IETF Logo Mail Archive

Re: [dmarc-ietf] version bump to DMARC2

Barry Leiba <barryleiba@computer.org> Fri, 09 June 2023 23:41 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C0BC6C15E406 for <dmarc@ietfa.amsl.com>; Fri, 9 Jun 2023 16:41:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mVuinxrpS-B4 for <dmarc@ietfa.amsl.com>; Fri, 9 Jun 2023 16:40:56 -0700 (PDT)
Received: from mail-ed1-f52.google.com (mail-ed1-f52.google.com [209.85.208.52]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53E0FC15109B for <dmarc@ietf.org>; Fri, 9 Jun 2023 16:40:56 -0700 (PDT)
Received: by mail-ed1-f52.google.com with SMTP id 4fb4d7f45d1cf-5147f4bbfdaso3315806a12.0 for <dmarc@ietf.org>; Fri, 09 Jun 2023 16:40:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686354055; x=1688946055; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=/N0dwSjPWb/KnEuPFNoawM6pXLXbVR0rk5kkkQJxp80=; b=llZxOYPcP46UMB28iGsSyScmE/0PFqkxeZLMY+RUyY4V3vgx2nbMobhmZZGhQDqAAk uhaca/Cum71zEX3DZOiG9/CS+ouXZOpbDcukqfZok8s39Xnf8NuB6thHEt/I76pBpjnh 9xUgGF5HmPfclHdYwROrhGknnmmC9qlzJ0G7YNuEBjViSzqLw4XqORDWStRhF0Won7YF NOLNxGCJF56dJXOXhvC0n/9613bJ/fVogmY+7VC5qhI3qoLUmu5HS06/UmgIrOJ7keVt vKgZD2jcGor6l5VRINLqq5mamBT8+eRHXO3/dcKaa+/QQaKVFmMQ3/50141vqiyqRrLO OklQ==
X-Gm-Message-State: AC+VfDwpKYFj4ad5zuGN+j4MCVV7tD4f4ckOB4q+uFzsC6cxoSPm4iSB pxbinq+5UkW5KsdlKSJnrjtX2o9ly4OifW9JrruH7idd0Mg=
X-Google-Smtp-Source: ACHHUZ6vP4eTNrSbpzbFdS6dCLnXIghhCVLGm9ngdkXJlytHCA07pYPeGxQB42pofoWgQLIuoimSXsjA+CX3NukvQW4=
X-Received: by 2002:a17:907:7f07:b0:96f:6c70:c012 with SMTP id qf7-20020a1709077f0700b0096f6c70c012mr2671431ejc.45.1686354054264; Fri, 09 Jun 2023 16:40:54 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <20230608162112.5903CE7035F3@ary.local> <CABZJ8kkSAf3V0ccNAQn0ntPH+nOyTB6Jqj=fU+Pt4Ga5RByMDA@mail.gmail.com>
In-Reply-To: <CABZJ8kkSAf3V0ccNAQn0ntPH+nOyTB6Jqj=fU+Pt4Ga5RByMDA@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Sat, 10 Jun 2023 00:40:42 +0100
Message-ID: <CALaySJLK_bqr6T4zqvoE4QjtapUpCWkWnA1Tx+vYzUjtPkFnfQ@mail.gmail.com>
To: Emil Gustafsson <emgu=40google.com@dmarc.ietf.org>
Cc: John Levine <johnl@taugh.com>, dmarc@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Pce3LTRxD29o4uh_Mc4ymaGo_AE>
Subject: Re: [dmarc-ietf] version bump to DMARC2
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2023 23:41:00 -0000

Keep in mind that we have looked at this extensively, and what we've
found is this:

1. Almost all [1] of the DMARC senders out there will see the same
results when recipients look them up using the tree walk as they have
using the PSL.  In other words, the change will be different an
*extremely* small set of DMARC domains.

2. In *all* -- by that I mean 100% -- of the cases that we've actually
*seen* where there's a difference, the difference is *better*: that
is, the difference is a better reflection of the intent of the sending
domain.

3. We can find theoretical cases where the tree walk will be *worse*:
that is, where the PSL is a better reflection of the intent than the
tree walk is.  But *all* of these are theoretical, and we have not
found *any* such cases that actually exist in the real world.  It is,
though, possible that they do exist.

Emil, given those three points, do you still think you need to be
concerned about the risk of making the change?

Barry

[1] In mathematics, we use "almost all" as an actual technical term
that applies to an infinite set and means "all but a finite number",
since removing a finite number of entries from an infinite set still
leaves an infinite set.  That's kind of what I mean here.  That is,
the vast, vast, VAST majority.

On Sat, Jun 10, 2023 at 12:26 AM Emil Gustafsson
<emgu=40google.com@dmarc.ietf.org> wrote:
>
> Not sure if I am that someone mentioned. In case I am - I'd like to clarify what I meant;
>
> Without a version change for the tree-walk, I think we (Google) would need to support both approaches (the old one plus the tree-walk) and based on what we see - make a best guess which version we should use.
> Having two explicit versions still means we have two implementations, but at least we don't have to guess which one to use whenever there would be ambiguity with a single version.
>
> I'm always concerned about what bad people do to gain an advantage. But in this case I'm more worried about somebody having an ambiguous DMARC setup where VLMPs end up guessing the wrong intention. The most likely outcome there would be rejected emails and an upset sender the VLMP need to deal with. But atleast they are not spoofed. I think explicit versioning helps mitigate that risk too (but it wont help companies making bad configurations - but that we always have to live with).
>
> /E
>
> On Thu, Jun 8, 2023 at 10:21 AM John Levine <johnl@taugh.com> wrote:
>>
>> It appears that Tobias Herkula  <tobias.herkula@1und1.de> said:
>> >However, such a fundamental shift in the protocol's architecture warrants a clear signifier. I suggest we upgrade
>> >our DMARC version string from the current state to 'DMARC2.' This upgrade would not only denote the change of SPF
>> >removal, but also the switch from the Public Suffix List (PSL) to the Tree-Walk algorithm.
>>
>> I was talking with someone from a Very Large Mail Provider who told me that
>> if we keep the same version number, they won't change what they do now, so
>> no tree walk even if we keep SPF.
>>
>> They understand that as things stand now, the results of the PSL and
>> the tree walk are in practice the same. Their concern is that if some
>> people do it the old way and some the new, and you can't tell which
>> the domain expects, bad guys will create records with deliberately
>> inconsistent results.
>>
>> I'm not sure how likely that is, but arguing with a gorilla rarely
>> turns out well.  I will see if I can talk to people at other VLMPs
>> and see how widespread this concern is.
>>
>> R's,
>> John
>>
>> PS: If we do bump the version number, it needs to go into the
>> aggregate reports, too.
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email