[dmarc-ietf] Problem with multiple policies, different alignment

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 12 March 2024 11:15 UTC


I have been building a DMARC implementation, starting with a simple
function:
TreeWalk(domain) which returns:

   - Policy found or not found indicator
   - Policy Domain
   - Organizational Domain
   - Policy record

My thought was that the Tree Walk result was independent of the domain
identifier being checked, but this is not true.

Assume these DMARC policies:

   - example.com aspf:r adkim:r
   - sub1.example.com aspf:s adkim:s

When the message contains:

   - From: user@sub1.example.com
   - DKIM: d=example.com

Strict alignment on the From domain makes the organizational domain
unimportant, so the PSL lookup or Tree Walk are not necessary. The
organizational domain used for reporting purposes is sub1.example.com.
The DKIM signature is not aligned.

But when the message contains the reverse, the logic gets complicated:

   - From: user@example.com
   - DKIM: d=sub1.example.com

If we apply the same Tree Walk to this message, we have a problem. The
From domain Tree Walk returns "example.com" as the organizational domain,
and the Tree Walk of the DKIM domain returns "sub1.example.com" as the
organizational domain because of strict alignment. So the result appears
to be unaligned.

Consequently, the Tree Walk needs to be sensitive to the identifier being
checked. If the identifier is not the From address, the Tree Walk is
only interested in the existence of a policy and the PSL tags, and the
special case related to strict alignment needs to be bypassed.

I don't think this case was covered in previous discussions.

Doug Foster
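An added, constructed model of the two cases in the post (not the author's code and not the DMARCbis algorithm): `POLICIES` stands in for the DNS `_dmarc` records, the tree walk is simplified to "topmost policy-bearing ancestor" with no psd tags, and `identifier_aware` toggles whether the strict-alignment special case is bypassed for the DKIM `d=` domain.

```python
# Constructed stand-in for the two _dmarc DNS records in the post.
# A real implementation resolves these via DNS and follows the full
# DMARCbis tree walk (including psd tags); this is a simplified model.
POLICIES = {
    "example.com": {"aspf": "r", "adkim": "r"},
    "sub1.example.com": {"aspf": "s", "adkim": "s"},
}


def ancestors(domain):
    """Yield the domain itself and each parent, stopping before the TLD."""
    labels = domain.lower().split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def tree_walk(domain, for_from=True):
    """Return (policy_domain, org_domain, record), or (None, None, None).

    for_from=True applies the special case from the post: a strict policy
    on the From domain makes that domain its own organizational domain.
    For non-From identifiers (DKIM d=, SPF) the walk only cares that a
    policy exists and what the ancestry is, so the special case is skipped.
    """
    found = [d for d in ancestors(domain) if d in POLICIES]
    if not found:
        return None, None, None
    policy_domain, record = found[0], POLICIES[found[0]]
    org_domain = found[-1]  # topmost policy-bearing ancestor (simplified)
    if for_from and record["adkim"] == "s":
        org_domain = policy_domain
    return policy_domain, org_domain, record


def dkim_aligned(from_domain, dkim_domain, identifier_aware=True):
    """Check DKIM alignment under the From domain's adkim mode.

    identifier_aware=False reproduces the naive approach (same tree walk
    for every identifier), which falsely reports the post's second case
    as unaligned; identifier_aware=True bypasses the special case.
    """
    _, from_org, record = tree_walk(from_domain, for_from=True)
    if record is None:
        return False
    if record["adkim"] == "s":  # strict: exact match, org domain irrelevant
        return dkim_domain.lower() == from_domain.lower()
    _, dkim_org, _ = tree_walk(dkim_domain, for_from=not identifier_aware)
    return from_org == dkim_org
```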