IETF Logo Mail Archive

Re: [dmarc-ietf] third party authorization, not, was non-mailing list

Brandon Long <blong@google.com> Thu, 20 August 2020 21:01 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51CFC3A1415 for <dmarc@ietfa.amsl.com>; Thu, 20 Aug 2020 14:01:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cYNwikWnkX5Q for <dmarc@ietfa.amsl.com>; Thu, 20 Aug 2020 14:01:08 -0700 (PDT)
Received: from mail-io1-xd36.google.com (mail-io1-xd36.google.com [IPv6:2607:f8b0:4864:20::d36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 58E793A1414 for <dmarc@ietf.org>; Thu, 20 Aug 2020 14:01:08 -0700 (PDT)
Received: by mail-io1-xd36.google.com with SMTP id u126so3611388iod.12 for <dmarc@ietf.org>; Thu, 20 Aug 2020 14:01:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=sP6A1R9UdhHc5mlM6ulRXdXDWogVmVKTfhBTT/Tuqrg=; b=ppcVn/EuLFzLy4uMIaRkDWwA4FnOIXMqf8OURREf2YGzcXWWdj25TcwTbl5N1b73iL kAQftJlCv9Ph/KwwSfNSY96JTj1j/mG8e+B+hQZKdxbvARa61rFyAk5/1b4g+ZCIsEG7 itExMj9AmoSC7HQULsvhs9kpydGcFWHVbYkW0Oz8A1dZ96ph+R9+5DRciRdnw7i+De0O 66EQuFs7Zs8RIJE+2SYQP7u1NRD64NBFnmW6QAuyr/8+irfrbtaSfYSznOFVkZsuTJ3n Fbu+CO58b/FX0wBVi1B6jkQNtv74OmlfZnC8TOouW+Zc2kCBVDprqERBcnJY6ud3l0fL NsMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=sP6A1R9UdhHc5mlM6ulRXdXDWogVmVKTfhBTT/Tuqrg=; b=EUkQ+eOxfWGHRmd1i2H+aflzsDGmOkuh7JnF7gs/PQ+zn74YQC1SbVRW1IiFtHn6tk 9BcIAmyNhhIrrdsEk8DEnJ4bBt5Xc+GfKYKwbt4H5j8hjxlxFOgvlUV4wQixKwQvktIK WKh4GUMlzK291JeQiJBDHZLa97YByZzlg76yMHWG3neDTPOZ4yPf+7IvBvc1/wT5rsqC 1iBj0rUL4SglF+fCBCnabD7kRPFvUk/Ed55j8tcTO9M+hBzDO6nxyJTEl7x9fmg9Zj87 19lQtk0VH8+EaQw/N4+RlAhecpObWFpiDO3BBeesT2ZzICfWF6ZfsHHJ6koFJcdDE0jr 7gvw==
X-Gm-Message-State: AOAM532tbZvUjHA3MGfCsjnsbz8h+cGoFz7pR51MqVywJvGe/31ZkYJ8 AgdPfebRZZPmm8TdjcYe1u2bQ6cvoWP57HS4MTBHLnCReA==
X-Google-Smtp-Source: ABdhPJzs51580srElMzHn+sAKpflU/qx5x/rYdFs0z9nSJym26m8VAfH3soBEe4tqcePQBXvX0oK0wBFMr2IDcf5h90=
X-Received: by 2002:a5e:9601:: with SMTP id a1mr56198ioq.179.1597957266956; Thu, 20 Aug 2020 14:01:06 -0700 (PDT)
MIME-Version: 1.0
References: <20200810172411.A13681E7CD8B@ary.local> <7e9326fc-ae27-d4bd-9f2b-9896da8320f1@dcrocker.net> <CAL0qLwacyBbJscEM_a4-nvugO0HBaSAdPqUPkfYYOOb++cOjQQ@mail.gmail.com> <5F396A77.3000109@isdg.net> <CAL0qLwYaqsU-U8yTcr5_cw0LmEomz8JbqUXuWNJ-bnkN6ceXyA@mail.gmail.com> <21110e7f-ea60-66d6-c2fb-65b716a049a9@tana.it> <CABuGu1qdZdXBSsAwCvk4244szskz6Pf9x83kRUGd8jHDafEMGQ@mail.gmail.com> <CAL0qLwYY8ZWq4k3wobOgSJSVnabsefPRiCtcVPrb_iF1JEUZag@mail.gmail.com> <5d4e48f86ca7479ab4889ddff57a2870@bayviewphysicians.com> <6c7c2ad9-8a7e-e44c-6b2f-559129f70a9d@tana.it> <CAL0qLwb-SG-dsNkiiGtYkUz_AwsZSd6f5cKFX07Kzme5iXoZJA@mail.gmail.com> <F37D57E3-C55B-41EB-B4BE-328E40F73E81@eudaemon.net>
In-Reply-To: <F37D57E3-C55B-41EB-B4BE-328E40F73E81@eudaemon.net>
From: Brandon Long <blong@google.com>
Date: Thu, 20 Aug 2020 14:00:53 -0700
Message-ID: <CABa8R6sUoyaa8sMJVOCnUUuH=g--2PSNQ-eLhVuW5NorzcQvqA@mail.gmail.com>
To: Tim Draegen <tim@eudaemon.net>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, IETF DMARC WG <dmarc@ietf.org>, Alessandro Vesely <vesely@tana.it>
Content-Type: multipart/alternative; boundary="00000000000044432605ad556beb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UOMTzfpxpemaXP0YLrIfVLQWO4s>
Subject: Re: [dmarc-ietf] third party authorization, not, was non-mailing list
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 21:01:10 -0000

