Re: [dmarc-ietf] Proposed text to close out Ticket 96
Scott Kitterman <sklist@kitterman.com> Wed, 05 April 2023 21:57 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22E8CC1522CD for <dmarc@ietfa.amsl.com>; Wed, 5 Apr 2023 14:57:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="YEJGnJeH"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="DjVGjx8g"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4R3NKe1RaKcS for <dmarc@ietfa.amsl.com>; Wed, 5 Apr 2023 14:57:14 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEF47C151B3C for <dmarc@ietf.org>; Wed, 5 Apr 2023 14:57:13 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id EE5CBF8027F; Wed, 5 Apr 2023 17:57:02 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1680731808; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=0M4RpJSQWALDkrv4C7FLIg7s6sgPMSN3FvuY2AXbCTc=; b=YEJGnJeHTbSX3TKq230y1bDb1ir+jLyAADE8UdK3hG0JOk94ZvvtVa1ZRWHtrlcCd7cb5 qxwaLHnJ0qBSwvbAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1680731808; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=0M4RpJSQWALDkrv4C7FLIg7s6sgPMSN3FvuY2AXbCTc=; b=DjVGjx8gZwATDRO9mvZryt/ZdUI4kt0ES54U0hLBkgBPgmNK+bUJU02FEXqmI+B12Eowu VGWJwp3Q7i8KJxk01N3hakTWwBSOOo2RPSOk/dhes2SaA4tcHYTMtSzXH0zXfGUsNYRodFV Zm1OALqFYGcpp1bhdO+UIfbJ+Aqivx2HMfEJ240K5tVgYez0Kc3xp9kZqYbQ49kJ7+FHhbc ip4WPxC7Z+j9m8ewbTryGfMWyAwAXm1lneFPgznPtwqzB9CdrOTdkqgXwUpeoYlaLTa2V6u aB1iTTZDK7H9uyN2tRBjK7Hy++DrqTMautQ0JQLggncouJEVBSUvGzOtu2DA==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 16831F8016D; Wed, 5 Apr 2023 17:56:48 -0400 (EDT)
Date: Wed, 05 Apr 2023 21:56:45 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <CAOZAAfPOA19CGgyL_O98U++rkZLdHmzscS+_WM1HYgXWi2Qp3A@mail.gmail.com>
References: <CAOZAAfPOA19CGgyL_O98U++rkZLdHmzscS+_WM1HYgXWi2Qp3A@mail.gmail.com>
Message-ID: <F787FEBE-BF89-4E17-B835-4D0419C79A93@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PL8JDAfyChnGYbgOw9_wmO3Zmu4>
Subject: Re: [dmarc-ietf] Proposed text to close out Ticket 96
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2023 21:57:18 -0000
My understanding is that the IETF doesn't do implementation specifications. I'm not sure what problem that's related to interoperability this is meant to address. I think the ticket should be closed without action If you really think we need this, I think the Enforcement definition needs something about the domains (and subdomain) at issue either aren't affected by the interoperability issues discussed in 5.5.6 or has accepted the associated interoperability risk. It needs to be Barry's version of 5.5.6 that's the starting point for the new definitions (if we are going to have them at all, which I think we shouldn't). Scott K On April 5, 2023 9:34:51 PM UTC, Seth Blank <seth=40valimail.com@dmarc.ietf.org> wrote: >https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/96 > >I tried to write up an INFORMATIONAL paragraph, for ticket #96, and it kept >on coming out strangely and did not feel appropriate in the document as a >section unto itself. > >However, I think we can meet the intent of this ticket by condensing it >into two definitions for section 3.2, an added sentence to 5.5.4 and a new >paragraph in 5.5.6 (that stands regardless of the output of the other >thread in process on 5.5.6), as follows: > >3.2. > >Monitoring Mode: At p=none with a valid reporting address, the domain owner >receives reports that showcase authorized and unauthorized mail streams, as >well as gaps pertaining to authentication information pertaining to both >streams. > >Enforcement: When the Organizational Domain and all subdomains below it are >covered by a policy that is not none. This means that the domain and its >subdomains can only be used to send mail that is properly authenticated, >and mail using the domain name that is unauthenticated will not reach the >inbox of a mail receiver that validates DMARC. > >5.5.4 OLD > >Once SPF, DKIM, and the aggregate reports mailbox are all in place, it's >time to publish a DMARC record. For best results, Domain Owners usually >start with "p=none", (see Section 5.5.5) with the rua tag containing a URI >that references the mailbox created in the previous step. If the >Organizational Domain is different from the Author Domain, a record also >needs to be published for the Organizational Domain. > >5.5.4 NEW > >Once SPF, DKIM, and the aggregate reports mailbox are all in place, it's >time to publish a DMARC record. For best results, Domain Owners usually >start with "p=none", (see Section 5.5.5) with the rua tag containing a URI >that references the mailbox created in the previous step. This is commonly >referred to as putting the Author Domain into Monitoring Mode. If the >Organizational Domain is different from the Author Domain, a record also >needs to be published for the Organizational Domain. > >5.5.6 OLD > >Once the Domain Owner is satisfied that it is properly authenticating all >of its mail, then it is time to decide if it is appropriate to change the >p= value in its DMARC record to p=quarantine or p=reject. Depending on its >cadence for sending mail, it may take many months of consuming DMARC >aggregate reports before a Domain Owner reaches the point where it is sure >that it is properly authenticating all of its mail, and the decision on >which p= value to use will depend on its needs. > >5.5.6 NEW > >Once the Domain Owner is satisfied that it is properly authenticating all >of its mail, then it is time to decide if it is appropriate to change the >p= value in its DMARC record to p=quarantine or p=reject. Depending on its >cadence for sending mail, it may take many months of consuming DMARC >aggregate reports before a Domain Owner reaches the point where it is sure >that it is properly authenticating all of its mail, and the decision on >which p= value to use will depend on its needs. > >Some Domain Owners may wish to ensure a policy exists for the >Organizational Domain and all its subdomains, which is known as the >Organizational Domain being at Enforcement. This prevents the entire >Organizational domain's hierarchy from exact-domain spoofing. This is >difficult for many Domain Owners to achieve, as they must repeat the above >process to ensure mail is properly authenticated for each subdomain. Being >at Enforcement means an Organizational Domain has no recourse if Mediators >modify authentication information as outlined in section 8.5. >
- [dmarc-ietf] Proposed text to close out Ticket 96 Seth Blank
- Re: [dmarc-ietf] Proposed text to close out Ticke… Scott Kitterman
- Re: [dmarc-ietf] Proposed text to close out Ticke… Seth Blank
- Re: [dmarc-ietf] Proposed text to close out Ticke… Scott Kitterman
- Re: [dmarc-ietf] Proposed text to close out Ticke… Jesse Thompson
- Re: [dmarc-ietf] Proposed text to close out Ticke… John Levine