IETF Logo Mail Archive

Re: [dmarc-ietf] Signaling MLMs

Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 15 April 2023 14:25 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF03C14CF1D for <dmarc@ietfa.amsl.com>; Sat, 15 Apr 2023 07:25:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V5J8Nl-gtp41 for <dmarc@ietfa.amsl.com>; Sat, 15 Apr 2023 07:25:23 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2B94C14CEED for <dmarc@ietf.org>; Sat, 15 Apr 2023 07:25:22 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-4ec816d64afso1970703e87.1 for <dmarc@ietf.org>; Sat, 15 Apr 2023 07:25:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681568720; x=1684160720; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=rNIITxXBpgEdsQy37kNJ9WL8rh4CePKZYOS5KRiFY3Y=; b=RXULiKe28I5puW9EHf7UcIhzgMJzdN/3r3zYP/MN01umKOVwS75jQzFGqmQu6bnp05 4njl1Vwuj/WnkTnSqOQOVOPvOPWklzLWHi6RrbpCnrgcnhb9GZa7DHEnemOGLpeQ+Lzp BX+hIbwrrsnPiJN+kcggl7TZT8LG4j0dnUujRA+dtn0yxsdU0eW0BsbpBb4U8REXUmTe FYU7Qx+j6ntWHT4ECPu+CRRIq8hiiUDA9rr4a1ihKNtuByy2DHWV4aOb22GSswZmYAoU EO8wQXlcBELWh+DtqxXJc6Y/tMUjrpSEwl7OcGjMkWidYaIK6V2NqaD2+vfZ1BFkfLHo Cg8w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681568720; x=1684160720; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rNIITxXBpgEdsQy37kNJ9WL8rh4CePKZYOS5KRiFY3Y=; b=KPzm+rI8hRiFqucq1jUrJV/eEdFuSlY0ETmAJyU+SVt19y4J842T6RicJosHoW1tjW ftPOvtAatMX4Z/TkvAsV5XL5v7UYGf6nYFYsbUul7fdWUh2t1BZxfo1HsNA8i3vwLPrm ISbzj6PiZc4ZmfaWGqICQidkAiPjz4HQSPdNJ5YIrni26bEyo/hct/SWfHleUQ2PjFRD Ms7CO3c19DoWCf7e9h49lIa3X+PI3wM38XC1c4v9XwPwwV2TGFHCp/L6Y9EHTzRwiU22 VRl5/o9uetB43iUTeqy3jmB1pdmL0Rva/IbBUv/vibIBqU5ggJ9+oO7I4bK8Sgzve6Po oBaw==
X-Gm-Message-State: AAQBX9ekM7xqgiO5k3JY96MQO+2PF+v6gEgF6/HxT11220CRx9kr9rGB WQBIEdua//vd8WBDCo32ZsBczIW1Mt9vNN09V/fecNza
X-Google-Smtp-Source: AKy350YDwRBTOlPjmipnPK0urHcuOKzxzfGPoqKTHLYSz+EngKHqWU/5J9R9W7VBNJfwapD6H5B5CjNAicTGP3fk4QQ=
X-Received: by 2002:ac2:532c:0:b0:4e9:717a:e60c with SMTP id f12-20020ac2532c000000b004e9717ae60cmr707968lfh.1.1681568720253; Sat, 15 Apr 2023 07:25:20 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwZc2X7tyP+_8vvL3Yb7uJk6td3XGbsXUB68BNUEMhV4yQ@mail.gmail.com> <CAL0qLwZToWMh3cO-1zvvMZBFvo2o_PF+aRD58kAEZ0OObOcQNA@mail.gmail.com> <4b5aa1d9-dcb0-4abd-a149-b6bae30349f7@app.fastmail.com> <19178820.EVbMYgQtk6@localhost> <4e33f615-d8c9-49db-af77-a937180ad83f@app.fastmail.com>
In-Reply-To: <4e33f615-d8c9-49db-af77-a937180ad83f@app.fastmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sat, 15 Apr 2023 10:25:08 -0400
Message-ID: <CAH48ZfxHG8oWRx3kGsoZx6Xs=Qon9fHz00_RE5q-G1MBy1N_bg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003c7d8b05f960ba24"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OOthR5SqTt0FuLLZ4KccLYdkq6k>
Subject: Re: [dmarc-ietf] Signaling MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Apr 2023 14:25:27 -0000

I can support Todd's language:

"Domain Owner MUST provide a domain with p=none for mailing list
participants"

because it presupposes participation with a mailing list, in particular a
mailing list that presumes a right to modify content in transit.

Mailing lists are not the only cause of non-malicious DMARC violations, but
they are apparently the most significant.   Another potential cause is
forwarding after a content-altering spam filter.    The use of "external
sender" disclaimers has become pretty common as part of cyber-insurance
contracts.   Appropriate language would be:

   - Domains that allow forwarding to external sources should not allow
   spam filters to add or alter content.   Similarly, domains that allow spam
   filters to add or alter content should not allow forwarding outside of the
   organization.

