Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?
Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 20 April 2023 10:34 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD610C1516E3 for <dmarc@ietfa.amsl.com>; Thu, 20 Apr 2023 03:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZsFIB_IIrvy for <dmarc@ietfa.amsl.com>; Thu, 20 Apr 2023 03:34:21 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AAF8C1516E2 for <dmarc@ietf.org>; Thu, 20 Apr 2023 03:34:20 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id 2adb3069b0e04-4eed764a10cso474051e87.0 for <dmarc@ietf.org>; Thu, 20 Apr 2023 03:34:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681986857; x=1684578857; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=BZ7HQW9L4Rho7gPC7uSzg0emzoy8znnpljhtvFkil80=; b=NNeXrnMu58GqjLFW43mYweQuVO32iopY2n8f5bu/OcF7XLeEeFzAFP5rJ8Xb1VIEtR UIrxFgVQ0NaTviBIzLHuB87TR1CLU9Tmbr48ULbI4YIitSBom5LTCnA1fJld5IY2oETk 8tPuw+9SZWdmEq/ddSnJEydeaFUboAlNMW40fJlACpTckyqgACbJGmkUKfr+bmxlFhit zxJhdUytMcSdXhTxAFYh9Fb5PaWtHvgPFAgZoiQ75QaeMqugHBadgPXWaAEdTb7vleFz OWyJldwL1gjHNZlDCBbuMLeLzFFipACLoxCGGp6gPZ3DhzTVzGQe30iwYG0251q9Xbzu ctIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681986857; x=1684578857; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BZ7HQW9L4Rho7gPC7uSzg0emzoy8znnpljhtvFkil80=; b=gT2PA0Vp2SJVwPK1ple+2wVQhQj2RJSnHSlLvOQjnfN8NCv1AaAPoLPEXOPpdGYpYl bX3xKzo3F+npLcqyXcOaRUY2MA+ud80LyrcGJzRlzD5YQWdsmYw6/2esQPl7hJDdIPCG c/AAqPGysKUEaKV8lEQbJd3zOrOT5yqEyYBwMibAnt18b+2Sy5DCJMmiWGzrxJ4taaEG Aft6EJ2GeYR5GWZsiparzYpCXUJhd3UxfnEG2QAtcIhLldI9LQLBAK9T8hSSaSuoqkqW BXJnqNUrQeGslj88Qa7Y09CeIjv3KFAMeWu7UthezWA53+pV60OPbpXopGFyeSh7f1iG UQZA==
X-Gm-Message-State: AAQBX9cC0Kpj9IENwvNtg1Zn/6s87LmNY/03lyEPs5a18OJy+GSF5rmb WiGnlnJpGFjPHv4xu2ilf+FgGNCuq+btG+mTGuEwNIH8
X-Google-Smtp-Source: AKy350Yh8Pulm5qrFlfHpOk1KBGTrdg80hB+iR+i9vwpt3frfjiqdYbwIHnlk+b0ih/pNrCivJNFWEPDYWWSLHSBjHU=
X-Received: by 2002:a19:a402:0:b0:4ed:c79e:790b with SMTP id q2-20020a19a402000000b004edc79e790bmr239212lfc.5.1681986857548; Thu, 20 Apr 2023 03:34:17 -0700 (PDT)
MIME-Version: 1.0
References: <20230419132048.50E0CC01C901@ary.qy> <CF4A2AA2-7EAC-4525-844F-530A12DEC065@wordtothewise.com> <0abf9711-ca1c-bfcf-afb2-15e16b9de149@tana.it> <f99522bf-3802-4a9d-b098-683be77de67c@app.fastmail.com>
In-Reply-To: <f99522bf-3802-4a9d-b098-683be77de67c@app.fastmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 20 Apr 2023 06:34:05 -0400
Message-ID: <CAH48ZfzMDLrz+nR-XaNpq+3xdvTg8FA+aF8iN-tFTE5UqvG_Pw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000029405d05f9c21568"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OIRIL42OLk2nflq2UMrK279iMpg>
Subject: Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2023 10:34:25 -0000
If a vendor wants to serve a customer, he needs to provide a product that the customer can use. I don't see that it is IETFs problem to worry about a vendor with an inadequate email platform, especially since DMARC has been around awhile. But I have been thinking further about the constrained delegation issue. The general goal, at least for a single mailing is: User2@Domain2 needs to be authorized to email for User1@Domain1. DKIM authorizes anyone with the private key to email for anyuser@Domain1. The domain owner has to worry about multiple things: - Unauthorized Use For: Will domain2 will use the key for any messages other then User1@Domain1? - Unauthorized Use By: Will Others@Domain2 use the key for User2@Domain2? - Theft: Will be stolen and used by HostileUser@HostileDomain. Adjusting delegation: - Hector's ATSP proposal limits the delegation to Domain2. @HostileDomain cannot steal the delegation, because the delegation only works if a domain is authenticated by @domain1 and has signed the message. For a high-sensitivity domain like @WhiteHouse.Gov, they may want to require both: @Domain2 must have a DKIM private key for @Domain1 AND @Domain2 must have an ATSP delegation from @Domin1. - DKIMs "I=" clause can be used to limit the "Use For". A signature configured with "d=domain1; i=user1@domain1" should only authenticate messages with "From: user1@domain1". This is an upward-compatible change