Re: [dmarc-ietf] Ticket #1 - SPF alignment

Scott Kitterman <sklist@kitterman.com> Wed, 27 January 2021 14:00 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41B913A119B for <dmarc@ietfa.amsl.com>; Wed, 27 Jan 2021 06:00:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_FAIL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=cQCrHRpO; dkim=pass (2048-bit key) header.d=kitterman.com header.b=mz9eUBC1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nPqJBsYwXypo for <dmarc@ietfa.amsl.com>; Wed, 27 Jan 2021 06:00:31 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8B4F3A0C68 for <dmarc@ietf.org>; Wed, 27 Jan 2021 06:00:31 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 33CB0F80263 for <dmarc@ietf.org>; Wed, 27 Jan 2021 09:00:30 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1611756029; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=IAElUizHEY+UgkDdhb3sIRYQBupgFdgEap+AixAEyPc=; b=cQCrHRpOOUYi0kuVKSR9gAa/6VAxKggZZf4PRrf5/r0jmJis70izzj3MgTR1UO9Pt38VO Swf76uXEL4EEHD/AA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1611756029; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=IAElUizHEY+UgkDdhb3sIRYQBupgFdgEap+AixAEyPc=; b=mz9eUBC1Walk9CVoxo7I0xdgm8t/8vcV61t/jyHYgJ9/4yvv76jEULvG6Wv8DkLQs0RKG GD1vAosri8cyYTj0tEG50Tr34j+6pRkt3bl4mJqqEhSUJgIRQ0SyX6t9ZOnykYDBRB087Gt Nfuoxlpv6iCQdoGG4vVWZo038ndhjvE53AfwuBTIVjC5l4yu5uJ+R+64j2StV4tUsQ6NYye FXTgj2amblw3b7gCthrLzxYv+Sy7h2SNcoXJWCAQ8Tz8eWbLxArLKy9kRuh0B29X4+DX+uR x6pqmJ1oLmBLf+CXzFIy2jzcCQt+HPTDJQvviP0UMwAofRuvpcLx8LNc85PA==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 8E0AFF80052 for <dmarc@ietf.org>; Wed, 27 Jan 2021 09:00:29 -0500 (EST)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Wed, 27 Jan 2021 09:00:29 -0500
Message-ID: <3776619.NdRDDhGtae@zini-1880>
In-Reply-To: <c39916f8-33f5-9876-c018-53085f5cc8f5@tana.it>
References: <bef64e7a-571b-a73f-dc91-aa402ca320c8@taugh.com> <1655426.E2olI3CrJK@zini-1880> <c39916f8-33f5-9876-c018-53085f5cc8f5@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SncvE3d_Ai63GMqTu8s5xnHtXkE>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2021 14:00:33 -0000

On Wednesday, January 27, 2021 4:49:02 AM EST Alessandro Vesely wrote:
> On Tue 26/Jan/2021 23:36:19 +0100 Scott Kitterman wrote:
> > On Tuesday, January 26, 2021 11:47:51 AM EST Alessandro Vesely wrote:
> >> On Tue 26/Jan/2021 14:14:45 +0100 Scott Kitterman wrote:
> >>> On Tuesday, January 26, 2021 6:54:56 AM EST Alessandro Vesely wrote:
> >>>> I doubt that SPF filters report envelope-from=postmaster@HELO; more
> >>>> likely they write helo=HELO.  In that case, the paragraph quoted above
> >>>> is deceptive.
> >>>> 
> >>>>> I believe the proposed text is clear enough about not using
> >>>>> separate HELO identity results and that's appropriate.
> >>>> 
> >>>> My filter collects SPF results recorded from an upstream SPF filter.
> >>>> It writes Received-SPF: lines for each identity.  For NDNs, it writes
> >>>> a Received-SPF: for the HELO identity only.  Am I allowed to use that
> >>>> result for DMARC?
> >>> 
> >>> No.  You should only use Mail From results.
> >> 
> >> So NDNs having only an aligned HELO will never pass DMARC?
> >> 
> >> And what is a <scope>helo</scope> element in aggregate reports provided
> >> for?
> >>
> >> The spec says:
> >>     [SPF] can authenticate either the domain that appears in the
> >>     RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
> >>     HELO domain, or both.
> >> 
> >> And then:
> >>     In relaxed mode, the [SPF]-authenticated domain and RFC5322.From
> >>     domain must have the same Organizational Domain.  In strict mode,
> >>     only an exact DNS domain match is considered to produce Identifier
> >>     Alignment.
> >> 
> >> So, consider the following message without DKIM signatures:
> >> 
> >> HELO example.org
> >> MAIL FROM:<user@example.com>
> >> 
> >> Received-SPF: pass (domain example.org
> >>    designates 192.0.2.1 as permitted sender)
> >>    identity=helo; helo=example.org;
> >> 
> >> Received-SPF: fail (domain of user@example.com
> >>    denies 192.0.2.1 as permitted sender)
> >>    identity=mailfrom; envelope-from="user@example.com";
> >> 
> >> Subject: Not using a mail client for this example
> >> From: different-user@example.org
> >> 
> >> Does it pass DMARC?
> > 
> > No.
> 
> Let's not be silly, Scott.  We have example.org as the SPF-authenticated
> domain and it is aligned with From:.  Are you saying that the message would
> pass if it had an empty bounce address, but since it can bounce it does not
> pass?!?

All I'm saying is that DMARC only uses mail from results and that's 
appropriate.  I don't think the case of HELO name being aligned, but mail from 
domain is not is one to worry about.

Scott K
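The following is an added example, not part of the thread or of any of the participants' filters. It implements the DMARC SPF leg as described in Scott's reply: parse the Received-SPF lines from the example message, keep only the identity=mailfrom result, and test alignment in relaxed (aspf=r) or strict (aspf=s) mode. The Received-SPF lines are the thread's own two lines rejoined onto single lines; the NULL_BOUNCE_HEADERS line is a constructed sample for an empty reverse-path, where a hypothetical verifier records the postmaster@HELO substitution of RFC 7208 section 2.4 under identity=mailfrom (the thread itself notes that real filters may instead record helo=HELO). The PUBLIC_SUFFIXES set is a stand-in for the Public Suffix List and is an assumption of this example only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two Received-SPF lines from the message above,
# rejoined onto one line each (the thread shows them wrapped).
SAMPLE_HEADERS = [
    'Received-SPF: pass (domain example.org designates 192.0.2.1 as permitted sender) '
    'identity=helo; helo=example.org;',
    'Received-SPF: fail (domain of user@example.com denies 192.0.2.1 as permitted sender) '
    'identity=mailfrom; envelope-from="user@example.com";',
]

# Constructed sample for a bounce (empty reverse-path): per RFC 7208 section 2.4 the
# SPF verifier evaluates postmaster@<HELO domain> as the MAIL FROM identity, and this
# hypothetical verifier records that substitution under identity=mailfrom.
NULL_BOUNCE_HEADERS = [
    'Received-SPF: pass (domain of postmaster@example.org designates 192.0.2.1 as '
    'permitted sender) identity=mailfrom; envelope-from="postmaster@example.org"; '
    'helo=example.org;',
]

# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
# Production code must consult the real PSL to derive Organizational Domains.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


@dataclass
class SpfResult:
    result: str    # pass, fail, softfail, neutral, none, temperror, permerror
    identity: str  # "mailfrom" or "helo"
    domain: str    # domain the result applies to


_HEADER = re.compile(
    r"^Received-SPF:\s*(?P<result>\w+)\s*(?:\([^)]*\))?\s*(?P<rest>.*)$", re.I
)
_KEYVAL = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|[^;\s]+)')


def parse_received_spf(line: str) -> Optional[SpfResult]:
    """Parse one Received-SPF header (RFC 7208 section 9.1 key=value form)."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    kv = {k.lower(): v.strip('"') for k, v in _KEYVAL.findall(m.group("rest"))}
    identity = kv.get("identity", "mailfrom").lower()
    if identity == "helo":
        domain = kv.get("helo", "")
    else:
        # envelope-from is a mailbox; the authenticated domain is the part after '@'
        domain = kv.get("envelope-from", "").rpartition("@")[2]
    return SpfResult(m.group("result").lower(), identity, domain.lower())


def org_domain(domain: str) -> str:
    """Organizational Domain: one label above the longest matching public suffix."""
    labels = domain.lower().strip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def is_aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """aspf=s: exact DNS domain match; aspf=r (default): same Organizational Domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_spf(headers: List[str], from_domain: str, mode: str = "r") -> Tuple[bool, str]:
    """DMARC's SPF leg: only the MAIL FROM identity result is consulted.

    A result recorded for identity=helo alone is skipped, so a message whose HELO
    aligns with the From: domain but whose MAIL FROM domain fails SPF does not pass.
    """
    for line in headers:
        r = parse_received_spf(line)
        if r is None or r.identity != "mailfrom":
            continue
        aligned = is_aligned(r.domain, from_domain, mode)
        ok = r.result == "pass" and aligned
        return ok, f"mailfrom domain {r.domain}: spf={r.result}, aligned={aligned}"
    return False, "no MAIL FROM SPF result recorded; HELO-only results do not count"


if __name__ == "__main__":
    # The thread's example: aligned HELO, failing MAIL FROM -> no DMARC SPF pass.
    print(dmarc_spf(SAMPLE_HEADERS, "example.org"))
    # Constructed bounce: postmaster@HELO evaluated as MAIL FROM -> passes.
    print(dmarc_spf(NULL_BOUNCE_HEADERS, "example.org"))
```

Run the block directly to see both evaluations. The first call reproduces the outcome Scott gives for the thread's example; the second shows the only route by which a HELO domain reaches DMARC, namely when SPF itself substitutes postmaster@HELO for an empty MAIL FROM and the verifier records that as the mailfrom identity.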