Re: [dmarc-ietf] ARC vs reject

John Levine <johnl@taugh.com> Sat, 05 December 2020 21:03 UTC

Date: 5 Dec 2020 16:03:51 -0500
Message-Id: <20201205210351.DB78E2904420@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: mike@mtcc.com
In-Reply-To: <4f2d2e0e-c773-95df-0958-12344e963b7a@mtcc.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/NcM3_NzaZxKAIE6I0sQTsDvV6Xs>
Subject: Re: [dmarc-ietf] ARC vs reject

In article <4f2d2e0e-c773-95df-0958-12344e963b7a@mtcc.com> you write:
>
>As I understand ARC, it is a means of transporting the original auth-res 
>to the destination in case the origin signature is broken by an 
>intermediary. From there the destination can decide one way or the other 
>to override the DMARC policy of, say, reject. 

Right.

>There are, however, use 
>cases where that is exactly wrong and in no case does the originating 
>domain want such an override to happen. Consider my bank sending me 
>transactional email. If somehow somebody managed to get that mail 
>through a mailing list and arc-resigned it, my bank does *not* want that 
>mail to be delivered regardless of the reputation of the mailing list 
>because something weird and wrong is happening on its face.
 
If you get a message from a bank via a trustworthy mailing list with a
valid ARC chain that starts with a DMARC pass, that means someone at
the bank really did send the message to the list. I don't think it's
our job to try to guess whether the bank's users are following some
internal policy we can't see.

In practice, I can tell you that many organizations publish p=reject
because it is "more secure" and have no clue about mailing lists, so
it's a feature that ARC lets their users participate in mailing lists
without totally ignoring their DMARC policy. 

Ditto organizations that publish p=reject and only have SPF, no DKIM,
so all of their mail fails when it's forwarded. I can tell you this
latter situation happens a lot, particularly in US government
organizations where DMARC is just another checklist item.

R's,
John
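The receiver-side decision John describes (override a p=reject only when a valid ARC chain from trusted sealers starts with a DMARC pass, which also covers the SPF-only sender whose mail breaks on forwarding) as an added Python example. This is not code from the message or from any deployed MTA; it assumes the cryptographic ARC-Seal/ARC-Message-Signature verification has already been done and recorded as `arc=pass` in the receiver's own Authentication-Results header, and it only models the policy step on top of that. All domains and header blocks are constructed, with signature data elided.

```python
"""Simplified DMARC-override policy on top of an already-verified ARC chain.

Added example, not a real MTA's logic. Assumption: the ARC seals have been
cryptographically verified and the outcome recorded as arc=pass / arc=fail
in the topmost Authentication-Results header; this code only decides policy.
"""
from __future__ import annotations
import re
from collections import defaultdict

# method=result pairs such as dmarc=pass, spf=fail; \b keeps "arc" from
# matching inside "dmarc" and "d=" inside "header.d=" from matching at all.
METHOD_RE = re.compile(r"\b(dmarc|spf|dkim|arc)=(\w+)")
TAG_RE = re.compile(r"\b(\w+)=([^;\s]+)")          # generic tag=value pairs


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (lowercased name, value), unfolding continuations."""
    out: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and out:            # folded continuation line
            name, value = out[-1]
            out[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out


def method_results(value: str) -> dict[str, str]:
    """Extract method=result pairs from an Authentication-Results style value."""
    return dict(METHOD_RE.findall(value))


def parse_arc_sets(headers: list[tuple[str, str]]) -> dict[int, dict]:
    """Group ARC-Seal / ARC-Authentication-Results fields by instance number i=."""
    sets: dict[int, dict] = defaultdict(dict)
    for name, value in headers:
        if not name.startswith("arc-"):
            continue
        tags = dict(TAG_RE.findall(value))
        i = int(tags.get("i", 0))
        if name == "arc-seal":
            sets[i]["seal_domain"] = tags.get("d")
            sets[i]["cv"] = tags.get("cv")
        elif name == "arc-authentication-results":
            sets[i]["aar"] = method_results(value)
    return dict(sets)


def override_decision(raw_headers: str, trusted_sealers: set[str]) -> tuple[bool, str]:
    """Return (override_reject?, reason) for a message that failed DMARC locally."""
    headers = parse_headers(raw_headers)
    local: dict[str, str] = {}
    for name, value in headers:
        if name == "authentication-results":     # topmost = the receiver's own
            local = method_results(value)
            break
    if local.get("dmarc") != "fail":
        return False, "DMARC did not fail locally; nothing to override"
    if local.get("arc") != "pass":
        return False, "ARC chain did not verify; honour p=reject"
    sets = parse_arc_sets(headers)
    if not sets:
        return False, "no ARC sets present"
    first_hop = sets[min(sets)]                  # i=1: what the first intermediary saw
    if first_hop.get("aar", {}).get("dmarc") != "pass":
        return False, "first ARC hop did not observe a DMARC pass"
    untrusted = {s.get("seal_domain") for s in sets.values()} - trusted_sealers
    if untrusted:
        return False, f"untrusted sealer(s): {sorted(untrusted)}"
    return True, "override: trusted ARC chain starting from a DMARC pass"


# Constructed sample 1: bank mail relayed by a mailing list that rewrote the
# envelope sender and altered the body, so SPF is unaligned and DKIM broke.
VIA_TRUSTED_LIST = """\
Authentication-Results: mx.example.net; dmarc=fail (p=reject) header.from=bank.example; spf=pass smtp.mailfrom=lists.example.org; dkim=fail header.d=bank.example; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example.org; s=arc; t=1607201000; b=ELIDED
ARC-Message-Signature: i=1; a=rsa-sha256; d=lists.example.org; s=arc; h=from:to:subject; bh=ELIDED; b=ELIDED
ARC-Authentication-Results: i=1; lists.example.org; dmarc=pass header.from=bank.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example
From: alerts@bank.example
"""

# Constructed sample 2: an SPF-only p=reject sender whose mail was forwarded;
# the forwarder's i=1 record carries the spf=pass that the receiver can no longer see.
SPF_ONLY_FORWARD = """\
Authentication-Results: mx.example.net; dmarc=fail (p=reject) header.from=agency.example; spf=fail smtp.mailfrom=agency.example; dkim=none; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=forwarder.example; s=arc; t=1607201000; b=ELIDED
ARC-Message-Signature: i=1; a=rsa-sha256; d=forwarder.example; s=arc; h=from:to:subject; bh=ELIDED; b=ELIDED
ARC-Authentication-Results: i=1; forwarder.example; dmarc=pass header.from=agency.example; spf=pass smtp.mailfrom=agency.example; dkim=none
From: notices@agency.example
"""

if __name__ == "__main__":
    print(override_decision(VIA_TRUSTED_LIST, {"lists.example.org"}))
    print(override_decision(SPF_ONLY_FORWARD, {"forwarder.example"}))
    print(override_decision(SPF_ONLY_FORWARD, set()))
```

The trust set is the receiver's own local policy, which is the point of the thread: ARC transports the first hop's authentication results intact, but whether to act on them against a p=reject is still the receiver's call, and an untrusted sealer or a chain whose first hop never saw a DMARC pass leaves the reject in force.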