Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 22 October 2022 13:50 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E03FC14CF1D for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 06:50:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ddw8CyKBPqqG for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 06:50:50 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F9D3C14CF1C for <dmarc@ietf.org>; Sat, 22 Oct 2022 06:50:50 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id n23so4457410ljc.3 for <dmarc@ietf.org>; Sat, 22 Oct 2022 06:50:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=16B4HARrPh5nDERWam5Uzc04MviOJFlJm3JiRuKh2Cc=; b=b+2znDdaZSPVdKZiDJZt3zKRd1F6XYA5795d+6vbeDRU/vHoNx9yurOrAhdf0j9PFF BPYq4tBu/XzU5Y/9rc3gNEzGyrCq4MG/FgS+VU1vT9ShSHJVPNhxFwZTWn7BNvLFOXaE nHoUJRMq8+u43UCC66neCjwwxeJpFoQ455uYMAScIk4zG65SPD9el27ymZdzA5BBchqW bzDaSwa2WDCLhrEhj+tqy/lggcpFZBMLr+BZYsbV6dx0rvxe70xt4z7aenjHCTlM5otz 7ddk6NbpnFjqpaLJcdcxHDuuRShab53SKzYDTMBrgPwvSwgbap6KK4/dl9OnMiiiztql GWSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=16B4HARrPh5nDERWam5Uzc04MviOJFlJm3JiRuKh2Cc=; b=jUEfrxV8tP+bnE9YOH/pePCZdrRJQiTZMvxctBA8qa48K+6iJGzT2npTtdYanp+wyR zL+GPsZVohIupLy6jkxmpkEeAK922CZ7x6NWiS0nZExrB8YriSgb6pm2LawQReThO/mM 9+gv9QEY/ZpN1Wrn23qgwK7rVlHbaa24+WxxvL+SGsSdxDUMGth8cusiWx7ym8AgfaUp ydc7lwV2cxPSPQuX9GyVhlyvxAVWtGvV9kAdsMGNzQeX0+fWOPUVmWzNRikc8CRlRg1E ltmWkunTC3WxVDrXSDYvRNq1xm1dxovYQQeb5gShOWvOCTPehnJzagOjD+XRNNUl0mzT ZlkA==
X-Gm-Message-State: ACrzQf0lHlelwC3f9oriVJOWVJOIFvuWXEvQtYPKdUT6eYxrLM9lkWv0 FlUQMlIBOP+QOxk3MGHgxBiKiXr+xz0KIescT/A=
X-Google-Smtp-Source: AMsMyM67fqc2b44fQ6UD62FHiTeFGVPtfpZGoTspFa9G/aCEdnmPOfnW/HJrb62rZa8TyJgtsJQXj+/ZJHeXKBIc7LM=
X-Received: by 2002:a05:651c:1954:b0:26f:e9d7:1650 with SMTP id bs20-20020a05651c195400b0026fe9d71650mr8365703ljb.140.1666446648266; Sat, 22 Oct 2022 06:50:48 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com> <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com>
In-Reply-To: <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sat, 22 Oct 2022 09:50:37 -0400
Message-ID: <CAH48ZfxHzEHRGW-Omkj_HotO6kSdUByxhJstQTWn5hpOapYaRQ@mail.gmail.com>
To: Dotzero <dotzero@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000081d1d505eb9fd872"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UX_8UgrkgVVwqnawVpFMt8Myo30>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Oct 2022 13:50:51 -0000
Yes, it could have multiple causes. I was just trying to elucidate a reason why unaligned signatures are needed. Instead I conclude that one best aligned signature is all that is needed for reporting. Not 100, not 10, just 1. Doug On Sat, Oct 22, 2022, 7:43 AM Dotzero <dotzero@gmail.com> wrote: > " 3) A signature has been compromised and an unauthorized source is > sending authenticated mail. SPF FAIL with DMARC PASS provides the alarm > trigger." > > This is incorrect. SPF FAIL with DMARC PASS can simply be an indirect mail > flow. It might also be an incorrectly configured SPF record. > > Michael Hammer > > On Fri, Oct 21, 2022 at 5:57 PM Douglas Foster < > dougfoster.emailstandards@gmail.com> wrote: > >> I remain unconvinced. Mail is nearly free to the sender, but expensive >> and risky for the recipient and his organization. Anything unwanted >> message that gets through the spam filter consumes a person's time, which >> is a non-trivial opportunity cost. Asking me to accept extra cost to >> provide "nice to have" data is too much. >> >> Your first scenario is mostly about what an evaluator can do. I think >> there is an opportunity and need to discuss all the ways that an evaluator >> can obtain acceptable authentication on a message that fails SPF or DKIM, >> but the chairs have been clear that doing so is "not DMARC" and out of >> scope. I don't see is how the aggregate report contents facilitate or >> hinder your un-munging algorithm. >> >> I am not a mass mailer with a complicated identity structure, so I am >> willing to be educated about the wonderful things that can be learned from >> aggregate reports. Based on my current knowledge, the use cases seem few, >> and do not need unaligned results. >> >> 1) A server is sending legitimate mail and is correctly configured with >> both SPF and DKIM. The feedback from non-forwarded recipients confirms >> this fact. >> >> 2) A server is sending legitimate mail on behalf of the domain owner, but >> has a configuration error: no signature, invalid signature, or using a >> server not in SPF record. SPF results from non-forwarded recipients will >> identify the problem so that it can be corrected. >> >> 3) A signature has been compromised and an unauthorized source is sending >> authenticated mail. SPF FAIL with DMARC PASS provides the alarm trigger. >> >> 4) A server is using a delegated signature for an unauthorized purpose. >> Nothing in the reports is likely to indicate this problem. If it is >> detected from other sources, the correction involves revoking the public >> key and terminating the offending organization. >> >> 5) Some mail is failing authentication after forwarding without MailFrom >> rewrite or forwarding with changes. The IP address and MailFrom address >> help to identify the problem but the