IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 22 October 2022 13:50 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E03FC14CF1D for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 06:50:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ddw8CyKBPqqG for <dmarc@ietfa.amsl.com>; Sat, 22 Oct 2022 06:50:50 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F9D3C14CF1C for <dmarc@ietf.org>; Sat, 22 Oct 2022 06:50:50 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id n23so4457410ljc.3 for <dmarc@ietf.org>; Sat, 22 Oct 2022 06:50:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=16B4HARrPh5nDERWam5Uzc04MviOJFlJm3JiRuKh2Cc=; b=b+2znDdaZSPVdKZiDJZt3zKRd1F6XYA5795d+6vbeDRU/vHoNx9yurOrAhdf0j9PFF BPYq4tBu/XzU5Y/9rc3gNEzGyrCq4MG/FgS+VU1vT9ShSHJVPNhxFwZTWn7BNvLFOXaE nHoUJRMq8+u43UCC66neCjwwxeJpFoQ455uYMAScIk4zG65SPD9el27ymZdzA5BBchqW bzDaSwa2WDCLhrEhj+tqy/lggcpFZBMLr+BZYsbV6dx0rvxe70xt4z7aenjHCTlM5otz 7ddk6NbpnFjqpaLJcdcxHDuuRShab53SKzYDTMBrgPwvSwgbap6KK4/dl9OnMiiiztql GWSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=16B4HARrPh5nDERWam5Uzc04MviOJFlJm3JiRuKh2Cc=; b=jUEfrxV8tP+bnE9YOH/pePCZdrRJQiTZMvxctBA8qa48K+6iJGzT2npTtdYanp+wyR zL+GPsZVohIupLy6jkxmpkEeAK922CZ7x6NWiS0nZExrB8YriSgb6pm2LawQReThO/mM 9+gv9QEY/ZpN1Wrn23qgwK7rVlHbaa24+WxxvL+SGsSdxDUMGth8cusiWx7ym8AgfaUp ydc7lwV2cxPSPQuX9GyVhlyvxAVWtGvV9kAdsMGNzQeX0+fWOPUVmWzNRikc8CRlRg1E ltmWkunTC3WxVDrXSDYvRNq1xm1dxovYQQeb5gShOWvOCTPehnJzagOjD+XRNNUl0mzT ZlkA==
X-Gm-Message-State: ACrzQf0lHlelwC3f9oriVJOWVJOIFvuWXEvQtYPKdUT6eYxrLM9lkWv0 FlUQMlIBOP+QOxk3MGHgxBiKiXr+xz0KIescT/A=
X-Google-Smtp-Source: AMsMyM67fqc2b44fQ6UD62FHiTeFGVPtfpZGoTspFa9G/aCEdnmPOfnW/HJrb62rZa8TyJgtsJQXj+/ZJHeXKBIc7LM=
X-Received: by 2002:a05:651c:1954:b0:26f:e9d7:1650 with SMTP id bs20-20020a05651c195400b0026fe9d71650mr8365703ljb.140.1666446648266; Sat, 22 Oct 2022 06:50:48 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com> <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com>
In-Reply-To: <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sat, 22 Oct 2022 09:50:37 -0400
Message-ID: <CAH48ZfxHzEHRGW-Omkj_HotO6kSdUByxhJstQTWn5hpOapYaRQ@mail.gmail.com>
To: Dotzero <dotzero@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000081d1d505eb9fd872"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UX_8UgrkgVVwqnawVpFMt8Myo30>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Oct 2022 13:50:51 -0000

Yes, it could have multiple causes.

  I was just trying to elucidate a reason why unaligned signatures are
needed.

Instead I conclude that one best aligned signature is all that is needed
for reporting.  Not 100, not 10, just 1.

