Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

John R Levine <johnl@taugh.com> Mon, 18 March 2024 18:57 UTC

Date: Mon, 18 Mar 2024 14:57:37 -0400
Message-ID: <bb0dcf17-4ae6-7860-10c1-b0352ffa0bf9@taugh.com>
From: John R Levine <johnl@taugh.com>
To: dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/U6xEpW6cNuJaeC7AZPWTJ8lyj4A>

Now with Mike's tweak:

Add this to 11.1 Authentication Methods

Both of the email authentication methods that underlie DMARC provide some 
assurance that an email was transmitted by an MTA which is authorized to 
do so. SPF policies map domain names to sets of authorized MTAs [ref to 
RFC 7208, section 11.4]. Verified DKIM signatures indicate that an email 
was transmitted by an MTA with access to a private key that matches the 
published DKIM key record.

Whenever mail is sent, there is a risk that an overly permissive source 
may send mail that will receive a DMARC pass result that was not, in fact, 
intended by the Domain Owner. These results may lead to issues when 
systems interpret DMARC pass results to indicate a message is in some way 
authentic. They also allow such unauthorized senders to evade the Domain 
Owner's intended message handling for authentication failures.

To avoid this risk one must ensure that no unauthorized source can add 
DKIM signatures to the domain's mail or transmit mail which will evaluate 
as SPF pass. If, nonetheless, a Domain Owner wishes to include a 
permissive source in a domain's SPF record, the source can be excluded 
from DMARC consideration by using the '?' qualifier on the SPF record 
mechanism associated with that source.


R's,
John
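As an added illustration of the '?' qualifier advice above (example code, not part of the post or of DMARCbis), the following minimal check_host() subset shows why a permissive include behind '?' no longer yields the SPF pass that DMARC would count. The domain names and TXT records are constructed for the example.

```python
import ipaddress

# Constructed DNS table with hypothetical domains. "permissive.example" includes a
# bulk sender with the default '+' qualifier; "example.com" uses the '?' qualifier.
DNS_TXT = {
    "permissive.example": "v=spf1 ip4:192.0.2.0/24 include:bulksender.example -all",
    "example.com": "v=spf1 ip4:192.0.2.0/24 ?include:bulksender.example -all",
    "bulksender.example": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0):
    """Subset of RFC 7208 check_host(): ip4, include and all, with qualifiers."""
    if depth > 10:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # include matches only when the referenced record returns pass
            # (RFC 7208 section 5.2); the include's own qualifier then decides.
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # unsupported mechanism in this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_spf_identifier(spf_result, mail_from_domain, from_domain):
    """DMARC counts SPF only on an explicit 'pass' whose MAIL FROM domain aligns
    (relaxed alignment) with the RFC5322.From domain; neutral does not count."""
    aligned = (mail_from_domain == from_domain
               or mail_from_domain.endswith("." + from_domain))
    return spf_result == "pass" and aligned
```

Mail from the bulk sender's address space passes SPF for permissive.example but only reaches neutral for example.com, so it cannot produce a DMARC pass via SPF there.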