Re: [dmarc-ietf] Evaluator reference model
Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 19 January 2022 13:26 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4B1D3A1D71 for <dmarc@ietfa.amsl.com>; Wed, 19 Jan 2022 05:26:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aj17c0n6OQRO for <dmarc@ietfa.amsl.com>; Wed, 19 Jan 2022 05:25:57 -0800 (PST)
Received: from mail-oi1-x22a.google.com (mail-oi1-x22a.google.com [IPv6:2607:f8b0:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 472193A1D73 for <dmarc@ietf.org>; Wed, 19 Jan 2022 05:25:57 -0800 (PST)
Received: by mail-oi1-x22a.google.com with SMTP id bx18so4066588oib.7 for <dmarc@ietf.org>; Wed, 19 Jan 2022 05:25:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=9ldteM4wMauJu4mHWBzu80k6gKIebCz/vLdciKeey6o=; b=Lg9cE9YW0FYWpvFxnvkX2OmJRzPHo972jZlX0uKCYZEDippXW2GmgCD9z9dkTCMIpt J/yySPU/XqdjtTN50489K64gkdP/GHxFH2SZVNitTWrNCmehcplLKy5ddzi6WFBxZ1wQ atkpirMj9yalBTCl0IJOGMPMiYG5h9nYUu5tUfMwAVo39D6WPbwY7S5ByTeg9ZP6jpy0 2ZIGmfh9WQwlBvXqCjBXuXdbEnJ5pYnJGcdH6TEdbtOn81ShmATFt2q4Y5zDjfCSv/Fw k/HxjOxC8tJY2ADj3Jmwm5mdpowwVEp/qyMQWlvlNM+4u0iB0qoLTyVi7CbzPs8Zu6CT 2Ypw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=9ldteM4wMauJu4mHWBzu80k6gKIebCz/vLdciKeey6o=; b=S7VqTojXgaVpUb21uh8k5cheNZZ2/Wf6PEe5OaopwU5VPDN8aEP3EYP5fSTX1EEZlq ikxIFRUmbAyIklPOh0XZxj93OoRmwZQ6YC4WDd5mpxY0h7Z3AHR2Mre2BMaNmj7+If3P EcYgy4N8Jss4lo6toXqexwRP3Zp/iyagrX0sxrzjILeu8WY+jHrQzSjO1T1ZIG4rVLlo 2z68PFLqXLyu74c7Y1oE0aqWRhBacJ0wdXkn7F6kjepSqiwhA8YlWHWoCN3ERyjZVIdk ZabZqjphAFxwbMuaFtt9xKCxM8xQSey0BFvtftvS5kDGpVvE3q56d/GWW8uvxZnPZTxe 6G9A==
X-Gm-Message-State: AOAM5332KPGVb9P47poX+S5S9wjFe6cYt7MD+7T+4YuZz27m+BSx1OWa n2X44jsZ7gQVEcivj7YlMOr5XkrLfYsgskas4nGbDU9Xa70=
X-Google-Smtp-Source: ABdhPJyIVeMZrRVcqPT+1lIY7mZFlC86Z2HL2+FbuIJb/U7za+RiydzVTRpJXt6cgOrLUTKMBAwfNihAp/eVH6QZ+A0=
X-Received: by 2002:a05:6808:1ca:: with SMTP id x10mr3058718oic.20.1642598755660; Wed, 19 Jan 2022 05:25:55 -0800 (PST)
MIME-Version: 1.0
References: <CAH48Zfxga57bZXLNBPYC4LUrcYDJ5cr7cGzmMjC=W_5CXBn3EQ@mail.gmail.com> <CAHej_8nX6_6tSnTh-pkSuc-9D5C8H-aKYwKQd4f9dbrc-a4U9g@mail.gmail.com> <CAH48ZfywZDizR86=KVgSHyzhYEiDRJ7Mj7og7r8PdToGGWV++g@mail.gmail.com> <CAHej_8kTckSCsJ8mc4592pW_uMg08zg0+0L6HjD9eiV=69X6cw@mail.gmail.com> <CAH48ZfzizSbfvVVBNvnRB-KyHihvYezLKJiX5tfjkzCLWTWZEQ@mail.gmail.com> <CAHej_8nVN-7j5=E8KVAZbb-0OmCZaoOL7AQ9S5OYn+1gw6TJ3A@mail.gmail.com> <CAH48ZfywLhnhDx7VCPaicexNrCt1yyofEZQ79iJ=K-DGQY5REw@mail.gmail.com> <CAJ4XoYe+Vc_s0YQRJd6ymA-w0n0VTviqy0KzEz4CPknUNXwRaQ@mail.gmail.com> <CAH48ZfzQidbrpm83CeZaxQ1tcNvyaf+WREdnPrfXG=j1c0_pdQ@mail.gmail.com> <CAHej_8kiHvtUH-YMmQ7JxOwzcW7oebjJ08AkR3Vd9E5VwhYz6g@mail.gmail.com> <CAH48Zfw9yxpPsYECJwg5mNNi+iuexJFQ41YEdZsX261wT381Yw@mail.gmail.com> <CALaySJK5bbmWXHaXvGk-8oGp00kFp7wGxPeG_BFUkFaX2eHMAA@mail.gmail.com> <CAH48ZfxNK_tx+wBSeP89aOVF_Wog=FHx6W4hsAH-kkFScT0Cuw@mail.gmail.com> <CALaySJL3Ksh2E2pxEpeVLUp+L-qB7MF-w_NiMmdma-H_mpnP6w@mail.gmail.com>
In-Reply-To: <CALaySJL3Ksh2E2pxEpeVLUp+L-qB7MF-w_NiMmdma-H_mpnP6w@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 19 Jan 2022 08:25:43 -0500
Message-ID: <CAH48Zfz+qoK_aDz=DLUrqvMw1OrKKtsDfgFFWPLp9+UgU7Jq_A@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000056f78f05d5ef5380"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/R2VV6dYJDNv7dailSyo9FVPf3ck>
Subject: Re: [dmarc-ietf] Evaluator reference model
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jan 2022 13:26:02 -0000
I have been trying to understand why such a big disconnect is possible between my usage of DMARC data and the standard one. I have concluded that it occurs because we are dealing with two protocols, not one, and the standard view conflates them unnecessarily. The first protocol is the algorithm for detecting DMARC PASS, and the second protocol is the algorithm for handling DMARC FAIL. DMARC PASS is trusted to indicate that the message is from the domain owner because of the nature of DNS record ownership – the message is reliably tied to a DNS record, and the DNS record is reliably tied to the domain owner. There is no secondary authentication which is required to make DKIM PASS or SPF PASS authenticate the domain’s messages; the authentication is inherently triggered by publishing SPF or DKIM information. Therefore the DMARC PASS protocol is a datagram service, like SPF and ARC. All three use a one-way flow of information from the domain owner to the