IETF Logo Mail Archive

Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 20 April 2023 10:34 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD610C1516E3 for <dmarc@ietfa.amsl.com>; Thu, 20 Apr 2023 03:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aZsFIB_IIrvy for <dmarc@ietfa.amsl.com>; Thu, 20 Apr 2023 03:34:21 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AAF8C1516E2 for <dmarc@ietf.org>; Thu, 20 Apr 2023 03:34:20 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id 2adb3069b0e04-4eed764a10cso474051e87.0 for <dmarc@ietf.org>; Thu, 20 Apr 2023 03:34:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681986857; x=1684578857; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=BZ7HQW9L4Rho7gPC7uSzg0emzoy8znnpljhtvFkil80=; b=NNeXrnMu58GqjLFW43mYweQuVO32iopY2n8f5bu/OcF7XLeEeFzAFP5rJ8Xb1VIEtR UIrxFgVQ0NaTviBIzLHuB87TR1CLU9Tmbr48ULbI4YIitSBom5LTCnA1fJld5IY2oETk 8tPuw+9SZWdmEq/ddSnJEydeaFUboAlNMW40fJlACpTckyqgACbJGmkUKfr+bmxlFhit zxJhdUytMcSdXhTxAFYh9Fb5PaWtHvgPFAgZoiQ75QaeMqugHBadgPXWaAEdTb7vleFz OWyJldwL1gjHNZlDCBbuMLeLzFFipACLoxCGGp6gPZ3DhzTVzGQe30iwYG0251q9Xbzu ctIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681986857; x=1684578857; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BZ7HQW9L4Rho7gPC7uSzg0emzoy8znnpljhtvFkil80=; b=gT2PA0Vp2SJVwPK1ple+2wVQhQj2RJSnHSlLvOQjnfN8NCv1AaAPoLPEXOPpdGYpYl bX3xKzo3F+npLcqyXcOaRUY2MA+ud80LyrcGJzRlzD5YQWdsmYw6/2esQPl7hJDdIPCG c/AAqPGysKUEaKV8lEQbJd3zOrOT5yqEyYBwMibAnt18b+2Sy5DCJMmiWGzrxJ4taaEG Aft6EJ2GeYR5GWZsiparzYpCXUJhd3UxfnEG2QAtcIhLldI9LQLBAK9T8hSSaSuoqkqW BXJnqNUrQeGslj88Qa7Y09CeIjv3KFAMeWu7UthezWA53+pV60OPbpXopGFyeSh7f1iG UQZA==
X-Gm-Message-State: AAQBX9cC0Kpj9IENwvNtg1Zn/6s87LmNY/03lyEPs5a18OJy+GSF5rmb WiGnlnJpGFjPHv4xu2ilf+FgGNCuq+btG+mTGuEwNIH8
X-Google-Smtp-Source: AKy350Yh8Pulm5qrFlfHpOk1KBGTrdg80hB+iR+i9vwpt3frfjiqdYbwIHnlk+b0ih/pNrCivJNFWEPDYWWSLHSBjHU=
X-Received: by 2002:a19:a402:0:b0:4ed:c79e:790b with SMTP id q2-20020a19a402000000b004edc79e790bmr239212lfc.5.1681986857548; Thu, 20 Apr 2023 03:34:17 -0700 (PDT)
MIME-Version: 1.0
References: <20230419132048.50E0CC01C901@ary.qy> <CF4A2AA2-7EAC-4525-844F-530A12DEC065@wordtothewise.com> <0abf9711-ca1c-bfcf-afb2-15e16b9de149@tana.it> <f99522bf-3802-4a9d-b098-683be77de67c@app.fastmail.com>
In-Reply-To: <f99522bf-3802-4a9d-b098-683be77de67c@app.fastmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 20 Apr 2023 06:34:05 -0400
Message-ID: <CAH48ZfzMDLrz+nR-XaNpq+3xdvTg8FA+aF8iN-tFTE5UqvG_Pw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000029405d05f9c21568"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OIRIL42OLk2nflq2UMrK279iMpg>
Subject: Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Apr 2023 10:34:25 -0000

If a vendor wants to serve a customer, he needs to provide a product that
the customer can use.   I don't see that it is IETFs problem to worry about
a vendor with an inadequate email platform, especially since DMARC has been
around awhile.

