Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Laura Atkins <laura@wordtothewise.com> Mon, 17 August 2020 10:24 UTC

Return-Path: <laura@wordtothewise.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95F863A09F8 for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 03:24:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wordtothewise.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sKpCWdQTGuTo for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 03:24:51 -0700 (PDT)
Received: from mail.wordtothewise.com (mail.wordtothewise.com [104.225.223.158]) by ietfa.amsl.com (Postfix) with ESMTP id 97B263A09EA for <dmarc@ietf.org>; Mon, 17 Aug 2020 03:24:51 -0700 (PDT)
Received: from [192.168.0.227] (unknown [37.228.245.144]) by mail.wordtothewise.com (Postfix) with ESMTPSA id 591E39F1F7 for <dmarc@ietf.org>; Mon, 17 Aug 2020 03:24:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=wordtothewise.com; s=aardvark; t=1597659890; bh=UJHoBnKtzF0Gjv0Km3Zkbw6fQMF80V+p32mStNukkyI=; h=From:Subject:Date:References:To:In-Reply-To:From; b=pNsIMklp+IzHsZHZzXqm0Xg5Me+nGpRYLqnNMMObH6v4nI1rRvZ5OVaZsFbJVjlmt BvfXdIU6WiRK3xbSC4jkM81ENpEiMuc2d0EqKfqUCjPAgnJsaz4tV62NhvbNgRE/gy vcu3wUYi5aa15M810AAGXWEYBlrJlG3x2Et/OYdQ=
From: Laura Atkins <laura@wordtothewise.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_465B689B-12B9-409D-A4B1-D7DC59241B33"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 17 Aug 2020 11:24:48 +0100
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <c1844590-4b12-9763-21c5-6ac5b730321b@tana.it> <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net> <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it> <c972e0af-b589-1780-47b3-8cb2a2024ec2@dcrocker.net> <13a0ed72-2c5a-8ba6-84ab-b857e29403f1@tana.it> <1703e878-e20a-8ae2-09e8-25470c0cf5f8@dcrocker.net> <e89a5551-f8cc-2d8e-4bfb-65fef943e9fe@tana.it>
To: IETF DMARC WG <dmarc@ietf.org>
In-Reply-To: <e89a5551-f8cc-2d8e-4bfb-65fef943e9fe@tana.it>
Message-Id: <3AFAA767-9CC1-4722-80FB-5C4F9BE1FC05@wordtothewise.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/QVFfEVYab6onZ22Yhou14Thd8Ik>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2020 10:24:54 -0000


> On 17 Aug 2020, at 10:57, Alessandro Vesely <vesely@tana.it> wrote:
> 
> On Sun 16/Aug/2020 20:16:17 +0200 Dave Crocker wrote:
>>>>>> If I put my gmail address into the from field, there is no pretending, no matter what platform I am using.
>>>>> 
>>>>> 
>>>>> That conflicts with the coarse-grained authentication strategy, established at the FTC Email Authentication Summit in November
>>>>> 2004, as Doug^W Michael recalled >>>
>>>> 1. I was making a semantic point, not a technical or technical policy one.
>>> 
>>> They have to match at some point.
>> it would be nice, wouldn't it?
>> but that's separate from the factual statement I made.
> 
> 
> Separate but related.
> 
> 
>>>> 2. There was nothing 'established' at that event.  There were interesting discussions, but that's all.
>>> 
>>> 
>>> I wasn't there.  Can't it be considered the historic event that marked domain-level authentication as the promising strategy to counter email abuse?
>> Reference to that event as if it 'established' anything is misguided, at best.  The meetings were helpful, but not definitive.  And the efforts at domain level authentication were wholly independent of these events.
> 
> 
> Would it be still correct to mention that summit as a conspicuous event that testifies the emergence of domain-level authentication around the early 2000s?

As someone who participated in the forum, that is not how I’d characterize it at all. You can read 

>> As already noted on this list, the events served as a plea from the government and, therefore, a signal that the government was concerned.
> 
> A noteworthy historical detail.

Maybe? This was part of the drafting of CAN SPAM. If you look at what CAN SPAM was concerned with, authentication didn’t show up. 

> 
>>>>> Your gmail address needs to be authenticated by gmail. 
>>>> 
>>>> Good grief, no.  There is no system rule to that effect.  DMARC created that, but no policy before it was in place, never mind accepted.
>>> 
>>> 
>>> DMARC took that strategy to the extremes.  A number of users and operators seem to have accepted it.  Why cannot we accept it too?
>> That DMARC does something and that some people use it is quite different from claiming that there was some grand change in the semantics and operational policy of email.  Why can't THAT be accepted?
> 
> 
> There's been a combination of events, from IETF's reluctant laissez-faire to Yahoo/AOL adoption, which brought up the illusion that email authentication can provide a global means to counter spoofing.  To believe that such illusion will come true makes for a strong motivation.
> 
> Couldn't we meet somewhere halfway?  I can see that you, John, Herr Hammer, and other relevant participants don't accept that domain-level authentication is semantically mandatory.  What d'you reckon about the possibility that such grand semantic change can be made official within the next 10~20 years?  I think that by just spelling the technical means /as if/ such change is going to happen, we can design a consistent authentication protocol.

What issue will only domain-level authentication solve? 

The DMARC proponents have asserted that DMARC prevents domain specific spoofing and phishing. The amount of harm DMARC authentication has caused, however, seems disproportionate to this small benefit. Phishing is still happening using cousin domains (and even random domains). Departments inside companies avoid DMARC mandates by buying cousin and “campaign specific” domains, which trains users to be phishing targets for those domains. Companies have tried to cut down on this by saying DMARC must be done for all those domains as well. Unfortunately, those “from above” decrees have often created more problems than they solved. 

Mailing lists have coped by rewriting from addresses, but that has caused a lot of issues. Two of the big ones are members can no longer search for “mail from this list member” and cannot easily create filters acting on mail from other participants. 

laura 

>>>>> Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and whitelisted as yet another domain (songbird.com) can hardly be verified.  There is no "pretending", since it's you, but it is not formally distinguishable from spoof, is it?
>>>> 
>>>> Whether valid and invalid uses can be distinguished does not alter the fact that valid uses are valid.
>>> 
>>> The problem is to find the technical means that allow receivers and recipients to verify such validity.
>> Of course.  But when it's at the expense of valid use that has worked for 45 years, then those means are problematic.  Highly.
> 
> It seems to me most expenses have been paid already, for example this mailing list is applying From: rewriting.  We don't need to propose further restrictions.  To the opposite, there are means on the table[*] that can enable us to sketch a time horizon where From: rewriting can cease.
> 
> 16 years have passed since the FTC event, which is 1/3 of those 45. What I see looks much like a very mild shift.  Lazy operators have plenty of time before the semantic change is established, at some point in the medium-term future, if ever.

> 
> Best
> Ale
> -- 
> 
> [*] For MLMs to resume traditional address usage, the most promising I-D is dkim-transform, IMHO.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

-- 
Having an Email Crisis?  We can help! 800 823-9674 

Laura Atkins
Word to the Wise
laura@wordtothewise.com
(650) 437-0741		

Email Delivery Blog: https://wordtothewise.com/blog
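What DMARC identifier alignment actually checks, as an added worked example that is not part of this thread or of any participant's code: the quoted scenario (From: at bbiw.net, SPF passing for dcrocker.net, no DKIM) fails DMARC because neither authenticated identifier aligns with RFC5322.From, and a mailing list that rewrites From: to its own domain and DKIM-signs as itself passes, at the cost of the author's address no longer being in From:. The two messages are constructed, the domain names are used only as hypothetical identifiers, and the organizational-domain step uses a tiny hard-coded stand-in for the Public Suffix List (assumption; real code consults the PSL).

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: a tiny stand-in for the Public Suffix List, just enough for the
# example domains. A real implementation consults the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "it"}


def org_domain(domain):
    """Organizational domain (RFC 7489 section 3.2, simplified): the public
    suffix plus the one label to its left."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(from_domain, auth_domain, mode="r"):
    """Identifier alignment (RFC 7489 section 3.1): 's' (strict) needs an
    exact match, 'r' (relaxed) needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(from_domain, dkim_pass_domains, spf_pass_domain,
                 adkim="r", aspf="r"):
    """DMARC passes when at least one authenticated identifier (a passing DKIM
    d= domain, or the RFC5321.MailFrom domain that SPF passed for) aligns with
    the RFC5322.From domain. Returns (result, mechanism, domain)."""
    for d in dkim_pass_domains:
        if aligned(from_domain, d, adkim):
            return ("pass", "dkim", d)
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, aspf):
        return ("pass", "spf", spf_pass_domain)
    return ("fail", None, None)


def from_domain_of(raw_message):
    """Domain part of the RFC5322.From address of a raw message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg["From"])
    return addr.rpartition("@")[2]


# Constructed message 1 (not real traffic): author's own domain in From:,
# SPF passing for an unrelated domain, no DKIM signature at all.
DIRECT = """From: Dave <dave@bbiw.net>
To: dmarc@ietf.org
Subject: test

body
"""

# Constructed message 2: the same message after a list rewrote From: to
# itself and kept the author only in Reply-To:.
REWRITTEN = """From: Dave via dmarc <dmarc@ietf.org>
Reply-To: Dave <dave@bbiw.net>
To: dmarc@ietf.org
Subject: [dmarc-ietf] test

body
"""


def case_direct():
    """SPF passed for dcrocker.net, but From: is bbiw.net: no alignment."""
    return dmarc_result(from_domain_of(DIRECT), [], "dcrocker.net")


def case_rewritten():
    """List domain in From:, list DKIM signature (d=ietf.org): aligned."""
    return dmarc_result(from_domain_of(REWRITTEN), ["ietf.org"], "ietf.org")


def case_relaxed_vs_strict():
    """A signature from a subdomain of the author's own domain aligns under
    relaxed mode (adkim=r) but not under strict mode (adkim=s)."""
    relaxed = dmarc_result("bbiw.net", ["mail.bbiw.net"], None, adkim="r")[0]
    strict = dmarc_result("bbiw.net", ["mail.bbiw.net"], None, adkim="s")[0]
    return (relaxed, strict)


if __name__ == "__main__":
    print("direct:", case_direct())
    print("rewritten:", case_rewritten())
    print("relaxed/strict:", case_relaxed_vs_strict())
```

The rewritten case passes only because the list's own domain now occupies From:; the original author's address has moved to Reply-To:, which is the search and filter breakage for list members described in the message above.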