Many of the other problems involve the From user being set to match the
recipient address, because the message was triggered by the recipient using
the sender's website.   This problem is more contained and probably not
worthy of our mention, since those senders should behave differently.

Doug Foster




On Sat, Apr 15, 2023 at 9:56 AM Jesse Thompson <zjt@fastmail.com> wrote:

> On Fri, Apr 14, 2023, at 10:24 PM, Scott Kitterman wrote:
>
> On Friday, April 14, 2023 10:31:33 PM EDT Jesse Thompson wrote:
> > On Fri, Apr 14, 2023, at 7:17 PM, Murray S. Kucherawy wrote:
> > > The Sender's users being denied the ability to participate in a list
> due
> > > to its policies seems to me like it puts this customer service problem
> > > where it belongs.
> > Let's say, tomorrow, IETF configures this list to reject Todd's mail (as
> > well as for every other member with p=reject) and/or disables from
> > rewriting. Does Todd's domain owner care? No. Todd cares. Todd can't
> argue
> > with his CISO and IT security team and biz dev team and public relations
> > team and legal team and all of the other forces that caused his domain
> > owner to publish p=reject. But he can argue with IETF for making the
> > decision to make the change, because he feels like the IETF considers him
> > an important stakeholder.
> >
> > It's this list's customer service problem, like it or not.
> >
> > After calling IETF customer service, Todd finds out his options are:
> > 1. Create an email address in a domain that houses members of the general
> > public, instead of one that represents his identity as a member of a
> > company. 2. Don't participate in the list.
> >
> > But Todd is really important to this list, and doesn't like these
> options.
> > Surely something can be done for an old friend? John, having been
> escalated
> > this customer service dilemma seeks DMARCbis for guidance and finds:
> >
> > ...MUST NOT p=reject...
> > (Todd's company is pretty clearly stating Todd mustn't be representing
> his
> > company on any mailing list.)
> >
> > ...Domain Owner MUST provide a different domain with p=none for mailing
> list
> > participants. (Maybe they do, maybe they don't, but it's worth asking.)
> >
> > ...Mailbox providers MUST NOT reject or quarantine email based solely on
> a
> > DMARC policy violation. (John could ask each mailbox provider to create
> an
> > exception to their DMARC policy enforcement)
> >
> > and he also finds something like:
> >
> > ...If a mailing list would like to provide the best customer experience
> for
> > authors within domains that violate the "MUST NOT p=reject" and to
> deliver
> > the author's mail to mailbox providers violate their "MUST NOT solely
> > enforce", for those authors the mailing list MUST rewrite the From header
> > to use a different domain. This is a new mode of interoperability the
> > mailing list may choose to adhere to.
> >
> > John now knows what he MUST do to provide the best customer experience
> given
> > the reality he finds himself in with an important stakeholder. He can
> > choose to ignore that MUST as much as the domain owners and mailbox
> > providers will choose to ignore their MUST NOTs.
> >
> > I feel like there will be very few mailing lists that will ever stop
> > rewriting (among those who are doing it), especially if DMARC adoption
> > (publishing and enforcement) continues to rise. This is the new way of
> > interoperating, in reality.
> >
> > Throw them a bone so that they have a MUST to justify the things they
> had to
> > do to interoperate all this time. It's not as easy for them to justify
> > their reality with only this page
> > <
> https://wiki.asrg.sp.am/wiki/Mitigating_DMARC_damage_to_third_party_mail>
> > to lean on.
>
> Or Todd gets a Gmail account for his IETF work and doesn't bother tilting
> at
> windmills.
>
>
> That was the first option in the customer service dilemma, and it is the
> option I have chosen for now. I do not carry my company's brand in anything
> I say here. All opinions expressed are my own, [but maybe my opinions carry
> less weight as a result?]
>
> Why not turn off rewriting on this list, as an experiment? The hypothesis
> is that everyone will switch to Gmail and not tilt at IETF, but instead
> they will tilt at their domain owners.
>
> Earlier it was accused that no one is offering alternative language
> proposals.
>
> I feel like "Domain Owner MUST provide a domain with p=none for mailing
> list participants" was a reasonable suggestion, and isn't incompatible with
> "MUST NOT p=reject for domains with members of the general public". A
> couple of people found it acceptable when I suggested it before, and no one
> else rejected it (or read it). That kind of language makes it more clear
> that the domain owner must work to sort out their mixed-use domains (by
> adopting all of the great subdomain/treewalk/psd additions in DMARCbis).
>
> And the "If a mailing list would like to provide the best customer
> experience...MUST rewrite" suggestion seems like a reasonable way out of
> this "interoperability vs reality" standoff.  How about if I soften it up
> further:
>
> "Any sender (mailing list, forwarder, ESP, or otherwise) which is tasked
> to send unauthenticated email from an address within a p=reject|quarantine
> domain it MUST refuse to send the message or send the message using an
> RFC5322.from address in a different domain."
>
> Jesse
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email