IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #1 - SPF alignment

Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 30 January 2021 12:44 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51F7C3A07DF for <dmarc@ietfa.amsl.com>; Sat, 30 Jan 2021 04:44:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mjXg6FTK9Fhu for <dmarc@ietfa.amsl.com>; Sat, 30 Jan 2021 04:44:35 -0800 (PST)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66A433A07C8 for <dmarc@ietf.org>; Sat, 30 Jan 2021 04:44:35 -0800 (PST)
Received: by mail-vs1-xe32.google.com with SMTP id i12so3413947vsq.6 for <dmarc@ietf.org>; Sat, 30 Jan 2021 04:44:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=YwHSQndmuzVPa384Kc4koYwxpXMrbOYcCuj6UIQAgH8=; b=MAbLh4OygP9OLFsoxQe8yAvE24eGLQ+aK+8jogjkObXLOSibxxfyA0Mj0apTkmLkVi VH0OugV9TPP69UGrVYKqFewbHfwtpRtcjqRPe04SZImbdKw7CP+FAG3K9262BpZFWmKT rFe+L5dap4Od664PFMQ9Rln7m7vxa1EImZrB/ttMKnC7BpH22WkK/wWA6Dk5ANWrI8Rt jDAgYZDwUoLCgefw6Uv8UKSbmKAnm7XOkKzR7MxUKxU4kMG8Gqsfs11D9QBCT6XO9z5n 32LP4C4EFsptTsW6eKXVgXDy0fmrlOCyO4vtnyg4gGiNgr+LtAoECGWeak06uWwe63iU 8CwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=YwHSQndmuzVPa384Kc4koYwxpXMrbOYcCuj6UIQAgH8=; b=sMBJAoXWgVZsmZIpIIialrFY+RLfpXB3V/iD4KhSYwt8AgT71bWUsmLLQ+nffUo9XJ YDf1IDWKC5x+C2SSQkeag86Ws03Z9cqrPRpDe2QqYkAV03xyLjfHfBdFqXSvikf9Y1IJ ZB3I/HadDVdnhh1w7g9rvX3kpOudu9gdpmHCzmFCrMFWhf7pMCz6G2jy8zUuomTki5gA JvGvT0DSGS9VI+iFDj5WBOXcNtJAoXsClwnTpweMkLZuF4uhEYQv0I479biQrUDfGja0 XFOY8Ab7NDbP+TeltR1baIeVje27pMzcYB5Enu08A6V+O3uSCSp9w0CR63aGKikV0kkE 6fqw==
X-Gm-Message-State: AOAM531GjPH0UbG/pfwJycTJJxdAOw5AKnLtq+vqOSt1KVizYsV1M+TE vhL3mn/d4S5Vzn4cmM4Fuvyw68WchxU8wpm+0Z0qEVFghbCa3Q==
X-Google-Smtp-Source: ABdhPJySMJ5TSAVvZXjvf4pwzLmtTpoh0hQDPOgvDSp/T82IznpQawiHzB2vO47MxrckkxxEKrcC5u0CKJ9kHOusxPQ=
X-Received: by 2002:a67:c29e:: with SMTP id k30mr5241407vsj.45.1612010673948; Sat, 30 Jan 2021 04:44:33 -0800 (PST)
MIME-Version: 1.0
References: <bef64e7a-571b-a73f-dc91-aa402ca320c8@taugh.com> <1655426.E2olI3CrJK@zini-1880> <c39916f8-33f5-9876-c018-53085f5cc8f5@tana.it> <3776619.NdRDDhGtae@zini-1880> <81ab38a1-4b0a-3845-fc8c-7d49d7850c26@tana.it> <CAL0qLwZgB4iVSudbJeh8NGiKd1232SBTy4YDG6Zj-=LV+1m6Uw@mail.gmail.com> <fc735412-dfa2-20c8-087f-727b13eb3ad5@tana.it> <CAL0qLwbYxTXXXpx11L3f1CqBns=fSRho3C+S7q=-DmiPSvxKvg@mail.gmail.com> <cf51d6d4-0c7b-971d-bcac-743370f16433@tana.it> <CAL0qLwYK7SFfV5fOb7qhy5hVgR15z4HEJbAHv38OFMAfC=_j-Q@mail.gmail.com> <920ee8e1-2947-379e-5798-2a6818e69526@tana.it>
In-Reply-To: <920ee8e1-2947-379e-5798-2a6818e69526@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sat, 30 Jan 2021 07:44:24 -0500
Message-ID: <CAH48ZfyFB=ys44NwRB=j8h9t6XgfsC84JnOd6whFo4GM7-1xMg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000098490505ba1d7b7b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/TlftrWczMzhwR0zv7qgAJYbBLf4>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Jan 2021 12:44:37 -0000

I have been using forward-confirmed DNS in my filtering logic for a long
time.   These are my results from a recent time period:
4.5% neither name confirmed
9.6% reverse DNS confirmed only
39.7% Helo confirmed only
46.2% Both confirmed

Of the ones where both were confirmed:
96% had the same domain in both names,
4% had different domains between HELO and REVDNS

I apply my DNS blacklisting rules to both domain names.
I often use a verified DNS domain (either type) with SMTP domain to define
corrections for sender SPF policy.
HELO is part of the SPF algorithm that I use, but I do not track how often
it is used to generate SPF PASS.
I use BATV to I don't worry much about SPF or DMARC for automatic messages.

Overall, I don't know how important HELO is to SPF, but it is verifiable
and often useful.

Doug Foster

On Sat, Jan 30, 2021 at 5:41 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Fri 29/Jan/2021 21:30:49 +0100 Murray S. Kucherawy wrote:
> > On Fri, Jan 29, 2021 at 3:02 AM Alessandro Vesely <vesely@tana.it>
> wrote:
> >
> >> I just run a quick test on my current folder.  Out of 3879 messages I
> >> extracted 944 unique helo names.  721 of these matched the reverse
> lookup
> >> exactly. Out of the 223 remaining, 127 had an SPF pass for the helo
> >> identity anyway. So in 96 cases, roughly 10%, the helo name was indeed
> >> junk.  Isn't the remaining ~90% something worth considering? >
> > I am admittedly quite heavily biased against using the HELO/EHLO value
> for
> > anything.  I have simply never found value in it, probably because at the
> > SMTP layer it's simply a value that gets logged or used in cute ways in
> the
> > human-readable portion of SMTP.  I seem to recall (but cannot seem to
> find
> > at the moment) RFC 5321 saying you can't reject HELO/EHLO based on a
> bogus
> > value, so it's even explicitly not useful to me.
>
>
> There seems to be consensus on changing the MUST NOT there to a SHOULD
> NOT.
> See ticket #19 of emailcore.
>
>
> > Even if it's not junk, there's pretty much always something else on which
> > to hang a pass/fail decision about the apparent authenticity of a message
> > that at least feels safer if not actually being more sound.
>
>
> I might understand being reluctant to spend a DNS lookup for a TXT record
> that
> many operators don't care to define.  However, we're discussing the case
> that
> an upstream SPF filter already acquired and evaluated that record.
>
>
> > Or put another way, if you present to me a DKIM-signed message with a
> MAIL
> > FROM value and the only thing that passes is an SPF check against HELO,
> I'm
> > mighty skeptical.
>
> We have helo as the only valid identifier in most DSNs.  What is
> idiosyncratic
> is that a message MUST be a DSN (i.e. have an empty mfrom) in order for an
> already authenticated helo to be considered significant.  What I'm
> proposing is
> actually a simplification.
>
>
> > Anyway, I'll let consensus fall where it may.
>
>
> Thank you
> Ale
> --
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email