IETF Logo Mail Archive

Re: [dmarc-ietf] Abolishing DMARC policy quarantine

Tim Wicinski <tjw.ietf@gmail.com> Sun, 28 July 2019 13:36 UTC

Return-Path: <tjw.ietf@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49E2F120136 for <dmarc@ietfa.amsl.com>; Sun, 28 Jul 2019 06:36:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7HesxFD8XcI for <dmarc@ietfa.amsl.com>; Sun, 28 Jul 2019 06:36:52 -0700 (PDT)
Received: from mail-ot1-x344.google.com (mail-ot1-x344.google.com [IPv6:2607:f8b0:4864:20::344]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47FDD120100 for <dmarc@ietf.org>; Sun, 28 Jul 2019 06:36:52 -0700 (PDT)
Received: by mail-ot1-x344.google.com with SMTP id z23so31626461ote.13 for <dmarc@ietf.org>; Sun, 28 Jul 2019 06:36:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=4rjrSMZTgewH5WjxCPEtTZ3v8YYTu/xeyX6ctKjJMmw=; b=FKQF8/ptQK6nxifSKK5tAkLChuoAH1K+PwnbWXNM0/vrG/sghTJvdTkYU3JoDTgcjK 3aUL45hstZo0OOvv+0QyxqWe2VPRA/H5egJcoWoRWvFQiRDF4eJMmUArrgLvg3ABjgZ0 Y40IIWwXgDw4nCYDBgVAeoD0YVsA62EF3djXFCz1x0tqMS8uQ6zcmGcBYGqAVMSK5Dvc MWwbTdtFbov+coFUAVJkf2XCK8jJs5xk0rvOYjQwjFvVEGmhByK2P0FjsLObDwACspYB StMq549UnwVvHHaEC5jk8b1eWH+gVQirN7HS3SKQ2lzQeWVpMkM/8UUOhGJSb6Xgbvbk ++Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=4rjrSMZTgewH5WjxCPEtTZ3v8YYTu/xeyX6ctKjJMmw=; b=dkFFz8X3vluC7qh1Vnt3Dl/oNMmvVbMJQInSPbAkY1PgdxCnOYKtitwdt4/bI8LotV df1sP22jGB/BIZU3O0PBuGdyxNJ4T+SHNvQSD7fy/E3wTWrWnfYvG5rJprkwfLTd3HAh jWAIb/KJtT5EN5w8whGEsCvStL/X0CUfnoTn0AfAYwHTERRekLV9cyX27Qe3kKRgkUy3 bA53bjDq7gjXea9cCnKzXCn98lvPKYxmEQUCIR06vq0MqAs08CmdADgbMFfRCozZk7CS ETsCSfncx2IbuVaO2+Udrs5VEwd0Lq4nh0yeCeqvoLLlOwDQ8EA1fYrdLXe6dmiiEAnM 6eIA==
X-Gm-Message-State: APjAAAXJ80f03m+qi+8nqh9kb0o8M5Rsk/PjJOLzC1+UJWu+fASfMrnA aN5PStjGiav7LJHMmwKrCozth0jSv8utdu/PPfg=
X-Google-Smtp-Source: APXvYqwRr4EoldZaE0Gl1LfD5fzQZw1ELv30sLEmetmnvBltyhF8E89wPdveFTDDZ9mvtcXiKSaRVMpA3UAzWf0tTws=
X-Received: by 2002:a05:6830:13d9:: with SMTP id e25mr46729103otq.197.1564321011651; Sun, 28 Jul 2019 06:36:51 -0700 (PDT)
MIME-Version: 1.0
References: <a8ac130a671f5bcd1bf9f09781325e84a9f1fda6.camel@aegee.org> <b903c983-5c65-5b17-62bf-9ff42ffdbaaa@corp.mail.ru> <CAJ4XoYeJRcGfO7LntM6LBeJ5rMOcb0D=ya31Rm8utoWTqE7oXQ@mail.gmail.com> <0295aa1e-733a-b3ae-14cb-edcb2050d6af@corp.mail.ru> <CAL0qLwYYEMofia2S4a8oXsf02fnJg7y+DovvMWZENUW+4yUyiw@mail.gmail.com> <36cba315-e738-ddec-0f6c-2e6086b69d11@corp.mail.ru> <70da228a75b94c28097ce0c25bc407d93e86c4c2.camel@aegee.org> <CAL0qLwbX4T5=EFZtwPPk9aYdUpR72c4r5t8SB1WETkpXEtUahQ@mail.gmail.com> <1951EFA7-0695-4B98-9CB1-3ECCEFEBF321@wordtothewise.com> <CAL0qLwbixESJypwDG3NMuv22+Lb3w-iHPok8xZf-hy3Fiu38EA@mail.gmail.com> <7DFCE75A-4D31-4DEF-BD12-F161EE8D2CA9@wordtothewise.com> <92880e84-be6d-302c-dd6e-0768638ee54a@tana.it> <88795b092c9d32bcaf49a4c02ead802dc3c22753.camel@aegee.org>
In-Reply-To: <88795b092c9d32bcaf49a4c02ead802dc3c22753.camel@aegee.org>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Sun, 28 Jul 2019 09:36:39 -0400
Message-ID: <CADyWQ+GcVA64Kg0RVi13+-kTXtHRds+iPb5gs7VM7VYSk=XS-A@mail.gmail.com>
To: Дилян Палаузов <dilyan.palauzov@aegee.org>
Cc: Alessandro Vesely <vesely@tana.it>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000036d7a3058ebdded8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Ts-vqzEzxRXNw9d0reKf6rk923U>
Subject: Re: [dmarc-ietf] Abolishing DMARC policy quarantine
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Jul 2019 13:36:55 -0000

