IETF Logo Mail Archive

[dmarc-ietf] DMARC policy overrides

Franck Martin <fmartin@linkedin.com> Tue, 02 July 2013 18:44 UTC

Return-Path: <prvs=888df1167=fmartin@linkedin.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6FC0321F9B57 for <dmarc@ietfa.amsl.com>; Tue, 2 Jul 2013 11:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.965
X-Spam-Level:
X-Spam-Status: No, score=-5.965 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g0o4UBu0FF0o for <dmarc@ietfa.amsl.com>; Tue, 2 Jul 2013 11:44:40 -0700 (PDT)
Received: from esv4-mav05.corp.linkedin.com (esv4-mav05.corp.linkedin.com [69.28.149.81]) by ietfa.amsl.com (Postfix) with ESMTP id 8316D21F99A4 for <dmarc@ietf.org>; Tue, 2 Jul 2013 11:44:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linkedin.com; i=@linkedin.com; q=dns/txt; s=proddkim1024; t=1372790680; x=1404326680; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=C4Pna/sOvaajmpMt0EJkHHxGrTvZPLNd6oKvXANjFvs=; b=Dux6pMu1yfXQLLZXDp4U9KU+Pv/X83unVShaErsY5u1CxhpeBZyIEzmz EUoGGPytXYlGrzDMiDopc2999gZWWxf5wPRXnCaW6ZHHEz94PVChNeSp+ dcycDqFUDkx0QgIwkv4nzh8iqmgGx19YYlA8BdhJIg1LKe+Ej8CH9/7KL U=;
X-IronPort-AV: E=Sophos;i="4.87,982,1363158000"; d="scan'208";a="54519583"
Received: from ESV4-HT01.linkedin.biz (172.18.46.235) by esv4-cas01.linkedin.biz (172.18.46.140) with Microsoft SMTP Server (TLS) id 14.2.328.11; Tue, 2 Jul 2013 11:44:27 -0700
Received: from ESV4-MBX01.linkedin.biz ([fe80::d029:a1fa:62c4:2641]) by ESV4-HT01.linkedin.biz ([::1]) with mapi id 14.02.0328.009; Tue, 2 Jul 2013 11:44:27 -0700
From: Franck Martin <fmartin@linkedin.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: DMARC policy overrides
Thread-Index: AQHOd1Qt4G/x1dE5/0mSwEkA7nXYtQ==
Date: Tue, 02 Jul 2013 18:44:26 +0000
Message-ID: <77426B543150464AA3F30DF1A91365DE533DD678@ESV4-MBX01.linkedin.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.18.46.251]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C0F58A19C47C5646BE0915BB846B5DE8@linkedin.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [dmarc-ietf] DMARC policy overrides
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2013 18:44:44 -0000

"DMARC-compliant Mail Receivers SHOULD disregard any mail directive
   discovered as part of an authentication mechanism (e.g., ADSP, SPF)
   where a DMARC policy is also discovered that specifies a policy other
   than "none". {R7} To enable Domain Owners to receive DMARC feedback
   without impacting existing mail processing, discovered policies of
   "p=none" SHOULD NOT modify existing mail disposition processing.
   Note that some Mail Receivers may reject email based upon SPF policy
   mechanisms before email enters DMARC-specific processing.

   Mail Receivers SHOULD also implement reporting instructions of DMARC
   in place of any extensions to SPF or DKIM that might enable such
   reporting. {R10}"

As a sender I want certainty in the processing. The DMARC mechanism is of better strength than SPF alone, because it does SPF AND DKIM. However not everyone does DMARC on the receiving side, so there is still a need to publish a -all SPF policy for the receivers that are not yet on DMARC. If a sender does DMARC with p!=none this is because it has a (serious) spoofing problem.

With such SPF policy I don't want it to overrides DMARC, as DMARC is of more superior nature (this is my judgement otherwise I would not care about DMARC).

But to encourage adoption, and make transition smooth, when p=none, the email flow must not be affected by DMARC. DMARC is transparent to the email in that case, providing reports to allow you to put your mail in order.

The problem arises because SPF can be evaluated at the end of the RCPT TO phase, well before DKIM and therefore DMARC is evaluated. In practices, few enforces SPF policy and uses it later as a scoring mechanism like spamassassin do.

This is why in the text above there is a SHOULD, this brings constancy in the processing, but depending on the receiver infrastructure, then it certainly can deviate from ignoring SPF, but this is not the recommended practice.

Furthermore, for the aggregate reports to be accurate, they need to see all the emails, regardless of SPF policy. Once you implement DMARC as a receiver, you should move your SPF policy decision to the end of DATA, so you can make an accurate aggregate report. This will provide certainty on what will happen when the sender moves away from p=none policy.

A receiver can do what it wants, but the SHOULD above is common sense when you decide to do DMARC as a receiver. 

I think the text, could be more focused, and speak only of overriding only policies that use the same underlying authentication mechanisms, and this is only SPF, DKIM and ADSP. TLS to other scheme would not be affected.

v2.23.0 | Report a Bug | By Email