IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)

Todd Herr <todd.herr@valimail.com> Thu, 14 March 2024 20:02 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36155C14F6A2 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 13:02:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IccZQ68ufaQG for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 13:02:50 -0700 (PDT)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EB8CC14F5F9 for <dmarc@ietf.org>; Thu, 14 Mar 2024 13:02:50 -0700 (PDT)
Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-dcd7c526cc0so1239380276.1 for <dmarc@ietf.org>; Thu, 14 Mar 2024 13:02:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1710446569; x=1711051369; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=dGbWH9+ASwryrTJ8VzigRqOTtewGO/BMUGvJ3PMhPW0=; b=etsrJElcv7bWpybOz/WosX9ahdm/y1Hiwdl543eLVzh1DhO/idA8kybTv2zrutXf3T omnveVvKa+ESNL2M23aXnUnrtNVu1TFDuVm+0GrjkvMeexbCaseFurEOBL9HMDjaC3Jy 0u+w9+q+4+yZI2xRYFBA18C1JO06cb+dvoKOEMdTalyesFJ+Pwh7ffPiFvwBzHfW6Wic EYn8h+CqMKcK8mC8iPHUDp0EeJhrvXbMhBACgUv8Mru3HPs0qwWU91Vjb6OfgjyCiAf/ VEj6bChwmTImaGMJ5wbmPuaeJJcfaZdyrwJSG1u32PKEYO5ocqqj1SZJ/x8+BSA2A9hx EfTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710446569; x=1711051369; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dGbWH9+ASwryrTJ8VzigRqOTtewGO/BMUGvJ3PMhPW0=; b=vJrkC+71XtuVx/1CKx3fSCuZDKRryGHkscxNQ+Ty08FJNInvauUngSiRESADse5xQh pM53sGCUiQfEfu3kaXRKgHfMPw3bQR/SmzbfekPpFyE0+1F0TNB3tg9yRpk6ydo8NOKe z13pBRtfGRJluDZGPJXyS0eVGviIDqvj0vm7cNonsL/Zy76Hq865miUCjqZruk2zC5wK Nj2WLZW4J7qUWTf6T1W1DzE5HLVK7ntvMBJn0+rLQzfacfyUdubNKy6uU29cT6GOqy9Y zXH9Vo0L6qmfTdBTKSYudWE3d60EPs+oKmVo33RnquXHmAAiht3crdgYpEKFtczdGo0a UkFQ==
X-Gm-Message-State: AOJu0YziYX+nI9m/NDecz8XkVpY9IbqL9cqsZV/VIZtJEcpbXHE3L0qd Wcbj9G8+ytgC6LgGDGOGydhFild5hCNpCatwUTtEtfrbNB4qR9dgSbgUog1daNmmoeH6/0Kpvuy TjPmK8JSCPYLJZoaE/zng6yCFwpPr1LF+HzKodFdUWNN1bkDSd44=
X-Google-Smtp-Source: AGHT+IHgaHHHIfOZFdQM2rxhOeTUtId//i6edFn2MXTyRVvKiPFS0Uj8IKROi/wsAKzScXt226W9LYFa8+J/DmDCqpU=
X-Received: by 2002:a25:b10f:0:b0:dc6:ff66:87a8 with SMTP id g15-20020a25b10f000000b00dc6ff6687a8mr2645677ybj.51.1710446568902; Thu, 14 Mar 2024 13:02:48 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com> <09C7D830-5966-4EE5-AA86-003696B5ECEE@isdg.net>
In-Reply-To: <09C7D830-5966-4EE5-AA86-003696B5ECEE@isdg.net>
From: Todd Herr <todd.herr@valimail.com>
Date: Thu, 14 Mar 2024 16:02:32 -0400
Message-ID: <CAHej_8=0QEmCazTuEDKASBBoVwfpsPLJMpN11y+fo8+XtPv1Bg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000025aeed0613a460ac"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PNyz6qFx1i6MrllEquq9tbXuNgY>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 20:02:54 -0000

On Thu, Mar 14, 2024 at 3:25 PM Hector Santos <hsantos=
40isdg.net@dmarc.ietf.org> wrote:

> On Mar 14, 2024, at 10:09 AM, Todd Herr <todd.herr=
> 40valimail.com@dmarc.ietf.org> wrote:
>
> To configure SPF for DMARC, the Domain Owner MUST choose a domain to use
> as the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail
> that aligns with the Author Domain, and then publish an SPF policy in DNS
> for that domain. The SPF record MUST be constructed at a minimum to ensure
> an SPF pass verdict for all known sources of mail for the RFC5321.MailFrom
> domain.
>
>
> A major consideration, Todd, is receivers will process SPF for SPF without
> DMARC (payload) considerations.  IOW, if SPF is a hardfail, we have SMTP
> processors who will not continue to transmit a payload (DATA).
>
> DMARCBis is making a major design presumption receivers will only use SPF
> as a data point for a final DMARC evaluation where a potentially high
> overhead payload was transmitted only to be rejected anyway,
>

I don't necessarily think your assertion is true here, or at least I'd
submit that DMARCbis and RFC 7489 aren't approaching this subject any
differently.

Section 10.1 from RFC 7489, titled "Issues Specific to SPF" had two
paragraphs, the second of which reads:

   Some receiver architectures might implement SPF in advance of any
   DMARC operations.  This means that a "-" prefix on a sender's SPF
   mechanism, such as "-all", could cause that rejection to go into
   effect early in handling, causing message rejection before any DMARC
   processing takes place.  Operators choosing to use "-all" should be
   aware of this.


DMARCbis contains the same two paragraphs with no change to the text, other
than the section is now numbered 8.1.


> In the ticket, I propose the following new text:
>
> ==================================================
> To configure DKIM for DMARC, the Domain Owner MUST choose a DKIM-Signing
> domain (i.e., the d= domain in the DKIM-Signature header) that aligns with
> the Author Domain.
> ==================================================
>
>
> In order to maximize security, the Domain Owner is REQUIRED to choose a
> …..
>
> Is REQUIRED the same as MUST?   I think SHOULD or MUST is fine as long as
> we specify the reason it is required,
>

I'm not understanding the comment you're making here, as I don't see the
word "REQUIRED" in anything I wrote.

If one wants to configure DKIM for DMARC, one MUST choose a DKIM signing
domain that aligns with the Author Domain, mustn't one? Saying SHOULD
choose an aligned DKIM domain means that the Domain Owner can choose not to
choose an aligned DKIM domain, and that won't be configuring DKIM for DMARC.

-- 

Todd Herr | Technical Director, Standards & Ecosystem
Email: todd.herr@valimail.com
Phone: 703-220-4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email