domain owner has no ability to correct >> the problem. He can use p=none to limit the consequences. >> >> 6) Some mail is failing authentication because it originates from an >> illegitimate source. The IP address and MailFrom address help to >> identify the problem but the domain owner has no ability to correct the >> problem. He can use p=reject to limit the consequences. >> >> Case 5 and Case 6 are distinguishable only by the reputation of the >> server or Mail>From address. Malicious senders are unlikely to add a >> signature to prove their identity, so perhaps a signature suggests case 5 >> rather than case 6. But a competent forwarder will be doing MailFrom >> rewrite, so the forwarder identity will be present whether a signature is >> added or not. >> >> These use cases do not deal with authentication failures after multiple >> forwards. An abundance of signature data might allow the domain owner to >> reconstruct the forwarding path, but is that something he needs to do,? I >> don't think so. >> >> As for the duplicate signature issue, my rule would detect support for >> the new signature algorithm if it appears first. >> >> I would be happy to hear a case summary which indicates how a real >> problem was solved, and was only solvable using non-aligned results. >> >> Doug Foster >> >> >> >> On Fri, Oct 21, 2022 at 4:11 AM Alessandro Vesely <vesely@tana.it> wrote: >> >>> On Fri 21/Oct/2022 00:53:56 +0200 Douglas Foster wrote: >>> > >>> > Aligned DKIM PASS >>> > When an aligned DKIM result is PASS, I don't see that the domain owner >>> needs >>> > any more data collection performed. The verifiable DKIM scope ID >>> should tell >>> > him where the message originated, and the source IP and HELO name tell >>> the last >>> > place it landed before delivery. I cannot see why a domain owner >>> would spend >>> > a lot of time trying to analyze success results, unless his interests >>> have >>> > transitioned from assuring identity to analyzing marketing impacts. >>> We are >>> > not trying to provide marketing data, and any successful use of DMARC >>> for that >>> > purpose seems like an encroachment on the privacy concerns that we >>> want to >>> > minimize. >>> >>> >>> Non-aligned signatures can be meaningful for various reasons. In that >>> case, >>> the result of their evaluation is also meaningful. For an example, the >>> original author's domain signature, before From: was munged, is >>> meaningful. If >>> it fails, it can be retried after undoing MLM transformation, possibly >>> leading >>> to secure recognition of the true author. Is that worth its carbon >>> footprint? >>> >>> And for scope, one may wonder whether the recognized, or failed to be >>> securely >>> recognized original author's domain deserves a copy of the report. >>> People >>> prone to set p=quarantine; pct=0 in order to avoid receiving "errors" >>> would >>> clearly dislike a copy of the report. Others may want it, in order to >>> tune >>> their DKIM signing configuration. >>> >>> >>> > Duplicates: >>> > If an aligned domain has multiple DKIM signatures and one passes, I >>> suggest >>> > that the PASS is the only one that needs to be reported. If an >>> aligned domain >>> > has multiple DKIM signatures and none pass, I suggest that the first >>> one found >>> > (from the top) is the most important, because it is the last one >>> applied. If >>> > duplicates are reported, disaggregation is increased, so why report >>> data that >>> > is not useful? >>> >>> >>> Currently, putting 2 signatures, one rsa and one ed25519, is the way to >>> monitor >>> who supports the latter. >>> >>> >>> Best >>> Ale >>> -- >>> >>> >>> >>> >>> >>> >>> >>> >>> _______________________________________________ >>> dmarc mailing list >>> dmarc@ietf.org >>> https://www.ietf.org/mailman/listinfo/dmarc >>> >> _______________________________________________ >> dmarc mailing list >> dmarc@ietf.org >> https://www.ietf.org/mailman/listinfo/dmarc >> > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] I-D Action: draft-ietf-dmarc-aggrega… internet-drafts
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-agg… Brotman, Alex
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-agg… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Todd Herr
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Brotman, Alex
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Barry Leiba
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Laura Atkins
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Neil Anuskiewicz
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Scott Kitterman
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Scott Kitterman
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Neil Anuskiewicz
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Neil Anuskiewicz
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Brotman, Alex
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Murray S. Kucherawy
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Dotzero
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Brotman, Alex
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Alessandro Vesely
- Re: [dmarc-ietf] Aggregate Reporting - "Not Evalu… Douglas Foster