Re: [dmarc-ietf] Ticket #1 - SPF alignment

Scott Kitterman <sklist@kitterman.com> Tue, 26 January 2021 22:36 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0B7A3A0A5E for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 14:36:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=H6Uk+8lC; dkim=pass (2048-bit key) header.d=kitterman.com header.b=dfbJpZ9+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D2v5FlLU9wpI for <dmarc@ietfa.amsl.com>; Tue, 26 Jan 2021 14:36:21 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25B3A3A0A3B for <dmarc@ietf.org>; Tue, 26 Jan 2021 14:36:20 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id B6995F801F9 for <dmarc@ietf.org>; Tue, 26 Jan 2021 17:36:19 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1611700579; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=qXKHpTMv36TXnTou14fe1Yq5eWHCR06X0hJq6hgn8Uo=; b=H6Uk+8lCF78KaxzmgPRaZuddfWMnvWt0J4PNrJpXe/0w5SPMMKtc4gz9JxYLym/6vtjVR lWNr4bV9BnVUdjbBg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1611700579; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=qXKHpTMv36TXnTou14fe1Yq5eWHCR06X0hJq6hgn8Uo=; b=dfbJpZ9+neSDHxy5rG2NgYNHlYmHnYbynhT2vFtQXiOKdHg7v800mi7xYXXfDmb0hI29s cWsKMeBbmJmMnsU30Alp/xFpAUbXYlwTT0QibMKD9i84nmP1J4UA3PcABT5czID97yKlEtn G0OU90p3B8GR2sF3Iv5IgkWcITsFnDuugAS4Y2JF/etQgXWGhFuesJZIyimmor5okKXD/6p eoP+grZogRU6DaIMIbwFrC6kfeNDtJr+sYvwSgYLV+LLVhF+kw6fyrsOuOqXHt3wIlUeL7M wmNxSSA4kJLfqTnq2C538AhFvAEiP3FEmi5YZOoSrJ+AStpiGI2Sl1oieW+g==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 825AAF80052 for <dmarc@ietf.org>; Tue, 26 Jan 2021 17:36:19 -0500 (EST)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 26 Jan 2021 17:36:19 -0500
Message-ID: <1655426.E2olI3CrJK@zini-1880>
In-Reply-To: <3ed1bd47-43e9-3260-b2fe-567c967eede2@tana.it>
References: <bef64e7a-571b-a73f-dc91-aa402ca320c8@taugh.com> <1859075.lZWC7Mh21l@zini-1880> <3ed1bd47-43e9-3260-b2fe-567c967eede2@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TZxs-XYagma9legYySanjsXglIg>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jan 2021 22:36:23 -0000

On Tuesday, January 26, 2021 11:47:51 AM EST Alessandro Vesely wrote:
> On Tue 26/Jan/2021 14:14:45 +0100 Scott Kitterman wrote:
> > On Tuesday, January 26, 2021 6:54:56 AM EST Alessandro Vesely wrote:
> >> On Mon 25/Jan/2021 22:35:09 +0100 Scott Kitterman wrote:
> >>> On Monday, January 25, 2021 4:04:33 PM EST Todd Herr wrote:
> >>>> May I propose that the section labeled "SPF-Authenticated Identifiers"
> >>>> be rewritten as follows:
> >>>> 
> >>>> [...]
> >>>> 
> >>>>    The reader should note that SPF alignment checks in DMARC rely
> >>>>    solely on the RFC5321.MailFrom domain. This differs from section 2.3
> >>>>    of [@!RFC7208], which recommends that SPF checks be done on not only
> >>>>    the "MAIL FROM" but also on a separate check of the "HELO" identity.
> >>> 
> >>> I think this is fine, but there is a subtlety to be aware of.
> >>> 
> >>> If you look at RFC 7208 Section 2.4, when Mail From is null,
> >>> postmaster@HELO is the mail from for SPF purposes.  DMARC really can't
> >>> change that.
> >>> 
> >>> As a result, there are cases where Mail From results actually are
> >>> derived from HELO and it's unavoidable.
> >> 
> >> I doubt that SPF filters report envelope-from=postmaster@HELO; more
> >> likely they write helo=HELO.  In that case, the paragraph quoted above is
> >> deceptive.
> >> 
> >>> I believe the proposed text is clear enough about not using separate
> >>> HELO identity results and that's appropriate.
> >> 
> >> My filter collects SPF results recorded from an upstream SPF filter.  It
> >> writes Received-SPF: lines for each identity.  For NDNs, it writes a
> >> Received-SPF: for the HELO identity only.  Am I allowed to use that
> >> result for DMARC?
> > 
> > No.  You should only use Mail From results.
> 
> So NDNs having only an aligned HELO will never pass DMARC?
> 
> And what is a <scope>helo</scope> element in aggregate reports provided for?
> 
> The spec says:
> 
>           [SPF] can authenticate either the domain that appears in the
>     RFC5321.MailFrom (MAIL FROM) portion of [SMTP] or the RFC5321.EHLO/
>     HELO domain, or both.
> 
> And then:
> 
>     In relaxed mode, the [SPF]-authenticated domain and RFC5322.From
>     domain must have the same Organizational Domain.  In strict mode,
>     only an exact DNS domain match is considered to produce Identifier
>     Alignment.
> 
> So, consider the following message without DKIM signatures:
> 
> HELO example.org
> MAIL FROM:<user@example.com>
> 
> Received-SPF: pass (domain example.org
>    designates 192.0.2.1 as permitted sender)
>    identity=helo; helo=example.org;
> Received-SPF: fail (domain of user@example.com
>    denies 192.0.2.1 as permitted sender)
>    identity=mailfrom; envelope-from="user@example.com".com";
> Subject: Not using a mail client for this example
> From: different-user@example.org
> 
> Does it pass DMARC?

No.

Scott K
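The rule the two messages above agree on (only the RFC5321.MailFrom identity feeds DMARC's SPF check, and a null MAIL FROM is evaluated as postmaster@HELO per RFC 7208 section 2.4) can be made concrete in code. The following is an added example written for this archive page, not code from the list, from the DMARC draft or from any SPF or DMARC implementation. It evaluates SPF itself instead of reading upstream Received-SPF lines, so the questions in the thread reduce to what the evaluator is asked to check: the SPF_RECORDS table is a constructed stand-in for DNS, check_host implements only the ip4/ip6/all mechanisms, org_domain uses a simplified last-two-labels rule rather than the Public Suffix List, and all function names are this example's own. It also runs Alessandro's example message (HELO example.org passes, MAIL FROM example.com fails, From: example.org) and the NDN case with MAIL FROM:<>, in relaxed and strict alignment modes.

```python
"""Minimal SPF evaluator plus the DMARC SPF-alignment rule discussed in
this thread.  Added example; not code from the list or from any SPF/DMARC
implementation.  DNS is replaced by the constructed SPF_RECORDS table and
the organizational-domain rule is simplified (see org_domain)."""

import ipaddress

# Constructed stand-ins for DNS TXT records (documentation domains and
# addresses from RFC 2606 / RFC 5737); no real zone publishes these.
SPF_RECORDS = {
    "example.org":      "v=spf1 ip4:192.0.2.1 -all",
    "mail.example.org": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.com":      "v=spf1 ip4:198.51.100.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain):
    """Cut-down RFC 7208 check_host(): handles only ip4/ip6 mechanisms and
    the 'all' terminal.  A real evaluator must also handle include, a, mx,
    redirect, exists, macros and the DNS-lookup limit."""
    record = SPF_RECORDS.get(domain.lower().rstrip("."))
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            return "permerror"               # mechanism not implemented here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                         # nothing matched, no 'all' term


def org_domain(domain):
    """Simplified: treats the last two labels as the Organizational Domain.
    Real DMARC derives it from the Public Suffix List (co.uk etc. differ)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed)
    requires the same Organizational Domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_spf(ip, helo, mail_from, rfc5322_from_domain, mode="r"):
    """DMARC's SPF input: only the RFC5321.MailFrom identity is evaluated.
    Per RFC 7208 section 2.4 a null reverse-path ('<>') is checked as
    postmaster@<HELO>, so for bounces the MailFrom domain *is* the HELO
    domain; that is the only way HELO reaches DMARC.  A separate HELO
    identity result (RFC 7208 section 2.3) is never consulted here.
    Returns (dmarc_spf_pass, details)."""
    if mail_from in (None, "", "<>"):
        sender = "postmaster@" + helo
    else:
        sender = mail_from.strip("<>")
    spf_domain = sender.rsplit("@", 1)[1]
    result = check_host(ip, spf_domain)
    passed = result == "pass" and aligned(spf_domain, rfc5322_from_domain, mode)
    return passed, {"identity": "mailfrom", "sender": sender,
                    "domain": spf_domain, "spf": result}


if __name__ == "__main__":
    ip = "192.0.2.1"
    # The message from the thread: HELO example.org, MAIL FROM example.com,
    # From: example.org.  The separate HELO identity check passes ...
    print("helo identity:", check_host(ip, "example.org"))
    # ... but DMARC only looks at MailFrom, which fails: no DMARC SPF pass.
    print("thread example:", dmarc_spf(ip, "example.org", "user@example.com", "example.org"))
    # An NDN with MAIL FROM:<> from the same host is evaluated as
    # postmaster@example.org, passes, and is aligned with From: example.org.
    print("bounce:", dmarc_spf(ip, "example.org", "<>", "example.org"))
    # Same bounce sent with HELO mail.example.org: aligned in relaxed mode only.
    print("relaxed:", dmarc_spf(ip, "mail.example.org", "<>", "example.org", "r")[0])
    print("strict: ", dmarc_spf(ip, "mail.example.org", "<>", "example.org", "s")[0])
```

A verifier that consumes an upstream filter's Received-SPF lines instead of evaluating SPF itself needs the line recorded for the mailfrom identity; for a bounce that line's domain is the HELO domain because of the postmaster@HELO substitution, which is a different thing from a line recorded for the helo identity.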