IETF Logo Mail Archive

[dmarc-ietf] DSAP "DKIM Sender Authorization Protocol" for DMARC

Hector Santos <hsantos@isdg.net> Sat, 08 April 2023 18:01 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68D83C14CF13 for <dmarc@ietfa.amsl.com>; Sat, 8 Apr 2023 11:01:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="fY31hatv"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="g+19kVtZ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XNmKoSchOdS3 for <dmarc@ietfa.amsl.com>; Sat, 8 Apr 2023 11:01:40 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0F39C14CF0D for <dmarc@ietf.org>; Sat, 8 Apr 2023 11:01:39 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=11873; t=1680976889; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Subject:Message-Id: Date:To:Organization:List-ID; bh=FKo2lV8wF6gzr5G1NlhqlEDILeHYTEp F6BtDROH1G6M=; b=fY31hatvN4r7Ml4hE1TdRj8Dr8rLIbet+TWxOAfnQC4RuJr xlqjr1A25csGuZsuQ1wTXbMT0+LZK+Zim51XEX/Fx0srTHuL/SjYkaNNN+CFIWEL gIBupvBcsYIIYUYVSGyjLHZ9ALfYAKFiqtYvUhQ/d6mX4aTk/PRvrMd4rGWM=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Sat, 08 Apr 2023 14:01:29 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 1369694691.1.2104; Sat, 08 Apr 2023 14:01:28 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=11873; t=1680976885; h=Received:Received: From:Subject:Message-Id:Date:To:Organization:List-ID; bh=FKo2lV8 wF6gzr5G1NlhqlEDILeHYTEpF6BtDROH1G6M=; b=g+19kVtZ/ZEpgp5r9mGCpcL BM3al4swvGX1t3mjCuhNzTXcAe4IC8T3pAs7dD21+ltqeu67H25yytLyu91Umod8 j2yP17dRtuPbkBg44xVbFL5Fk2C1OE5AdBBfueaKUrIJGrTJl0s6shdne3yRuDwa DeoH41uTZcyO/4KyBzMY=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Sat, 08 Apr 2023 14:01:25 -0400
Received: from smtpclient.apple ([99.122.210.89]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 1815728410.1.12416; Sat, 08 Apr 2023 14:01:24 -0400
From: Hector Santos <hsantos@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_0DADF506-9713-45E0-AB47-4207C8ADC4A0"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Message-Id: <835E8C7C-431F-43A4-96DC-C3ED37325DFF@isdg.net>
Date: Sat, 08 Apr 2023 14:01:13 -0400
To: IETF DMARC WG <dmarc@ietf.org>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/R0qV0TizSnbru1A17hWkP_CH50I>
Subject: [dmarc-ietf] DSAP "DKIM Sender Authorization Protocol" for DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Apr 2023 18:01:44 -0000

Summary:

I would like to reintroduce the DSAP (DKIM Sender Authorization Protocol) as a DMARC extended tag extension -dsap. The original DSAP draft covered nine 1st vs 3rd party signature policies from a verifier viewpoint, which addressed boundary conditions for DKIM signatures. The reintroduction aims to address concerns regarding 3rd party resigners.

Key changes proposed for DMARC integration:

o Introduce -dsap tag for DSAP support, covering a complete range of possible policies.

o Use -asl tag for inline list of authorized signer support.

o Implement -atps tag for ATPS support.

o Formalize the From rewrite logic with a -rewrite tag.

o Introduce -target tag to assist mail forwarders with authorized redirection of exclusive policies.

The proposal seeks to offer better integration with today's wide range of mail applications, building on the existing DMARC protocol and improving 3rd party authorization and reporting.


Background:

In 2006, I submitted an I-D DSAP “DKIM Sender Authorization Protocol” that covers the boundary conditions for 1st vs 3rd party signature expectations.  There are nine 1st vs 3rd party signature policies in DSAP from a verifier viewpoint:

Original 1st Party Signature (OPS)
	Not expected (-)
	Expected (+)
	Optional (~)

Third Party Signature (3PS)
	Not expected (-)
	Expected (+)
	Optional (~)

Using these expectations, DSAP can cover most if not all possible Boundary Conditions for DKIM signatures.

I would like to re-propose DSAP but this time as a DMARC extended tag extension `-dsap` as I believe it can address our concerns regarding 3rd party resigners.

Here is the 2006 DSAP proposal I plan on updating to support DMARC and ATPS:

https://datatracker.ietf.org/doc/html/draft-santos-dkim-dsap-00

History:

The DKIM Policy Model began with SSP “Sender Signature Practices/Policy.” This image illustrates the overall process:




Many today do not realize the original DKIM included Signature Policy protocol called SSP.   It was spit into DKIM-BASE and DKIM-SSP to help speed up the process. DKIM was well defined but SSP was not.  SSP covered various signing scenarios, however, there were 3 policies missing which DSAP covered:



The DMARC protocol offers an exclusive only policy with p=reject|quarantine. This would be a -dsa=OP+,3P- policy With DMARC p=none, no other policy possible in terms of expectation other than an unhandled failed exclusive policy.  So DMARC is very limited making it a very to integrate with today’s wide range of mail applications.

DMARC also introduced two more takes that I would like use replaced with DMARC and ATPS.

For Reporting, DSAP provides tags for failure reports. This is now well-defined with DMARC. [DSAP only considered failure reports].

For 3rd party authorization, DSAP provided the -asl tag. The asl tag was an inline small domain list tag.  But it can also signify a check using ATPS for higher scale applications.  

Everything would be the same with DMARC and DMARCbis.   The change would be:

-dsap tag for DSAP support for the complete range of possible policies.

-asl for inline list of authorize signer support

-atps for ATPS support

I would also like to formalize the From rewrite logic with a tag:

-rewrite 

Which tells a resigner it may rewrite the From under certain conditions.  

-target is a new tag to help mail forwarders.

DMARC has considerations for SPF results with a strong alignment requirement. One scenario where a -dsap=op+,3p- is with SPF hard failure during mail forwarding.   The -target will allow a forwarder to resign as a 3rd party without -asl or -atps requirements. 

—
Hector Santos, CEO/CTO
Santronics Software, Inc,

v2.23.0 | Report a Bug | By Email