe43uE/3Ztcd0uktTMCayWdNh6dmUvAv3uMkZnonMV6oUCJwjkPFk6oSnAQllS/Dp MvkE3cnDkV9bkDmkSGbmRpFFVZRXSZVVHoRqfML0N/0teiKSRWrAq3pwhIIOdToCPDRc nYq2339y7O5JGD6TndG2dbX633Yx06UKrEPh3DuLBQHjv8lTxzYn/en49PxNRmyQr6Ri vSJw==
X-Gm-Message-State: AAQBX9c6jHQ5QxJnmjd8XSyKOAdvseuh+fwvP6fyZO+b0L1Wcs8b+Wux 9LA9AjQ0qomTxwzEunqD2IW9MzRIt9d4GnmzdRH6ztrn
X-Google-Smtp-Source: AKy350ZeFRSJIYsCFrQEf1jsylghdIwVEdt8Uo7efJj4rfW/9ADAnMikiAB6uGLyO1Ad4UgQywCgY/E54ZMEsZ6RH2M=
X-Received: by 2002:a67:ca94:0:b0:425:d096:fd42 with SMTP id a20-20020a67ca94000000b00425d096fd42mr4225915vsl.5.1681529078326; Fri, 14 Apr 2023 20:24:38 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <13603D87-4FDE-4768-9712-E6DB0818C802@kitterman.com> <CALaySJLY-9O1Wauk50WMMobNs3cKUzmB+=np080nYCHEZa32UA@mail.gmail.com> <3129648.WqDQmVRvLn@localhost> <CAJ4XoYe3Z8=G8H6hQFuiMMwfZQt1JvLpK3bQmrtGCz=b-w=CJA@mail.gmail.com> <86E22FA6-759F-40F3-AEA3-119EE90F64A0@kitterman.com> <80086446-effa-7ee2-91c7-1f44449d92fb@tekmarc.com> <CAL0qLwaKO5A_OSjod00msw+8EALOUqYzeXb_aPjVhQ2R1wZKJg@mail.gmail.com> <def03c2f-25ec-d3f1-1ea5-678b16369f61@tana.it> <8D2F4B6A-2E72-4763-8B1F-719236B21D1E@wordtothewise.com> <CAH48ZfxP3F0jueQwsFyXBUojQryO2NOhCZzKxbLiZMHW3h10Zg@mail.gmail.com> <5ABFFAF7-4B03-4CCC-81C2-303A6B6F506E@wordtothewise.com> <f5a510b6-553c-e07c-c249-03a68c3cc60e@tana.it> <899E29E9-71E0-49DC-A3C4-746766C7EC67@wordtothewise.com> <CAJ4XoYftxv21D7mhXdRzg+f4Qo99Y=qcZ+eK5_PvPv62hVbM_A@mail.gmail.com> <CAL0qLwZKNWuFgrLvPfP=qxviYZuiUq1EMaL-QG=xe1AA4_Tg2g@mail.gmail.com> <CAH48ZfzyeAYBg=eFOw0aHcusDLA=QQ7CTp5P_S5VWwmdQDmqOA@mail.gmail.com>
In-Reply-To: <CAH48ZfzyeAYBg=eFOw0aHcusDLA=QQ7CTp5P_S5VWwmdQDmqOA@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Fri, 14 Apr 2023 23:24:27 -0400
Message-ID: <CAJ4XoYfkZTvWu9nsPNiNdH_FC9GExHU70Arf+a1cA7TvkV_FbQ@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, Laura Atkins <laura@wordtothewise.com>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000064ac0405f9577f08"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/MGRA_fo8x0rY5WdkFBqq_DD5cKw>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 03:24:41 -0000

On Fri, Apr 14, 2023 at 9:47 PM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> These decisions are made in the light of ransomware attacks that have shut
> down critical social infrastructure like city governments and hospital
> systems.
>
> The proceeds from Internet-based fraud are funding groups like Boko Haram
> that kidnaps girls into sex slavery, boys into child soldiering, and then
> uses their weapons to burn Christians inside their churches.
>
> This is not about money for fat cats, it is about trying to stave off the
> darkness.
>
> Unless a mailing list has controls in place to ensure that EVERY post
> comes from the asserted participant, it is the height of hypocrisy to ask
> an evaluator to assume that the post is from the asserted participant.
>  IETF cannot do even the easiest part of that task, so I have no reason to
> expect better elsewhere.
>
> Societies depend on trust.   Impersonation in all its forms undermines
> trust.
>
>
> Doug
>
>
>
>
> On Fri, Apr 14, 2023, 9:17 PM Murray S. Kucherawy <superuser@gmail.com>
> wrote:
>
>> On Fri, Apr 14, 2023 at 12:37 PM Dotzero <dotzero@gmail.com> wrote:
>>
>>> While the you part of "we" may not see any advantages, quite a few
>>> financials, greeting card sites, retailers AND many receivers have seen the
>>> advantages, including p=reject. One thing I've learned over the years is
>>> that it is presumptuous to speak on behalf of "everyone" when you don't
>>> actually have their authorization to speak on their behalf. It's kind of
>>> like sending email claiming to be from someone else's domain without their
>>> permission.
>>>
>>
>> We need to tread carefully here.  Standards are supposed to improve
>> things for everyone, not just quite a few financials, greeting card sites,
>> retailers AND many receivers.  Presented that way, it sounds a lot like
>> we're saying these decisions should be biased in favor of those with
>> money.  I know we don't mean that.
>>
>> -MSK, participating
>>
>

Seeing the advantage does not mean that it only benefits the ones I listed.
I'm aware they see the advantage because people from those types of
organizations were involved in the original creation and testing and over
the years I've seen the data on abuse reduction. Not just the DMARC numbers
but the downstream impacts on abuse. Unfortunately organizations tend not
to provide data about its efficacy publicly because it involves providing
data about their business. It works. It could have been kept a private club
of "big boys" but people involved in the effort believed there was (is) an
ecosystem benefit in it being an open standard that anyone could implement.
From start to publication, DMARC took roughly 18 months including testing.
The participating organizations spent a lot of resources and money during
that period writing code and testing, including various meetings and
interop events. I'm not confident it would have happened and especially in
that time frame if it were a public effort. Now that also doesn't include
the initial time and work it took for the private parties to figure out how
to interact with each other.  It's smaller organizations and the average
person who benefits from that initial effort. If it weren't a published
standard, how could they take advantage and be able to participate? It was
handed over to IETF because of a belief that IETF would be the best steward
in moving it forward.

And yes, I fully recognize that there are tradeoffs DMARC involves. If only
transactional domains publish p=reject then I'd argue the benefits far
outweigh the downsides. The calculus changes with broader implementation
for other types of domains, but as others have pointed out, no death
penalty is imposed in those circumstances.

I've seen people suggest that policy should be gotten rid of but keep
reporting. Policy was/is the incentive for receivers to do reporting. It
allows sending domains to have visibility into mail flows claiming to be
theirs, whether theirs or not, from the receiver's perspective. This
presumably enables them to take steps to correct things they perceive to be
problematic if they so choose. And yes, that can include publishing
quarantine or reject as a policy request.

If it weren't for companies like !Yahoo and AOL pulling the trigger on
p=reject, we wouldn't be having this conversation. I'm not saying this to
blame them, rather I'm just recognizing facts. But we are where we are.

Michael Hammer
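An added example (not part of Michael Hammer's message or of the draft text under discussion): a minimal DMARC record parser and the receiver-side evaluation that turns a published policy request plus a failing alignment into a disposition, alongside the rua= extraction that gives the domain owner the visibility the message above describes. The record strings, domain names and report addresses are constructed for the example; SPF/DKIM alignment results are passed in as booleans rather than computed, and the indirect-flow scenario in `main()` (a list relay that rewrites the body and sends from its own server) is a constructed illustration.

```python
"""DMARC record parsing and policy evaluation, after RFC 7489 sections 6.3 and 6.6.

Added example: domains, addresses and records below are constructed.
"""
import re

VALID_POLICIES = ("none", "quarantine", "reject")
# pct= sampling steps the requested action down one notch (RFC 7489 6.6.4)
PCT_DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc TXT record into a dict of lowercase tag -> value.

    Raises ValueError when the record is not a DMARC1 record (v= must be the
    first tag) or when the mandatory p= tag is missing or invalid. Defaults
    for the tags that influence disposition are filled in.
    """
    parts = [p.strip() for p in record.split(";")]
    if not parts or not re.fullmatch(r"v\s*=\s*DMARC1", parts[0]):
        raise ValueError("not a DMARC1 record")
    tags = {}
    for part in parts:
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("sp", tags["p"])          # subdomain policy defaults to p=
    tags["pct"] = int(tags.get("pct", "100"))  # percentage of failing mail to act on
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct= out of range")
    return tags


def is_dmarc_record(record: str) -> bool:
    """True when parse_dmarc() accepts the record."""
    try:
        parse_dmarc(record)
        return True
    except ValueError:
        return False


def report_addresses(tags: dict) -> list:
    """Aggregate-report destinations from rua=, stripped of mailto: and the
    optional size suffix ('!10m')."""
    addrs = []
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if uri.startswith("mailto:"):
            addrs.append(uri[len("mailto:"):].split("!")[0])
    return addrs


def disposition(tags: dict, from_domain: str, policy_domain: str,
                spf_aligned: bool, dkim_aligned: bool, sample: int = 0) -> str:
    """Receiver-side DMARC result for one message.

    'pass' if either authenticated identifier aligns with the RFC5322.From
    domain. Otherwise the requested action: p= for the policy domain itself,
    sp= for a subdomain. `sample` is a value in [0, 100); the message is
    subject to the full policy only when sample < pct, otherwise the action
    is downgraded one step.
    """
    if spf_aligned or dkim_aligned:
        return "pass"
    policy = tags["p"] if from_domain == policy_domain else tags["sp"]
    if sample >= tags["pct"]:
        policy = PCT_DOWNGRADE[policy]
    return policy


def main():
    # Constructed: a transactional domain with a reject policy and two report sinks.
    rec = ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
           "rua=mailto:dmarc-rua@example.com!10m, mailto:agg@example.net")
    tags = parse_dmarc(rec)
    print("reports go to:", report_addresses(tags))
    # Constructed indirect flow: a mailing list relays user@example.com's post,
    # rewrites the body (DKIM broken) and sends from its own server (SPF not aligned).
    print("list relay:", disposition(tags, "example.com", "example.com", False, False))
    # Direct send with an aligned DKIM signature.
    print("direct:", disposition(tags, "example.com", "example.com", False, True))


if __name__ == "__main__":
    main()
```

A domain that wants only the visibility can publish `p=none` with an rua= address: every failing message is still reported, but `disposition()` returns "none" and the receiver delivers as usual; moving to quarantine or reject later is a one-tag change to the same record.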