IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Hector Santos <hsantos@isdg.net> Sun, 09 April 2023 18:31 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5EFCC1782D8 for <dmarc@ietfa.amsl.com>; Sun, 9 Apr 2023 11:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="fGUL21iY"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="2a+dax2j"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O-jLDZPW1BMQ for <dmarc@ietfa.amsl.com>; Sun, 9 Apr 2023 11:31:39 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87202C1782D0 for <dmarc@ietf.org>; Sun, 9 Apr 2023 11:31:39 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5131; t=1681065093; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Message-Id:Subject: Date:To:Organization:List-ID; bh=O5YZfBopxfaRzASMuhLDlUfp3FenR+q LORJuq6pvTeA=; b=fGUL21iYT77M8FLq2ZnRvkVRFOw0ysnuY3tbPaQ+2HSzGRd IVc6si9+bBNgfpxyHcgwUcthK8UfIHbiWKyPWT4PirhzzF6rSJCIlTYD+WHgrhlR PyxNscYZKtXqfcjvHkNSRHFMxLAf/NHO7oxAUCv0ggJS31TAiFJE7aw312dQ=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Sun, 09 Apr 2023 14:31:33 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 1457896770.1.7136; Sun, 09 Apr 2023 14:31:32 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5131; t=1681065088; h=Received:Received:From: Message-Id:Subject:Date:To:Organization:List-ID; bh=O5YZfBopxfaR zASMuhLDlUfp3FenR+qLORJuq6pvTeA=; b=2a+dax2jnWDI3swufDwisD2YuWsQ tC5Lae0iR+8a29yemdBBP4c4/mXNYYDlcoXmVL32za7k2mBFVIGKVgFgvqgpZJuU ycYy5+80O27SgQS0Amx3dwuTeYGQ/Gjv+i/qf9qLayz9HZbj4pX8bvcybom46oDt wPhNAE+0Ov438Fs=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Sun, 09 Apr 2023 14:31:28 -0400
Received: from smtpclient.apple ([99.122.210.89]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 1903930238.1.12060; Sun, 09 Apr 2023 14:31:27 -0400
From: Hector Santos <hsantos@isdg.net>
Message-Id: <3E00DDA6-1A7D-45BF-9320-8D28AC931CDD@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_437BB08D-2A3A-48EF-9A9E-F8C0556D8ECA"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Sun, 09 Apr 2023 14:31:16 -0400
In-Reply-To: <CAL0qLwbPzS-XfncBjrtunP8OQ=Z-yRLfnWZKQ0v1acvuWTvnZQ@mail.gmail.com>
Cc: Jesse Thompson <zjt@fastmail.com>, IETF DMARC WG <dmarc@ietf.org>
To: "Murray S. Kucherawy" <superuser@gmail.com>
References: <20230409005207.DCA8BBD1CC17@ary.qy> <4a0dba74-3e25-b9cb-dd64-20bf04ae76ba@tekmarc.com> <7b599a98-922a-44db-af91-2f8aa0f74181@app.fastmail.com> <CAL0qLwbPzS-XfncBjrtunP8OQ=Z-yRLfnWZKQ0v1acvuWTvnZQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PjrFoDBv224Avr6MYhSmXtvQV7Y>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Apr 2023 18:31:44 -0000


> On Apr 9, 2023, at 2:15 PM, Murray S. Kucherawy <superuser@gmail.com> wrote:
> 
> On Sun, Apr 9, 2023 at 6:33 AM Jesse Thompson <zjt@fastmail.com <mailto:zjt@fastmail.com>> wrote:
>> As Todd previously stated, my preference is for language that acknowledges the primacy of the domain owner over interoperability. CISOs have been sold (arguably, by the DMARC deployment companies' marketing) on the idea that there are security benefits. Maybe oversold, but there are benefits and the motivation will not change. Let's not also overlook the primary benefit of _the process of deploying DMARC_ gives to an organization: increased management and governance (enabled by the observability from the reports). In any case, the domain owner is motivated to deploy DMARC and gain the perceived benefits. If we are going to tell these motivated domain owners to MUST do something, at least make it something they might consider doing.
> 
> I don't think the way DMARC has been marketed is germane to discussions about interoperability, which is what "MUST NOT" type language seeks to resolve.

So is that the difference with ADSP and DMARCbis?  Lacking ADSP language to forcibly say ESP-like domains MUST NOT use `DISCARDABLE` policy? DMARCbis will survive this ADSP dilemma by saying MUST NOT p=reject?  👍

Basically what we are authorizing now is permission for MDA, MLS and MTA, middle-ware, to do whatever they need to do that make sure mail is transportable and deliverable, including removing, masking the security wrapper.

Since we will never get this right with this WG and rewrite is the only solution, I now agree to use a MUST NOT. 

So I think it should be outlined what will expected to happen if a domain uses p=reject when they should not:

- risk interop issues,
- messages alterations to remove the DMARC security blanket.

—
HLS

v2.23.0 | Report a Bug | By Email