in the way DMARC interprets DKIM, not a layer violation of DKIM. This could be used two ways: (a) possession of the private key permits use to send on behalf of "user1@domain1", and (b) ATSP could provide user-level delegation to only messages counter-signed by user2@domain2. - Subdomains can be used to limit scope: Issuing a key for @subdomain1.domain1 is more limited risk than issuing a key for @domain1. - Subdomains with p=none can be used to allow a subset of messages to be sent unauthenticated. In some cases, allowing @subdomain.domain1 to operate unauthenticated may be perceived as lower risk than issuing a DKIM private key. The UseF On Wed, Apr 19, 2023 at 10:30 PM Jesse Thompson <zjt@fastmail.com> wrote: > On Wed, Apr 19, 2023, at 12:35 PM, Alessandro Vesely wrote: > > On Wed 19/Apr/2023 15:37:25 +0200 Laura Atkins wrote: > > To me it’s not so much the company can’t delegate authentication - it’s > how > > many SaaS providers (some of which are ESPs and some of which are 3rd > parties > > that send through ESPs) are incapable of supporting DMARC alignment. Not > it’s > > hard, not it’s challenging, but simply … can’t. They cannot sign with > foreign > > DKIM domains, and they cannot support different domains for SPF > authentication. > > > > Should DMARCbis make the recommendation that if you are providing mail > services > > that you SHOULD be able to support corporate customers using DMARC? > > > IMHO at least an appendix should say that if you can't do anything better > you > have to rewrite From: with examples of legitimate display-phrase, > expanding a > bit the first bullet in Section 11.4. That can also be a good place to > explain > the kind of damage DMARC causes. > > > That's what I'm getting at. I don't really see any difference between a > mailing list and someone providing mail services (I won't use the word ESP > since that seems to be a loaded term) for corporate customers (I would also > add government customers, who are adhering to BOD 18-01 in droves and they > are also adopting said companies providing mail services) > > The choice for both the mailing list and mail-service company is to: > > 1) ignore DMARC and continue to emit mail as the original author intended > (the author might be ignorant of DMARC too) and assume the mailbox > providers are smart enough to understand that, like mailing lists, > mail-service companies and their mail emitting authors shouldn't be caught > up by a DMARC misdeployment by the domain owner > > 2) be cognisant of DMARC's effects, and in the interest of keeping the > author's mail flowing, use a different domain and put the author's address > in the friendly from or similar, or just refuse to accept the messages, > until delegation can be set up. > > I can say, anecdotally, that people really really want #1 to be true, but > they eventually learn #2 leads to a better long term outcome. I'd like that > "learning" to be less painful by having something unambiguous to point at > in DMARCbis. > > Jesse > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] Is From spoofing an interoperability… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Douglas Foster
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Jesse Thompson
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Laura Atkins
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Jesse Thompson
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Douglas Foster
- Re: [dmarc-ietf] Is From spoofing an interoperabi… John Levine
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Dotzero
- [dmarc-ietf] About UAID User Agent Identity. Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Hector Santos
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Scott Kitterman
- Re: [dmarc-ietf] Is From spoofing an interoperabi… Alessandro Vesely
- [dmarc-ietf] Two basic Issues to address to help … Hector Santos
- Re: [dmarc-ietf] Two basic Issues to address to h… Dotzero
- Re: [dmarc-ietf] Two basic Issues to address to h… Hector Santos
- Re: [dmarc-ietf] Two basic Issues to address to h… Alessandro Vesely
- Re: [dmarc-ietf] Two basic Issues to address to h… Hector Santos