But I have been thinking further about the constrained delegation issue.
 The general goal, at least for a single mailing is:
User2@Domain2 needs to be authorized to email for User1@Domain1.

DKIM authorizes anyone with the private key to email for anyuser@Domain1.
 The domain owner has to worry about multiple things:

   - Unauthorized Use For:   Will domain2 will use the key for any messages
   other then User1@Domain1?
   - Unauthorized Use By:   Will Others@Domain2 use the key for
   User2@Domain2?
   - Theft:  Will be stolen and used by HostileUser@HostileDomain.

Adjusting delegation:

   - Hector's ATSP proposal limits the delegation to Domain2.
    @HostileDomain cannot steal the delegation, because the delegation only
   works if a domain is authenticated by @domain1 and has signed the message.
    For a high-sensitivity domain like @WhiteHouse.Gov, they may want to
   require both:   @Domain2 must have a DKIM private key for @Domain1
   AND @Domain2 must have an ATSP delegation from @Domin1.

   - DKIMs "I=" clause can be used to limit the "Use For".   A signature
   configured with "d=domain1; i=user1@domain1" should only authenticate
   messages with "From: user1@domain1".   This is an upward-compatible
   change in the way DMARC interprets DKIM, not a layer violation of DKIM.
    This could be used two ways:  (a) possession of the private key permits
   use to send on behalf of "user1@domain1", and (b) ATSP could provide
   user-level delegation to only messages counter-signed by user2@domain2.

   - Subdomains can be used to limit scope:   Issuing a key for
   @subdomain1.domain1 is more limited risk than issuing a key for @domain1.
   - Subdomains with p=none can be used to allow a subset of messages to be
   sent unauthenticated.  In some cases, allowing @subdomain.domain1 to
   operate unauthenticated may be perceived as lower risk than issuing a DKIM
   private key.


The UseF


On Wed, Apr 19, 2023 at 10:30 PM Jesse Thompson <zjt@fastmail.com> wrote:

> On Wed, Apr 19, 2023, at 12:35 PM, Alessandro Vesely wrote:
>
> On Wed 19/Apr/2023 15:37:25 +0200 Laura Atkins wrote:
> > To me it’s not so much the company can’t delegate authentication - it’s
> how
> > many SaaS providers (some of which are ESPs and some of which are 3rd
> parties
> > that send through ESPs) are incapable of supporting DMARC alignment. Not
> it’s
> > hard, not it’s challenging, but simply … can’t. They cannot sign with
> foreign
> > DKIM domains, and they cannot support different domains for SPF
> authentication.
> >
> > Should DMARCbis make the recommendation that if you are providing mail
> services
> > that you SHOULD be able to support corporate customers using DMARC?
>
>
> IMHO at least an appendix should say that if you can't do anything better
> you
> have to rewrite From: with examples of legitimate display-phrase,
> expanding a
> bit the first bullet in Section 11.4.  That can also be a good place to
> explain
> the kind of damage DMARC causes.
>
>
> That's what I'm getting at. I don't really see any difference between a
> mailing list and someone providing mail services (I won't use the word ESP
> since that seems to be a loaded term) for corporate customers (I would also
> add government customers, who are adhering to BOD 18-01 in droves and they
> are also adopting said companies providing mail services)
>
> The choice for both the mailing list and mail-service company is to:
>
> 1) ignore DMARC and continue to emit mail as the original author intended
> (the author might be ignorant of DMARC too) and assume the mailbox
> providers are smart enough to understand that, like mailing lists,
> mail-service companies and their mail emitting authors shouldn't be caught
> up by a DMARC misdeployment by the domain owner
>
> 2) be cognisant of DMARC's effects, and in the interest of keeping the
> author's mail flowing, use a different domain and put the author's address
> in the friendly from or similar, or just refuse to accept the messages,
> until delegation can be set up.
>
> I can say, anecdotally, that people really really want #1 to be true, but
> they eventually learn #2 leads to a better long term outcome. I'd like that
> "learning" to be less painful by having something unambiguous to point at
> in DMARCbis.
>
> Jesse
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email