evaluator via DNS. The DMARC FAIL protocol is different. Once a message is determined to not pass the DMARC PASS protocol, the domain owner is queried to answer the question, “What is the probability your messages are always authenticated, and therefore that this FAIL represents an impersonation?” The possible responses are: No protocol, None, Test Quarantine, Test Reject, Quarantine, and Reject. As we move from No policy to Reject, we have an increase in the probability that all domain messages can be authenticated and therefore that all FAIL messages are impersonations. (Of course, even when impersonation is confirmed, the evaluator has to determine whether it is an acceptable impersonation. This is sufficiently common that it needs to be mentioned, but is outside the scope of our protocols.) The two protocols are largely independent. A domain owner could publish nothing for SPF and DKIM, then publish a P=REJECT policy, to indicate that it never sends mail from a particular subdomain name. It could also publish SPF and DKIM information to allow some messages to be authenticated, yet publish no DMARC policy to guide failure handling. Doug On Tue, Jan 18, 2022 at 5:33 PM Barry Leiba <barryleiba@computer.org> wrote: > First: I note that you did not answer my direct questions. Please > consider that when you see that people aren't understanding you. > > > I test every message for SPF, aligned SPF, and aligned verified DKIM. > With one exception mentioned below, > > I don't block on FAIL, but I do collect data. > ... > > I cannot imagine why I would give this up to only evaluate the domains > that have given me permission via a > > DMARC policy. > > And here's where we have the disconnect: > No one is suggesting that you should not do anything you find useful > with the data you collect: no one wants you to give anything up. All > we are saying is that when a domain owner does not publish a DMARC > policy, anything you choose to do is outside of the DMARC spec, > because DMARC is about the policies that domain owners publish. > > > I think documenting this approach would help a lot of other evaluators > and software developers. > > An informational document that suggests collecting data they way > you're doing it, and documents things you can do with that data... > would be a fine thing to write. You may, of course, do so, publish it > as an Internet draft, and see if there's agreement to publish it > through the IETF. Lacking that, you might get it published through > the Independent stream. > > In any case, I don't see that it has anything to do with the DMARC > protocol spec that we're working on now. > > Barry >
- [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model Todd Herr
- Re: [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model Dave Crocker
- Re: [dmarc-ietf] Evaluator reference model Todd Herr
- Re: [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model Todd Herr
- Re: [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model John Levine
- Re: [dmarc-ietf] Evaluator reference model Barry Leiba
- Re: [dmarc-ietf] Evaluator reference model Dave Crocker
- Re: [dmarc-ietf] Evaluator reference model Dave Crocker
- Re: [dmarc-ietf] Evaluator reference model Barry Leiba
- Re: [dmarc-ietf] Evaluator reference model Todd Herr
- Re: [dmarc-ietf] Evaluator reference model Dave Crocker
- Re: [dmarc-ietf] Evaluator reference model Dotzero
- Re: [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model Todd Herr
- Re: [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model Barry Leiba
- Re: [dmarc-ietf] What is a PSD for, was Evaluator… John Levine
- Re: [dmarc-ietf] What is a PSD for, was Evaluator… Scott Kitterman
- Re: [dmarc-ietf] What is a PSD for, was Evaluator… Todd Herr
- Re: [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model Barry Leiba
- Re: [dmarc-ietf] What is a PSD for, was Evaluator… Douglas Foster
- Re: [dmarc-ietf] What is a PSD for, was Evaluator… Scott Kitterman
- Re: [dmarc-ietf] Evaluator reference model Alessandro Vesely
- Re: [dmarc-ietf] Evaluator reference model Douglas Foster
- Re: [dmarc-ietf] Evaluator reference model Todd Herr
- Re: [dmarc-ietf] Evaluator reference model Barry Leiba
- Re: [dmarc-ietf] in praise of none, was Evaluator… John Levine
- Re: [dmarc-ietf] in praise of none, was Evaluator… Alessandro Vesely
- Re: [dmarc-ietf] in praise of none, was Evaluator… John Levine