IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #1 - SPF alignment

Seth Blank <seth@valimail.com> Fri, 12 February 2021 18:08 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26EC93A184C for <dmarc@ietfa.amsl.com>; Fri, 12 Feb 2021 10:08:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cLLXsOYm3GWb for <dmarc@ietfa.amsl.com>; Fri, 12 Feb 2021 10:07:57 -0800 (PST)
Received: from mail-vs1-xe29.google.com (mail-vs1-xe29.google.com [IPv6:2607:f8b0:4864:20::e29]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 600A13A1804 for <dmarc@ietf.org>; Fri, 12 Feb 2021 10:07:57 -0800 (PST)
Received: by mail-vs1-xe29.google.com with SMTP id l192so52978vsd.5 for <dmarc@ietf.org>; Fri, 12 Feb 2021 10:07:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bMkjcITV6QkXnsABw7z/fztkerKKQa/eurn0cL+3eHk=; b=AUcMTJALxxQa4dbP8WIEkQhxvChx3sPd4gAVhCatcxBOyF5dVeSgoiUjRTTd0YuHj1 Kx1AZjpnk8tS4vEZzUcNKNYXO6YnW88cGwe5AGFwpW1l/mdek8ONTLwjAubMf7M7dS3Y 3HsnVLmHqNyCuK4eKWyBWaXTv0flDk8nRc9KFbqhzIExGnkrGJhXrq8M2UAq5FE59vx6 6SuIR0fwg7L6IN6ebwEzYu8HRPZ8NMdzHgYVG+k0Ar1rdi/ZS+niMQKMePTwHRe3+915 MLUHCIE5yfVkl/yjRNaga8ggYXV3cM+re6XONtGK6sSSrNyWAN8xDjXiWlJ0BUi8Wbg4 07lA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bMkjcITV6QkXnsABw7z/fztkerKKQa/eurn0cL+3eHk=; b=Uu23LAyHom+X0NPn+ojbC9S4cvZbc5mTyyXtojgrbKa8t2GJlZhctDKJzeoLppsnb/ Wk5U1WQS4rzUrSL+/kcsh+lm9ogqHe4D1rH2DhKGV6vCgEzYvpwWfOUbzqwRZad5lbnT b8D2VEUQdYjTolu3wOAdH4P61RR622vf1A3lHQXAHGoZZ0FlVCuFA8ueiObgIYbwIMrU io/1tWjlxB8QL56WcXGJ0ZrAhHogx2h0i1j2x5/voeI8OZTUuxHp/gzWVTEzfecw/16e GFOQshatKJ3JePXZjuLg+/pfjBt5HKazKOyi7XER6T2o7OJrFY3G3gNvt+ZKf96HlYay fLXA==
X-Gm-Message-State: AOAM530FH37B5kUWstwmxK92SEmm8jcS7V3qCP46WFjLz9GtLqgdKGNi OKbdcVnMVktnI0NhTnhnGGaBx93IG7aEUahJk8zOmQ==
X-Google-Smtp-Source: ABdhPJw1c8qPbNtPkzpjdB23NsbsLJqOptzbckLJhODgAVBa6/t0yWhpj3PV96BoK7zJCEMVcIfDNDt3uDMpsbhk79w=
X-Received: by 2002:a67:ed84:: with SMTP id d4mr2552317vsp.52.1613153276215; Fri, 12 Feb 2021 10:07:56 -0800 (PST)
MIME-Version: 1.0
References: <20210203181226.9AB746D51182@ary.qy> <5450463.gl6gDTMLP0@zini-1880> <CAH48ZfwyMGCam8Mdk=vrYcFaEU6z0RMUoY9LD8n8JWeNi_hCLg@mail.gmail.com> <3044649.0BfFdxGTVy@zini-1880>
In-Reply-To: <3044649.0BfFdxGTVy@zini-1880>
From: Seth Blank <seth@valimail.com>
Date: Fri, 12 Feb 2021 10:07:44 -0800
Message-ID: <CAOZAAfM1yq9=iScEAwGzJT5bRMXT0VCCC1NLFBoQdtufvUmDHA@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>, Douglas Foster <dougfoster.emailstandards@gmail.com>, Alessandro Vesely <vesely@tana.it>
Cc: IETF DMARC WG <dmarc@ietf.org>, John Levine <johnl@taugh.com>
Content-Type: multipart/alternative; boundary="000000000000ff59e305bb27831f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/OTBQSju5ZxwJ1WzgzHmpBdfBMkc>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Feb 2021 18:08:00 -0000

As an individual, +1000 to Scott.

