Re: [dmarc-ietf] Overall last-call comments on DMARC
Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 03 April 2024 14:51 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 645A5C14F685 for <dmarc@ietfa.amsl.com>; Wed, 3 Apr 2024 07:51:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FsljSQL0_MgG for <dmarc@ietfa.amsl.com>; Wed, 3 Apr 2024 07:51:02 -0700 (PDT)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40E85C14F6BC for <dmarc@ietf.org>; Wed, 3 Apr 2024 07:50:55 -0700 (PDT)
Received: by mail-lj1-x22a.google.com with SMTP id 38308e7fff4ca-2d48d75ab70so96150171fa.0 for <dmarc@ietf.org>; Wed, 03 Apr 2024 07:50:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712155853; x=1712760653; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=vPHcGrgyV57ZADPlOlcAx3GZkLl791oOoA0AE55uqgg=; b=gYsKU4+dVfxBP3EwGMOtcW7CZ+AfufRIkaOOWfIezGN6cZHkAynRJujIfORwqi1kaw AiKofsT3cvohioYOrBTav+l6QX3BO8uH2+eu7SV6ZjM5v+gvOoyYMne1TEXJp4XnyMYN cTRWFr66BJeVZ1oSlEyB/08LcNJ59twypQSFq0lHZuIqDhjVphIAcD0kZddUvSMoDX87 1eWgddWo9rmp1whguBC7Y6yR9BYO+bKWJJcl4MI2t6jb5WYHdymq0lPvYQq1yMy66E4L iSBQtz+gNqOxzw+JHWjq5P9/zA8tB373LxjC4u7GaM+ZCDgGpYPrkh5wIoVQVgwVseD+ tVFg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712155853; x=1712760653; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=vPHcGrgyV57ZADPlOlcAx3GZkLl791oOoA0AE55uqgg=; b=p/B66ISDihcc4GoNPhoJWqxhzskcl9nnbenWQ3ubZDdzClEwe2PnkI7Cu9+XfyrCn9 XS68l00j204dGR818QLCFmTOUg1T6pS/wWpPef+nXdMnwJMNRWsnQRsojr6DoSF+1/Rd AzMvBiqTM38Up7vcUvTVA2oCivbhj2LW8OSCp5Y/VDO2LoeKSzW52l1bLBtk6ME5s82Q +0oqTcYPuAyDoigprfP+DsJwsN2VhxdfierUiVImu71dpSNT2CcYO+4xDi7KfFJa+Xf5 LIE0akeVu3CxxGz1ARaZUPhOVye0P61qouJwcR5giWZGTnG8Q4uzExoQxAciAIwYPLT+ pH8g==
X-Gm-Message-State: AOJu0YzKs4B/aIMmVeZXitUO0MGD6aneEmw/0wioyZWnQGgBaZYBMARQ T/jW+opvldWdfdsLFlGASpFGo1tlLzDg5I+CDMCPzjXOzYE/Lp5B9ko2aXQ6/wTSaEQxeGzYNIr 9F5zfV2RQnN2QCfGh/STF/hDZPyqZyseb
X-Google-Smtp-Source: AGHT+IHWHBRm/P+nhPBj6FWE2I1C+ibAQu/x8ueBD0Ad69au3WGkPq73UuzTtjnxxnbpRgY3lITO1PavdT5Yqy3dgRA=
X-Received: by 2002:a2e:8606:0:b0:2d5:9703:263f with SMTP id a6-20020a2e8606000000b002d59703263fmr1703272lji.44.1712155852509; Wed, 03 Apr 2024 07:50:52 -0700 (PDT)
MIME-Version: 1.0
References: <CFEA2796-9213-4847-836B-81E8770973F5@bluepopcorn.net> <5208da1b-ecfb-4d41-8506-a734a27ab3a0@tana.it> <CAL0qLwbnSe77Wdt+M8bi2pBmZFCZjDUQc6je9bjCzP5TQ0N6XA@mail.gmail.com> <49859572-18a4-483b-bb99-62c1c231896e@tana.it> <CAL0qLwZc6idmMra11pVx2bbtk2Em9-vy6+962M7jDWOMnP+UHQ@mail.gmail.com> <1ee6df39-a622-4060-83db-bcc9a7a835d4@tana.it> <CAL0qLwYX_D7S_-Vn9RwwRzwyNO=8=3UVqbP8rz3SCWG4dvGZig@mail.gmail.com> <f5f55a39-127d-4a84-a66b-950379ecb013@tana.it>
In-Reply-To: <f5f55a39-127d-4a84-a66b-950379ecb013@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 03 Apr 2024 10:50:41 -0400
Message-ID: <CAH48ZfzQ+7dEBu1awSdnZFk2UQueMf4uVOywug=NEGA9avsmHw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000639d420615325956"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SwY04OQFQ-gET-EsUCJh51YCghQ>
Subject: Re: [dmarc-ietf] Overall last-call comments on DMARC
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2024 14:51:04 -0000
In response to Ale's comment that we describe the mailing list problem without defining a path forward, I suggest the text below. Doug Foster Some legitimate messages are sent on behalf of an individual account, based on an established relationship between the sender and the account owner, but without domain owner involvement, These messages are legitimate in the sense that the RFC5322.From address represents the true author, but the messages do not produce DMARC Pass because the sender does not have a DKIM private key from the domain owner. Mailing list messages are one example. We shall call these Special Senders. The mechanism which evaluators use to determine whether a message source should be classified as a Special Sender is outside the scope of this document. [ARC could be part of the process.] Once identified, an alternate authentication technique is needed to distinguish Special Senders from other sources, particularly malicious actors. To facilitate this alternate authentication, senders of such messages SHOULD use their own domain name for the Mail From address, and SHOULD apply a DKIM signature corresponding to the Mail From domain, and SHOULD ensure that the messages produce SPF Pass. When these identification measures are in place, the evaluator can authenticate the Special Sender, and use that identification to override DMARC Fail or DMARC No Policy. - For messages received directly, the evaluator detects the Special Sender's Mail From address