IETF Logo Mail Archive

[dmarc-ietf] Additions to draft - Security Considerations

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 25 April 2022 01:16 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE9313A14A8 for <dmarc@ietfa.amsl.com>; Sun, 24 Apr 2022 18:16:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dSkchu_s2NvN for <dmarc@ietfa.amsl.com>; Sun, 24 Apr 2022 18:16:15 -0700 (PDT)
Received: from mail-ot1-x332.google.com (mail-ot1-x332.google.com [IPv6:2607:f8b0:4864:20::332]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7C983A14A4 for <dmarc@ietf.org>; Sun, 24 Apr 2022 18:16:15 -0700 (PDT)
Received: by mail-ot1-x332.google.com with SMTP id l9-20020a056830268900b006054381dd35so9825206otu.4 for <dmarc@ietf.org>; Sun, 24 Apr 2022 18:16:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=pYQL/NE6RBRlxzL0ZyNQ9Mv5uB+7eyEJ7XwMy/UcYvs=; b=dy/n+YHA8ekDWmDRyFXhyAIa1iW7Hnq7PB6Cmioe3fcsrbPuQTl2kWyKACuor+XKmM R5LNBkMGiVl/mRUM1WGuutgxERfajfQyImHuQ5Foc5r/bhXNLHs/9UEv8k+6lf/1qUq7 ZyjrF+qc0Mhe8RkrRqVpmwpfBGp7VElb8kOg/9i27C/DpQzLhS+hEn4N48LvWPu+ANB4 P1k5W/fb+s1+Hh3ogyZ2DD0rREAugfORlI61PL35eUUa3BH1hIv1PPNjEUR9S6CNt1Os Xxv4zr9tI5mCQO/+onfm9w6qT/k+UngbOdJA5zKe0xDTDlr6lf+x23UqewggO3YiHJyS UdYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=pYQL/NE6RBRlxzL0ZyNQ9Mv5uB+7eyEJ7XwMy/UcYvs=; b=P95wYbWllY0DY/xtm1TVvqXfn8uvP/ivd/DCkXE3ZP/HKqxHVTrQ3Dv1vqQe+h4wD3 9GUu/oCKnr411o3ioYtqxYcO4q1TWWWClCkiUBDV8gH2iKeeWnJs0wKOzlzvJpgwcODo HysSP+3Rq0AP6QAs2hM1WvqT5vwJjhdgBSbbbOWS2RsyfFAz4APzJkQokN/HTc7Q6Koq AJz2zxWsuoixsGQg6DqGk3HAIT+BtECHT4RrJTBNT9OV22I1cYX8C/stsRT4m0ptY1Vz jjmO+wI6YFbBPwLT1rlN8xxt9iCkvwzgqiWJO8DPqnM13YgYAnoT13Viou9f1uX8L/5a Yclg==
X-Gm-Message-State: AOAM532c1s6aySFTWS4G58O9S6hPFovvpSunhzvbUJluGfPemglvbWzq DnGz93ng+TCGLpjEWKHU8RCZL8B42DmlA/vSwA1EEtwu0J4=
X-Google-Smtp-Source: ABdhPJx+lvwDmFFpcCQJ1PeGaALdOROKPClkXyXF3oa9Gy5fuI/jNolp36rEJrjaTmokANkJTGQeboRhaSF/1lvMiMM=
X-Received: by 2002:a05:6830:1cc8:b0:5e6:f41c:f157 with SMTP id p8-20020a0568301cc800b005e6f41cf157mr5430206otg.82.1650849374770; Sun, 24 Apr 2022 18:16:14 -0700 (PDT)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sun, 24 Apr 2022 21:16:04 -0400
Message-ID: <CAH48Zfz5MWDuQa1DJQE_YK9gAUL4P-se4CeGAGYCf+c6D0ysaA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008f9ae105dd7052f3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Soy2XV70MrSE7foS4b8OrrnSXdk>
Subject: [dmarc-ietf] Additions to draft - Security Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 01:16:18 -0000

I have attempted to capture the security-related content of recent
discussions:

Security Considerations

Determination of the Organizational Domain

DMARC evaluation is highly sensitive to errors in the determination of the
organizational domain, as the organizational domain is used for the default
policy (when the RFC5322.From domain does not have a published policy) and
for determining relaxed alignment.

If an incorrectly selected organizational domain is actually a parent of
the correct organizational domain, then relaxed alignment will allow a
malicious sender to obtain DMARC PASS while impersonating either the parent
domain or sibling domains.

If an incorrectly selected organizational domain is actually a child of the
correct organizational domain, then relaxed alignment will produce an
incorrect DMARC FAIL when the message is actually authorized by either the
correct organizational domain or siblings of the incorrectly chosen domain.

When the RFC5322.From domain does not have a policy record, the
organizational domain policy is needed to demonstrate DMARC participation
and to provide the default policy.   In this case, when an incorrect
organizational domain is selected, and it does not contain a DMARC record,
then the domain will be treated as not participating in DMARC and the
domain owner will not receive reports.   If the incorrectly selected domain
does have a DMARC policy, the applied policy may be different from the
domain owner’s intended policy, and reporting will go to whatever
destination is specified by that policy.

A DNS path may contain a private registration, where a PSO-registered
domain owner makes subtrees of his domain available to independent
organizations.   This behavior complicates DMARC organizational
determination.    Clients of the private registration will have two
organizational domains in its DNS tree, one at the boundary between the
private registration client and its private registrar, and another between
the private registrar and its PSO.  If a private registry is unknown or
undetected during organizational domain selection, then the registrar
organizational domain may be incorrectly selected as the client’s
organizational domain, allowing the client to obtain DMARC PASS while
impersonating the parent domain or sibling domains.

Reliance on an externally-authored public suffix list, as specified in
RFC7489, creates stability problems for domain owners and evaluators.    An
organization may have their DMARC configuration fully deployed and
successfully tested, then suddenly develop unexplained and difficult to
detect problems if the PSL used by evaluators adds an entry which fragments
the domain’s intended organizational boundaries for email.  Even if the
domain owner manages to detect the problem, getting it corrected may be
difficult or impossible.   Since every evaluator operates on an independent
copy of one or another PSL list, updated at intervals determined by the
evaluator, the domain owner has no certainty about when or if a correction
will be replicated to all evaluators.

Domain owners can minimize the need for determination of an organizational
domain by publishing a DMARC record for each RFC5322.From domain, and
applying a DKIM signature which provides strict alignment.  When this
practice is followed, the organizational domain is only referenced when a
non-mail subdomain is impersonated by a malicious actor.   This
configuration allows the SP clause on all policies to be confidently set to
REJECT.

v2.23.0 | Report a Bug | By Email