>From our end user point of view, I'm against abolishing quarantine, even
with its current shortcomings.

Tim
(no hat)

On Sun, Jul 28, 2019 at 8:48 AM Дилян Палаузов <dilyan.palauzov@aegee.org>
wrote:

> Hello Alessandro,
>
> abolishing policy quarantine means with p=reject that for failed messages
> there should be some penalty and the receiving
> site decides on the form of the penalty, e.g. quarantine or reject.
>
> In fact I see the DMARC specification updated to use consistently some
> neutral word, like penalty or punishment attached
> to p=reject, once p=quarantine is abolished.  This word is then dissected
> into “quarantine or reject” at the place where
> it elaborates on the possible penalties, or how to do reject right.
>
> The penalty could be implemented with reply
> 550 Message failed DMARC validation and was delivered in the Junk folder
> of the recipient
>
> This form has the advantage over either quarantine or reject, that for
> lost messages, the sender can call the recipient
> and the recipient can dig for the message.  So the message does not have
> to be resent and no surprizes happen.  I do not
> see how could this reply mess anything, except in the cases where the
> sender does not speak English.
>
> > OTOH, quarantine lets one forget about delivery, perhaps with a
> backhanded
> > thought of recipients rummaging through their spam folders in search of a
> > missing message.  That style seems to me to better suit ESPs, whose duty
> is
> > rather to have a lot of mails sent than to make sure that each message is
> > acknowledged, albeit they try and maximize the ratio.
> >
> > IMHO, by abolishing quarantine, we make the protocol less flexible than
> it is.
>
> If an ESP wants to forget about delivery, the ESP likely does not care
> whether it has implemented DMARC correctly and
> then it does not need quarantine mode.
>
> The penalty is applied to messages that are either sent by spammers or by
> the domain owner.  If messages are from
> spammers, for the domain owner it is irrelevant, what kind of penalty is
> applied, but for users doing reject means
> having to scan less messages in the Junk mailbox.
>
> If messages are from the domain owner and fail DKIM/DMARC validation, the
> only way to fix DKIM/DMARC is to use policy
> reject.  There is no other way to find out which messages fail DKIM/DMARC,
> as single message faiulure reports are rarely
> sent, and without knowing which messages fail DMARC fixing the problem is
> unnecessary complicated.
>
> So here, p=quarantine is in fact an option for providers, who do not care,
> whether they have implemented DMARC
> correctly.
>
> All that said:
>
> • Is there a consensus on abolishing policy quarantine?
> • If policy quarantine will be kept, will the none>quarantine>reject order
> be abolished, meaning “quarantine” will not
> be handled as softer variant of “reject”?  Meaning with p=reject; pct=30
> messages are either delivered or rejected, but
> the specification does state anything about quaratining 70% of the failed
> messages.
>
> The first argument in favour of keeping policy quarantine was exactly this
> order (quarantine is a softer variant of
> reject and before deploying reject one has to exercise with quarantine).
>
> Regards
>   Дилян
>
>