On Thu, Aug 20, 2020 at 1:36 PM Tim Draegen <tim@eudaemon.net> wrote:

> On Aug 20, 2020, at 2:16 PM, Murray S. Kucherawy <superuser@gmail.com>
> wrote:
>
> On Thu, Aug 20, 2020 at 1:59 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> I am wondering whether companies like Dmarcian could implement third-pary
>> whitelisting.  As they receive and analyze DMARC aggregate reports on
>> behalf of many mail sites, they probably are able to distinguish various
>> level of authentication failures, from mailing lists to misaligned ESPs, to
>> actual abusers.  In that case, they could maintain a whitelist tailored for
>> any given client.  The client would set, say:
>>
>> _dmarc.client.domain.example IN TXT "v=DMARC1; rua=mailto:
>> client-id@ag.dmarcian.com; snd=client-id.rhswl.dmarcian.com; [...]"
>> [...]
>>
>
> Having spent a lot of time and energy building a DKIM-based reputation
> system that (IMHO) showed promise, I made it available for people to try
> for free.  There was no uptake, even after presenting its promising results
> in places like M3AAWG.  Times may have changed, but in retrospect I think
> there are too many "what-ifs" for add-ons of this nature to be seen as
> feasible.  The issues seem to be:
>
>
> Hi MSK, hi Ale,
>
> I can second that MSK's DKIM-based reputation system is amazing. From
> where I sit, it's like a flying saucer that humans just haven't figured out
> how to fuel quite yet. I believe that fuel comes from widespread adoption
> of domain-based email authentication aka DMARC. The challenge of getting
> the email universe to embrace something like DMARC feels at times
> impossible, but the fact is it just takes a lot of coordination,
> dedication, and consistent levels of exercise to stay sane.
>
> That said, Ale, I like the idea of a Domain Owner being able to share some
> sort of exception list for email flows that are recognized by the Domain
> Owner, but are still (for various reasons) beyond the ability of the Domain
> Owner to address. Something like, "I've got a vendor that will never send
> DMARC-compliant email on my behalf". It appeals to my fondness to be able
> to Just Fix Things without having to bother anyone. I don't think it would
> work, though, because it relies on email receivers having to widely
> implement new stuff, and it relies on Domain Owners accurately maintaining
> another thing. It's easier and more effective to get the vendor to do the
> right thing.
>
> Oh, on 2nd read (I've been consumed with the non-IETF world for a few
> months and only took this up because Ale emailed me at work).. I think
> keying off of "Sender:" is a really bad idea. Multiple policy keys into a
> single piece of email has never made sense.
> Third party authorization makes sense to me in theory as a tool for a very
> specific problem. In practice, people and organizations struggle to get
> first party authorization into place. Once they start to tackle their own
> first party authorization, the need for third party authorization tends to
> evaporate. What's left over? People that want to put together a list of
> authorized third parties but aren't quite ready to do their own first party
> auth?
>
> From a receiver's perspective, it then looks like the first party has no
> idea what it is doing (which is the default anti-spam stance for all
> Internet mail), so then the receiver is now looking at a bunch of factors
> unrelated to first-party auth.. including any third party authorization.
> EG, the receiver notes that the email is authorized by a third-party - a
> newsletter company. "First party" authorization is NOT established, so the
> receiver has to process the email based on the strength of the newsletter
> company's reputation (among other things). So then why bother at all with
> the construct of "third party authorization"?
>
> So I guess put me in the camp of not seeing utility in third party
> authorizations. Better to make the work that needs to be done as clear and
> as simple as possible.
>

I tend to agree with the negative stance on third party auth, but SPF
obviously has the include: statement which is third party auth at the most
basic level...
atps[1] is the obvious equivalent for DKIM.  I don't know if atps failed
because it wasn't all that useful, or if it was tied in folks minds to
adps, or the failure of the follow-on reputation system stuff..

Neither atps or spf include are really designed for large scale usage
across thousands of "relays" etc, and I don't think they should be used for
that, but for a bunch of small to medium entities, it could be the thing
that makes higher p= possible.

Brandon

[1] I just looked atps again, but I might have missed something that makes
it less useful

v2.23.0 | Report a Bug | By Email