As Chair, this thread is unproductive, and two months passed due date to
resolve. Consensus seems clear that there isn't an issue here. If there's a
clear use case that hasn't been communicated, share it now or move on.

Seth

On Fri, Feb 12, 2021 at 10:02 AM Scott Kitterman <sklist@kitterman.com>
wrote:

> I didn't miss it.  I don't think it's meaningful.
>
> In the real world, outside the IETF one of three things happens:
>
> 1.  Everything works fine.
>
> 2.  Someone depends on HELO evaluation of SPF and discovers from
> evaluating
> the feedback reports that's it's a problem and then doesn't to that
> anymore.
>
> 3.  Someone depends on HELO evaluation of SPF and doesn't discover it's a
> problem because they don't look at their feedback reports.
>
> For case 1 and 2, there's no issue.
>
> Case 3 doesn't care if their mail gets delivered, so its fine.
>
> This excessive focus on irrelevant minutia is harmful to the IETF.  It
> makes
> participation less interesting for technically capable contributors and
> reduces the overall value of the discourse.
>
> Many people have suggested we move on.  My prediction is you won't, but
> this
> is my last email on the topic.
>
> Scott K
>
> On Thursday, February 11, 2021 11:24:16 PM EST Douglas Foster wrote:
> > You missed my main point.   I will restate it, and then address your
> threat
> > question.
> >
> > If there are N ways to establish authentication, then a recipient only
> > needs to choose one of them, but a sender who wants to be validated by
> all
> > recipients must implement all of them.   One purpose of the specification
> > is to constrain that complexity.
> >
> > So the convenient solution would be to say that SPF HELO must be ignored,
> > except for null sender, because doing so reduces the number of variables
> > that must be considered by senders.   It is also probably consistent with
> > the logic of many current implementations.   I just do not believe that
> it
> > is justified to tell recipients that they MUST NOT evaluate SPF HELO when
> > MAILFROM is present.
> >
> > An alternative would be to say that SPF HELO and SPF MAILFROM should both
> > be evaluated.   In the long run, this is arguably the best theoretical
> > solution, but the fear of short-term pain from false positives probably
> > makes this unattractive.
> >
> > So, I am back to the only solution that seems justifiable:    Senders
> > SHOULD comply with both MAILFROM and HELO policies because SOME
> recipients
> > may evaluate both criteria, but many will only evaluate MAILFROM because
> > the incremental theoretical benefit seems less than the incremental cost.
> >
> > - - -
> >
> > To your point about threat vectors:  DMARC alignment is based on nested
> > layers of trust, and the trust is broken if you skip layers.  The server
> > operator provides a mail server environment to a mail domain, and the
> mail
> > domain provides delivery services for an author.
> >
> > SPF proves that the mail domain (indicated by the MAILFROM address)
> really
> > uses the services of the server domain, and therefore the server
> (indicated
> > by IP address, HELO, and possibly ReverseDNS) is authorized to send
> > messages on behalf of the mail domain.
> >
> > DMARC proves that the source server for the message was authorized to
> speak
> > on behalf of the author (indicated by the From address).
> >
> > You suggest that if SPF HELO passes, and aligns with FROM, then we have
> > established that the server is authorized to speak for the author.   This
> > is true, but it does not establish that the mail domain in the MAILFROM
> > address has that right.
> >
> > When the MAILFROM domain is different from the HELO domain, this implies
> > that that MAILFROM domain is a client of the server domain.   The server
> > domain has the right to emit messages for the client, but the client
> domain
> > does not have the right to email messages claiming to be from the server
> > domain.
> >
> > - - -
> >
> > It can be asserted that the server domain should be able to use its
> > firewall to prevent unauthorized servers from emitting mail, and should
> be
