Re: [dmarc-ietf] ABNF errors on RFC7489 and dmarcbis-07

Todd Herr <todd.herr@valimail.com> Thu, 21 April 2022 16:43 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UEpXLLAtw7ZZTvtCwhipyJekQKk>

Hello, Olivier, and thank you for your email.

Per RFC 7489, dmarc-request isn't actually required for some valid DMARC
records.

I direct your attention to
https://datatracker.ietf.org/doc/html/rfc7489#section-7.1, Verifying
External Destinations, in which a third-party domain that is going to
receive reports for a different domain is directed to publish a DMARC
record that contains only "v=DMARC1;".


On Thu, Apr 21, 2022 at 11:40 AM Olivier Hureau <
olivier.hureau@univ-grenoble-alpes.fr> wrote:

> Hello,
>
> I am doing some research related to DMARC and I found some errors in the RFC7489 and dmarcbis-07 for ABNF rules
>
> - dmarc-percent RFC7489 :
> The rule 'dmarc-percent = "pct" *WSP "=" *WSP 1*3DIGIT' allows '999' as a value.
> A correction could be : 'dmarc-percent = "pct" *WSP "=" *WSP ("100" / 1*2DIGIT)'
>
> - dmarc-record RFC7489 :
> The rule 'dmarc-record = dmarc-version dmarc-sep
>                        [dmarc-request]
>                        [dmarc-sep dmarc-srequest]
>                        [dmarc-sep dmarc-auri]
>                        [dmarc-sep dmarc-furi]
>                        [dmarc-sep dmarc-adkim]
>                        [dmarc-sep dmarc-aspf]
>                        [dmarc-sep dmarc-ainterval]
>                        [dmarc-sep dmarc-fo]
>                        [dmarc-sep dmarc-rfmt]
>                        [dmarc-sep dmarc-percent]
>                        [dmarc-sep]'
> has dmarc-request as optional but in 6.3 it says that p is "required"
>
> Then I did take a look at draft-ietf-dmarc-dmarcbis-07 and the problem is still there :
>
> - dmarc-record dmarcbis-07 :
> 'dmarc-record    = dmarc-version dmarc-sep *(dmarc-tag dmarc-sep)
>  dmarc-tag       = dmarc-request /
>                        dmarc-test /
>                        dmarc-psd /
>                        dmarc-sprequest /
>                        dmarc-nprequest /
>                        dmarc-adkim /
>                        dmarc-aspf /
>                        dmarc-auri /
>                        dmarc-furi /
>                        dmarc-fo /
>                        dmarc-rfm'
>
> Should be replaced by :
>
> 'dmarc-record    = dmarc-version dmarc-sep dmarc-request dmarc-sep *(dmarc-tag dmarc-sep)
> dmarc-tag       =      dmarc-test /
>                        dmarc-psd /
>                        dmarc-sprequest /
>                        dmarc-nprequest /
>                        dmarc-adkim /
>                        dmarc-aspf /
>                        dmarc-auri /
>                        dmarc-furi /
>                        dmarc-fo /
>                        dmarc-rfm'
>
> Moreover, on rfc7489 the last "dmarc-sep" is optional meaning that for all txt records
> such as the one for gmail.com "v=DMARC1; p=none; sp=quarantine; rua=mailto:mailauth-reports@google.com" the system administrator
> must add a ";" at the end. To avoid this source of error I suggest to change the ABNF as :
> dmarc-record    = dmarc-version dmarc-sep dmarc-request *( dmarc-sep dmarc-tag ) [ dmarc-sep ]
>
> - dmarc-fo dmarcbis-07 :
> the rule '  dmarc-fo = "fo" *WSP "=" *WSP ( "0" / "1" / ( "d" / "s" / "d:s" / "s:d" ) )' does not allow the user to have both DMARC failure report
> and DKIM/SPF failure report at the same time as '0:d', '1:d' are not allowed.
>
> Best regards,
>
> Olivier HUREAU
> ---
> PhD Student
> Laboratoire Informatique Grenoble - UGA - Drakkar


-- 

*Todd Herr * | Technical Director, Standards and Ecosystem
*e:* todd.herr@valimail.com
*m:* 703.220.4153
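
A small record checker for the points raised in this thread, added here as an example (it is not code from RFC 7489, the draft, or either author). The names `pct_grammars`, `parse_tags`, `check_record` and the `external_destination` flag are hypothetical, and the `fo` pattern assumes any colon-separated mix of 0/1/d/s should be accepted.

```python
import re

# Value grammars transcribed from the ABNF quoted in the thread.
PCT_RFC7489 = re.compile(r"[0-9]{1,3}")        # 1*3DIGIT
PCT_PROPOSED = re.compile(r"100|[0-9]{1,2}")   # "100" / 1*2DIGIT
# Assumption: any colon-separated mix of 0/1/d/s, so "0:d" and "1:d" pass.
FO_LIST = re.compile(r"[01ds](\s*:\s*[01ds])*")

def pct_grammars(value):
    """Return (accepted by 1*3DIGIT, accepted by the proposed rule)."""
    return (bool(PCT_RFC7489.fullmatch(value)),
            bool(PCT_PROPOSED.fullmatch(value)))

def parse_tags(record):
    """Split a TXT value into (name, value) pairs; one trailing ';' is optional."""
    parts = [p.strip() for p in record.split(";")]
    if parts[-1] == "":
        parts.pop()
    tags = []
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"malformed tag: {part!r}")
        tags.append((name.strip(), value.strip()))
    return tags

def check_record(record, external_destination=False):
    """List problems in a DMARC record.

    external_destination=True models the RFC 7489 section 7.1 record,
    which may consist of the version tag alone.
    """
    try:
        tags = parse_tags(record)
    except ValueError as exc:
        return [str(exc)]
    if not tags or tags[0] != ("v", "DMARC1"):
        return ["first tag must be v=DMARC1"]
    values = dict(tags)
    problems = []
    if "p" not in values and not external_destination:
        problems.append("p missing")
    pct = values.get("pct")
    # The grammar check alone lets 999 through; the range check catches it.
    if pct is not None and (not PCT_RFC7489.fullmatch(pct) or int(pct) > 100):
        problems.append(f"pct={pct} outside 0-100")
    fo = values.get("fo")
    if fo is not None and not FO_LIST.fullmatch(fo):
        problems.append(f"fo={fo} not a list of 0/1/d/s")
    return problems
```
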