[dmarc-ietf] Proposal for auth policy tag in draft-ietf-dmarc-dmarcbis

Wei Chuang <weihaw@google.com> Fri, 04 August 2023 16:17 UTC

Return-Path: <weihaw@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B72EBC1782AC for <dmarc@ietfa.amsl.com>; Fri, 4 Aug 2023 09:17:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.607
X-Spam-Level:
X-Spam-Status: No, score=-17.607 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 36zzzBEgxNac for <dmarc@ietfa.amsl.com>; Fri, 4 Aug 2023 09:17:04 -0700 (PDT)
Received: from mail-il1-x12d.google.com (mail-il1-x12d.google.com [IPv6:2607:f8b0:4864:20::12d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E1DD1C1782A2 for <dmarc@ietf.org>; Fri, 4 Aug 2023 09:17:04 -0700 (PDT)
Received: by mail-il1-x12d.google.com with SMTP id e9e14a558f8ab-3458e2c3218so45ab.0 for <dmarc@ietf.org>; Fri, 04 Aug 2023 09:17:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1691165823; x=1691770623; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=pE1gzRgx4hv/crXCA7ZoLr028f10Vo/mJ28tsAHx8/w=; b=NnoktB10WP4qvKxNTsD4JkDtJMu3e315XHKSS6UZ7g5UIGg+56NjqyfoFhKfrb88w0 UTKW4wteRWWYczaA899I1F3tirraY+48UlK+j0ALNDr1weOPNCcniUTccJ7A4fBJ8/pV kIFrwietPip0waANZxnp4LxvCuMTt0M+SNKidNZj8QbK8xNe0uye+uSKcrckA3wllFkt hEKWkIz/yfF47cDqHld95OmcAqqjJsn+kCrl0vYav0e0+PArWmQb6/jxh3fsj+BrLXDl u2ZR5ldQVZTto7SMVC8ixztFIdVYn3qj8z+wP5xKKfZr9hBD/9zpmQ/MJ9oXcJfsCrct gcZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691165823; x=1691770623; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=pE1gzRgx4hv/crXCA7ZoLr028f10Vo/mJ28tsAHx8/w=; b=KP3PGCzhvHV12O0WHthqSXeZkOjUp/p9CN4m5aUNjdGHsxKYcKoz5+hZ/VPhHBlZWH XCGGxkxmdLZ1P3aEXyzTlqvmlYa0mrfhYYfNCdg0yXArZ+7UQlQ2VvbUf3d9t07EMH21 3mpvOrAXWqMF2Dd920yg3p523/FLeDtAOoMd5nq12wSg9FpL7nN7YoDT+iFj45N1RRQt pkODrkTdJiiEelT+1OHbkZcwRS5giNndtEAA88YmReS3tW3Zt3lNl0bbXOHK1OMIxQpK pLSS+fi2TVg2z8dqGgDCvMOwuJ2SZhJBM1d1PUYdgZGiodemcXLOr6uqbjwLoZFXkR43 aLSw==
X-Gm-Message-State: AOJu0YxlxGbEQdPrZyOIf8CIl0zAF67TDDiI69TbJb5RHvn4EFEpuM9T kh6bMXJFW7BRaBRKAoQo6zhC9mnRpPFJA2nOeWan6F5jUCjAtqK071PRDOKB
X-Google-Smtp-Source: AGHT+IG7FT+uDZeyEc7nCzFJ2qtVLTCJ4b2slVur/fO/KX8ADbT+5LYy59zLBGddhZF3owte9ji3dNe94CwLBbS9c3w=
X-Received: by 2002:a05:6e02:1a6d:b0:345:c3b4:d617 with SMTP id w13-20020a056e021a6d00b00345c3b4d617mr37423ilv.2.1691165822542; Fri, 04 Aug 2023 09:17:02 -0700 (PDT)
MIME-Version: 1.0
From: Wei Chuang <weihaw@google.com>
Date: Fri, 04 Aug 2023 09:16:39 -0700
Message-ID: <CAAFsWK1JGFRvFzSB-wcKk6NM1HvJFDiKB-_zhnitvJfV4P9bcg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001dd7e506021b3ade"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PDktxOYkB28k6ukLDgDqlp6NEGw>
Subject: [dmarc-ietf] Proposal for auth policy tag in draft-ietf-dmarc-dmarcbis
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2023 16:17:08 -0000

At IETF-117, I restarted the proposal for a policy "auth=" tag based on the
proposal here
<https://mailarchive.ietf.org/arch/msg/dmarc/KeGbMfX91WJk_aziKsrRfI6AYkI/>.
The "auth=" policy allows for restriction of SPF in scenarios where it
might be problematic but still retains its availability in DMARC by
default.  I didn't hear objections at 117, so below is some proposed
language for "auth=" for dmarc-ietf-dmarc-dmarcbis.

-Wei

=====

1. Introduction, 3rd paragraph insert after first sentence:

In addition, the choice of permitted authentication methods, SPF or DKIM,
method MAY be explicitly specified, potentially to restrict the supported
authentication methods.

4.3 Authentication Mechanisms append:

Domain Owners and PSOs MAY explicitly specify the supported authentication
methods via the "auth=" tag.  The value is a colon ':' separated list of
supported authentication methods without whitespace.  The order of the list
isn't any significant,  and unknown methods are ignored. An aligned passing
result for any listed method indicates a DMARC pass.  An empty list
indicates no authentication method is specified and DMARC is disabled.  If
unspecified with a policy tag "auth=",  this indicates that both DKIM and
SPF are supported.

5.3 General Record Format insert:

auth: Indicates the supported authentication methods.  If more than one
method is specified, they are colon ':' separated without whitespace.  The
order of the list is not significant and unknown methods are ignored.  An
empty list indicates no authentication method is specified and DMARC is
disabled.
  dkim: Authenticate with DKIM
  spf: Authenticate with SPF

5.4. Formal Definition insert:

dmarc-auth = <empty> / "dkim" / "spf" / "dkim:spf" / "spf:dkim"

Table:
Tag Name   Value Rule
auth             dmarc-auth