> On Fri, 2019-07-26 at 16:30 +0200, Alessandro Vesely wrote:
> > On Thu 25/Jul/2019 14:53:55 +0200 Steve Atkins wrote:
> > > > On Jul 25, 2019, at 12:06 AM, Murray S. Kucherawy <
> superuser@gmail.com> wrote:
> > > >
> > > > On Wed, Jul 24, 2019 at 4:45 PM Steve Atkins <
> steve@wordtothewise.com> wrote:
> > > > > It's interesting that the industry has decided to interpret
> "p=reject; pct=0" the way we intended "p=quarantine; pct=100".
> > > >
> > > > It's semi-explicitly defined that way in the RFC, isn't it?
> > > >
> > > > If so, we should fix it because (a) I don't think that's how we
> intended it, and (b) in any case, nothing in there should be only
> semi-explicit.
> > >
> > > rfc 7489 6.6.4
> > >
> > > "If email is subject to the DMARC policy of "reject", the Mail
> > >    Receiver SHOULD reject the message (see  Section 10.3).  If the
> email
> > >    is not subject to the "reject" policy (due to the "pct" tag), the
> > >    Mail Receiver SHOULD treat the email as though the "quarantine"
> > >    policy applies.  This behavior allows Domain Owners to experiment
> > >    with progressively stronger policies without relaxing existing
> > >    policy."
> > >
> > > It's pretty clear and well-defined; the case we're talking about,
> "p=reject; pct=0", is
> > > just a special case of this general rule.
> > >
> > > All emails will not be subject to the "reject" policy due to the pct=0
> tag, so the mail
> > > receiver should treat all emails as though the policy "quarantine"
> applies (which
> > > is the same as "p=quarantine; pct=100").
> >
> > I, for one, had missed that point.  Thanks for clarifying it.
> >
> > It seems to mean that the resulting steps are, for example:
> >
> >
> > "p=quarantine; pct=0"  (check From: rewriting)
> > "p=quarantine; pct=10" (some messages go to the spam folder)
> > "p=quarantine; pct=20"
> > ....
> > "p=quarantine; pct=100"
> > "p=reject; pct=0"      (same as the previous step)
> > "p=reject; pct=10"     (some messages bounce back)
> > "p=reject; pct=20"
> > ....
> >
> >
> > Is that what we want to suggest?  In that case, we should be clearer.
> Perhaps
> > by adding an example in a new appendix.  However, I hardly see the above
> > sequence as progressive.
> >
> > I had always considered quarantine and reject to be two more or less
> similar
> > alternatives.  Each has its merits and shortcomings, and can be chosen
> > according to a sender's needs.
> >
> > An advantage of reject is that one gets NDNs, which are much more
> universally
> > adopted than failure reports.  Perhaps a bank or similar transactional
> sender
> > would rather prefer reject, because they can timely resend bounced
> transactions
> > or notices thereof in order to have their duties accomplished.
> >
> > OTOH, quarantine lets one forget about delivery, perhaps with a
> backhanded
> > thought of recipients rummaging through their spam folders in search of a
> > missing message.  That style seems to me to better suit ESPs, whose duty
> is
> > rather to have a lot of mails sent than to make sure that each message is
> > acknowledged, albeit they try and maximize the ratio.
> >
> > IMHO, by abolishing quarantine, we make the protocol less flexible than
> it is.
> >
> >
> > Best
> > Ale
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email