Re: [dmarc-ietf] Ticket #39 - remove p=quarantine

[Дилян Палаузов <dilyan.palauzov@aegee.org>]

Post Scriptum: DMARC can say one of two things:
-- all mails for a domain are DKIM-signed and aligned, according to the
domain owner
-- not all mails for a domain are DKIM-signed and aligned (e.g. when
the DMARC policy is absent, or p=none) according to the domain owner

Does the DMARC specification need to propose what to do with emails in
the first case above, when the DKIM-signature is not-valid/aligned? 
Some people will say yes.  I say no: there is no need to give one of
two possible advices on this (and there is no means to enforce the
advice)

Anyway, as I said I do not expect any consensus on this.

Please consider including in the DMARC specificaiton a discussion on
what is reasonable, e.g as outlined in the email below, and elaborate
pros and cons on r=reject and r=quarantine.

As the topic is controversal, it shall be presented as controversal in
the specification.

I do not follow the discussions here, I suppose that by now is
addressed, that „p=quarantine;pct=0“ should be interperted as „do MLM-
mungling”, and p=none to mean „no MLM mungling”.

⇐⇐⇐⇐⇐
From: Vladimir Dubrovin <dubrovin@corp.mail.ru>
To: Dotzero <dotzero@gmail.com>, Vladimir Dubrovin
<dubrovin=40corp.mail.ru@dmarc.ietf.org>
CC: IETF DMARC WG <dmarc@ietf.org>, Дилян Палаузов
<dilyan.palauzov@aegee.org>
Subject: Re: [dmarc-ietf] Abolishing DMARC policy quarantine
Date: Fri, 14 Jun 2019 19:25:02 +0300

Nope, I mean 2 different things. 

1. Why quarantine is useful (with pct=0).  

For example this mailing list (dmarc@ietf.org) performs From rewrite
(aka From munging), e.g. dubrovin@corp.mail.ru is replaced with
dubrovin=40corp.mail.ru@dmarc.ietf.org. It's because corp.mail.ru has a
strict DMARC policy (reject). dotzero@gmail.com is not overwritten,
because gmail.com has p=none and ietf.org only overwrites From only for
domains with "quarantine" and "reject" policies. It's quite common
behavior.

If you are implementing DMARC for a new domain (let's say example.org),
you usually start with "p=none". With p=none you receive reports for
failed DMARC for different lists, like ietf.org. Before switching to
stronger policy (p=reject), you may want to know which mailing list
will still fail DMARC, and which lists perform From munging and, as a
result, do not fail DMARC. For this purpose, before switching to
"p=reject" it's useful to switch to "p=quarantine;pct=0". After this,
you will only see mailing lists without From munging in DMARC reports.

2. Why quarantine should not be used with pct different from 0

If you start enforsing strong DMARC policy with "p=reject" and you have
some previously uncatched misconfiguration (e.g. wrong envelope-from
address in some once-in-the-month mailing), you see DMARC failures  in
your logs and you can react to this failures and even re-send the
messages affected. 
If you start with "p=quarantine" you have no feedback except reports,
and reports are received with a huge lag (up to 2 days) and do not
provide sufficient information to catch the exact problem and you can
not re-send the quarantined messages.

⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒⇒





On Wed, 2020-12-02 at 13:15 +0200, Дилян Палаузов wrote:
> Hello,
> 
> On Tue, 2020-12-01 at 15:55 -0800, Dave Crocker wrote:
> > On 12/1/2020 3:17 PM, John R Levine wrote:
> > > #39 proposes that we remove p=quarantine.  I propose we leave it
> > > in, 
> > > even if it
> > > is not very useful, because trying to remove it would be too
> > > confusing. 
> > 
> > process, I suggest this issue gets some meaningful discussion.  My
> > email 
> > archive indicates it hasn't gotten any discussion at all.
> 
> This was discussed under the subject “Abolishing DMARC policy
> quarantine” in June 2019.  There was no consensus.  SMTP offers this
> distinciton and this is mirrored in DMARC.  In particular, senders
> are
> free to publish p=quarantine and receipients are free to interpret it
> as p=reject.  Senders can publish p=reject and receivers are free to
> interpret it as p=quarantine.
> 
> Moreover, some destination addresses do not have the concepts of a
> quarantine.  E.g an address that accepts commands for mailing lists
> managements.  Such addresses can either accept or reject the message
> -
> there is no quarantine, so interpreting published p=quarantine as
> p=reject is feasible.
> 
> Recalling the discussion from June 2019 I do not count on any
> different
> consensus, if it the discussion happens here again now.
> 
> Greetings
>   Дилян