> > able to use its outbound gateway to prevent client domains from emitting
> > messages from the server domain, other clients, or any unrelated domain.
> > These commonly implemented measures could eliminate the need for checking
> > SPF HELO.   Why should others check what the sender should be able to do
> > for themselves?
> > Are we prepared to make this argument?   If so, then the existing wording
> > stands, but needs a solid justification.
> >
> > DF
> >
> > On Thu, Feb 11, 2021 at 8:50 AM Scott Kitterman <sklist@kitterman.com>
> >
> > wrote:
> > > What problem are you purporting to solve?
> > >
> > > By problem, I mean a case were a bad actor can get a DMARC pass result
> if
> > > SPF
> > > HELO results are allowed to be used that they couldn't already get
> with a
> > > mail
> > > from result.
> > >
> > > I don't think such a case exists which is why I think this entire line
> of
> > > argument is a waste of time.
> > >
> > > Scott K
> > >
> > > On Thursday, February 11, 2021 6:35:49 AM EST Douglas Foster wrote:
> > > > Applying SPF to DMARC could become out of scope, if we choose to
> remove
> > >
> > > SPF
> > >
> > > > from DMARC and make it dependent only on DKIM.   Until then, we need
> to
> > > > have a shared understanding of how SPF is applied.  This question
> asks
> > > > whether that shared understanding exists.
> > > >
> > > > SPF involves two tests, which can be used together.   This WG can
> insist
> > > >
> > > > that for DMARC purposes, only one can be used:
> > > >     "When the sender is not null, DMARC-evaluation only considers the
> > > >     SPF
> > > >
> > > > evaluation of the MAILFROM Address.   SPF evaluation of HELO MUST
> NOT be
> > > > considered for DMARC purposes."
> > > >
> > > > This wording seems implied by the current language, and by those who
> > > > want
> > > > to leave it untouched.  Implication is different from specification,
> so
> > >
> > > our
> > >
> > > > document should make this explicit.   Unfortunately, an explicit MUST
> > > > NOT
> > > > requirement is hard to justify.   When two domains are involved, and
> > > > both
> > > > domains have published policy information, what justification exists
> for
> > > > ignoring some of the available security-related information?
> > > >
> > > > If we back away from MUST NOT, then we have to consider that some
> > > > recipients MAY evaluate SPF HELO and SPF MAILFROM together, just as
> the
> > >
> > > SPF
> > >
> > > > RFC expected them to be used, and as outlined in one of my examples.
> > >
> > > If
> > >
> > > > some recipients MAY evaluate HELO, then senders SHOULD take care to
> > >
> > > ensure
> > >
> > > > that HELO will generate a PASS.   Our language becomes something like
> > >
> > > this:
> > > >     "When the sender is not null, DMARC-evaluation always uses the
> SPF
> > > >
> > > > evaluation of the MAILFROM Address.   Some recipients may evaluate
> SPF
> > >
> > > HELO
> > >
> > > > as well.   To maximize recipient trust, senders SHOULD publish an SPF
> > > > policy which ensures that both MAILFROM and HELO will produce SPF
> PASS
> > > > results."
> > > >
> > > > DF
> > > >
> > > > On Wed, Feb 10, 2021 at 6:29 PM Dave Crocker <dcrocker@gmail.com>
> wrote:
> > > > > On 2/10/2021 3:24 PM, Douglas Foster wrote:
> > > > > > Huh?  Are you asserting that SPF MAILFROM and SPF HELO are
> > > > > > interchangeable?   They are not, but they can work together.
> > > > >
> > > > > Perhaps I misread, but I thought I saw that this really is out of
> > > > > scope
> > > > > for this working group.
> > > > >
> > > > >
> > > > > d/
> > > > >
> > > > > --
> > > > > Dave Crocker
> > > > > dcrocker@gmail.com
> > > > > 408.329.0791
> > > > >
> > > > > Volunteer, Silicon Valley Chapter
> > > > > American Red Cross
> > > > > dave.crocker2@redcross.org
> > >
> > > _______________________________________________
> > > dmarc mailing list
> > > dmarc@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dmarc
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>


-- 

*Seth Blank* | VP, Standards and New Technologies
*e:* seth@valimail.com
*p:* 415.273.8818

`

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email