or domain, and authenticates the message based on SPF Pass, aligned DKIM Pass, or both. Other message headers may also be used, specific to the situation, to ensure precise identification. - For messages received after secondary forwarding, but without Mail From rewrite, identification is based on the Mail From address and a verified DKIM signature aligned with the Mail From address. - For messages received after secondary forwarding and Mail From rewrite, authentication is more difficult. Before any message can be assigned Special Sender status, the evaluator must be able to detect that Special Sender status might apply. A DKIM signature for the Special Sender is the only verifiable identifier for this purpose. In most cases, the evaluator will need to use other message headers to supplement the DKIM signature as part of the Special Sender authentication, to ensure precise identification of the Special Sender messages. Alternatively, the evaluator may have reason to trust the secondary forwarder's authentication process, and accept the message on the basis of having been allowed through the secondary forwarder. On Wed, Apr 3, 2024 at 7:17 AM Alessandro Vesely <vesely@tana.it> wrote: > On 02/04/2024 20:16, Murray S. Kucherawy wrote: > > On Tue, Apr 2, 2024 at 9:01 AM Alessandro Vesely <vesely@tana.it> wrote: > > > >>>>>> By now, most mailing lists arranged to either rewrite From: or not > break > >>>>>> DKIM signatures. We all hope those hacks are temporary. > >>>>> > >>>>> What do you mean by "temporary", given the time scales that have > already > >>>>> passed since RFC 7489 saw wide deployment? Do you envision those > >>>>> techniques ending sometime soon? > >>>> > >>>> Yeah, the time scale is killing us. Is ten years soon enough? > >>> > >>> You tell me. You say you're hoping they're temporary, yet they've > been > >>> around a long time and I'm not sure that there's an alternative on the > >>> table. I'm asking you to explain. > >> > >> I believe alternatives are possible. Can't say how long it's going > >> to take, but I presume when they are available, the nasty hacks > >> will slowly fade out.> > > So what are you suggesting should go in this document that's in WGLC? > > > Section 8.6 states the ML problem very well, but it says nothing about the > way forward. Section 5.8, cross referenced with 8.6, talks about "other > knowledge and analysis". Neither that is forward looking, as it seems to > suggest some kind of presently available, heuristic content analysis. > > Some sort of contract or agreement between sender and receiver seems to me > to be unavoidable if we want to leverage ARC without having a global domain > reputation system. We don't have a precise method to do that. We need to > experiment and standardize something to that extent, which I hope this WG > can do after publishing -bis. > > Meanwhile, we can mention ARC, in Section 5.8 (minimal text proposed in > another thread[*]). How much can we expand that? For example, can we > whisper something about the need to trust specific sealers for specific > streams? > > In Section 8.3 the draft says: > > 550 5.7.1 Email rejected per DMARC policy for example.com > > I guess it would be too much to say: > > 550-5.7.1 Email rejected per DMARC policy for example.com, > 550-5.7.1 ARC seal by forwarder.example verified but not trusted. > 550 5.7.1 See https://receiver.example/arc-streams-registration/ > > Wouldn't it? > > > Best > Ale > -- > > [*] > https://mailarchive.ietf.org/arch/msg/dmarc/1aPplXPF1cYpnRzYHgxsTCPPzHg > > > > > > > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- [dmarc-ietf] Overall last-call comments on DMARC Jim Fenton
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Standards Track? Yes or No. Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… John R. Levine
- Re: [dmarc-ietf] Standards Track? Yes or No. Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Dotzero
- Re: [dmarc-ietf] Overall last-call comments on DM… Murray S. Kucherawy
- Re: [dmarc-ietf] Overall last-call comments on DM… Jim Fenton
- Re: [dmarc-ietf] Overall last-call comments on DM… Douglas Foster
- Re: [dmarc-ietf] Overall last-call comments on DM… Tero Kivinen
- Re: [dmarc-ietf] There is no pony, Overall last-c… John R. Levine
- Re: [dmarc-ietf] There is no pony, Overall last-c… Jim Fenton
- Re: [dmarc-ietf] There is no pony, Overall last-c… John R. Levine
- Re: [dmarc-ietf] There is no pony, Overall last-c… Hector Santos
- Re: [dmarc-ietf] Overall last-call comments on DM… Alessandro Vesely
- Re: [dmarc-ietf] Overall last-call comments on DM… Neil Anuskiewicz