IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

Scott Kitterman <sklist@kitterman.com> Sat, 16 March 2024 19:02 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECC00C14F6F0 for <dmarc@ietfa.amsl.com>; Sat, 16 Mar 2024 12:02:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="XdVthN24"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="jnDa3Hp0"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MjZ2gXeyXMbB for <dmarc@ietfa.amsl.com>; Sat, 16 Mar 2024 12:02:46 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAB35C14CEED for <dmarc@ietf.org>; Sat, 16 Mar 2024 12:01:51 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 232B2F8022F for <dmarc@ietf.org>; Sat, 16 Mar 2024 15:01:42 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1710615686; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=0PL5uxMfrOW+tayOlvRANd2sm0jqFN2hSHc0dATADAc=; b=XdVthN248U/UlRWXdEQ7fTVbNX3p4CoUiLmQALyJYoeB3CjTSOIHkpLPMN/dRsPb4EV3Q 2xhbkFqN9m+SMjNAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1710615686; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=0PL5uxMfrOW+tayOlvRANd2sm0jqFN2hSHc0dATADAc=; b=jnDa3Hp0fSADvtbSORpI5/at+qH4irf13bSoGnezgM9f5XRDEi09cFhSdpfVHq5gQ8Y3k 0zLaFAUIePpmMjUh0dGH64VszsdQAzXnTzPYzrYfxsxGbQ1yr15onW6iNVajTbkxslgQuFY o6cTD1wIfLsbj00TLdwzvv+/LOHta+MNleN9O10Uc4w0xtJ6z8Gq9EJZH5CBo1xW1aal1Et KO/TIcTfAYgmVZdwA+3/aRUt7qJ6oU4Tv1Wv+3CrO9zvPnVwscvjvfvy5V8TFLI3V5to6Sn ZpAc1YWaPGM6XA+MgqFG1cT+hIu83vMpIlNxa5/2W93fHkPZumFyKPuUp8XQ==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 64B76F80211 for <dmarc@ietf.org>; Sat, 16 Mar 2024 15:01:26 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Sat, 16 Mar 2024 15:01:22 -0400
Message-ID: <2068150.yCtiIVWOOC@zini-1880>
In-Reply-To: <2956306.Z6hNudi34S@zini-1880>
References: <CAHej_8nrQG3XN5k=p0x5KzV3ZLAzzGQaXNpG9cFvPS338uS0dw@mail.gmail.com> <2956306.Z6hNudi34S@zini-1880>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ShD7WKFcKMa3tMr13QG1k1Xzsa8>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Mar 2024 19:02:51 -0000

On Thursday, March 14, 2024 12:24:50 PM EDT Scott Kitterman wrote:
> On Thursday, March 14, 2024 11:44:22 AM EDT Todd Herr wrote:
> > Colleagues,
> > 
> > Issue 135 is open for the subject topic. Please add your thoughts to this
> > thread and/or to the issue in Github.
> > 
> > Thank you.
> 
> I'd suggest we discuss where to say it first.  I think the right place is
> security considerations, which starts:
> 
> 11.  Security Considerations
> 
>    This section discusses security issues and possible remediations
>    (where available) for DMARC.
> 
> I think there are two, related questions here:
> 
> One is the risk associated with which I'll call a false pass from one of the
> underlying authentication mechanisms.
> 
> The other is the risk associated with using DMARC results for positive
> associations (as BIMI does).  Even absent third party considerations, all it
> takes is one compromised user account and forged messages can get a DMARC
> pass.  DMARC was designed to identify "bad" mail, not certify any kind of
> goodness.
> 
> I think both of these should be addressed as part of this issue in Security
> Considerations.

It seems to me that, to the extent we are going to address this issue, there 
is agreement that Security Considerations is appropriate.  Here's proposed 
text:

11.X  External Mail Sender Cross-Domain Forgery

Both of the email authentication methods which underlie DMARC fundamentally 
provide some degree of assurance that an email was transmitted by an MTA which 
is authorized to do so.  SPF policies just map domain names to sets of 
authorized MTAs [ref to RFC 7208, section 11.4].  Verified DKIM signatures 
indicate that an email was transmitted by an MTA with access to a private key 
that matches the published DKIM key record.

When Domain Owners authorize mail to be sent by sources outside their 
Administrative Management Domain there is a risk that an overly permissive 
source may send mail which will, as a result, receive a DMARC pass result that 
was not, in fact, authorized by the Domain Owner.  These false positives may 
lead to issues with systems that make use of DMARC pass results to indicate a 
message is in some way authentic.  They also allow such unauthorized senders 
to evade the Domain Owner's requested message handling for authentication 
failures.

The only method to avoid this risk is to ensure that no overly permissive 
sources can successfully DKIM sign the domain's mail or transmit mail which 
will evaluate as SPF pass.  If there are non-DMARC reasons for a domain owner 
to include a permissive source in a domain's SPF record, the source can be 
excluded from DMARC consideration by using the '?' qualifier on the SPF record 
mechanism associated with that source.

Scott K

v2.23.0 | Report a Bug | By Email