Doug

On Sat, Oct 22, 2022, 7:43 AM Dotzero <dotzero@gmail.com> wrote:

> " 3) A signature has been compromised and an unauthorized source is
> sending authenticated mail.  SPF FAIL with DMARC PASS provides the alarm
> trigger."
>
> This is incorrect. SPF FAIL with DMARC PASS can simply be an indirect mail
> flow. It might also be an incorrectly configured SPF record.
>
> Michael Hammer
>
> On Fri, Oct 21, 2022 at 5:57 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> I remain unconvinced.   Mail is nearly free to the sender, but expensive
>> and risky for the recipient and his organization.   Anything unwanted
>> message that gets through the spam filter consumes a person's time, which
>> is a non-trivial opportunity cost.   Asking me to accept extra cost to
>> provide "nice to have" data is too much.
>>
>> Your first scenario is mostly about what an evaluator can do.  I think
>> there is an opportunity and need to discuss all the ways that an evaluator
>> can obtain acceptable authentication on a message that fails SPF or DKIM,
>> but the chairs have been clear that doing so is "not DMARC" and out of
>> scope.    I don't see is how the aggregate report contents facilitate or
>> hinder your un-munging algorithm.
>>
>> I am not a mass mailer with a complicated identity structure, so I am
>> willing to be educated about the wonderful things that can be learned from
>> aggregate reports.   Based on my current knowledge, the use cases seem few,
>> and do not need unaligned results.
>>
>> 1) A server is sending legitimate mail and is correctly configured with
>> both SPF and DKIM.   The feedback from non-forwarded recipients confirms
>> this fact.
>>
>> 2) A server is sending legitimate mail on behalf of the domain owner, but
>> has a configuration error:  no signature, invalid signature, or using a
>> server not in SPF record.    SPF results from non-forwarded recipients will
>> identify the problem so that it can be corrected.
>>
>> 3) A signature has been compromised and an unauthorized source is sending
>> authenticated mail.  SPF FAIL with DMARC PASS provides the alarm trigger.
>>
>> 4) A server is using a delegated signature for an unauthorized purpose.
>>  Nothing in the reports is likely to indicate this problem.   If it is
>> detected from other sources, the correction involves revoking the public
>> key and terminating the offending organization.
>>
>> 5) Some mail is failing authentication after forwarding without MailFrom
>> rewrite or forwarding with changes.    The IP address and MailFrom address
>> help to identify the problem but the domain owner has no ability to correct
>> the problem.   He can use p=none to limit the consequences.
>>
>> 6) Some mail is failing authentication because it originates from an
>> illegitimate source.      The IP address and MailFrom address help to
>> identify the problem but the domain owner has no ability to correct the
>> problem.   He can use p=reject to limit the consequences.
>>
>> Case 5 and Case 6 are distinguishable only by the reputation of the
>> server or Mail>From address.   Malicious senders are unlikely to add a
>> signature to prove their identity, so perhaps a signature suggests case 5
>> rather than case 6.   But a competent forwarder will be doing MailFrom
>> rewrite, so the forwarder identity will be present whether a signature is
>> added or not.
>>
>> These use cases do not deal with authentication failures after multiple
>> forwards.   An abundance of signature data might allow the domain owner to
>> reconstruct the forwarding path, but is that something he needs to do,?   I
>> don't think so.
>>
>> As for the duplicate signature issue, my rule would detect support for
>> the new signature algorithm if it appears first.
>>
>> I would be happy to hear a case summary which indicates how a real
>> problem was solved, and was only solvable using non-aligned results.
>>
>> Doug Foster
>>
>>
>>
>> On Fri, Oct 21, 2022 at 4:11 AM Alessandro Vesely <vesely@tana.it> wrote:
>>
>>> On Fri 21/Oct/2022 00:53:56 +0200 Douglas Foster wrote:
>>> >
>>> > Aligned DKIM PASS
>>> > When an aligned DKIM result is PASS, I don't see that the domain owner
>>> needs
>>> > any more data collection performed.   The verifiable DKIM scope ID
>>> should tell
>>> > him where the message originated, and the source IP and HELO name tell
>>> the last
>>> > place it landed before delivery.    I cannot see why a domain owner
>>> would spend
>>> > a lot of time trying to analyze success results, unless his interests
>>> have
>>> > transitioned from assuring identity to analyzing marketing impacts.
>>>  We are
>>> > not trying to provide marketing data, and any successful use of DMARC
>>> for that
>>> > purpose seems like an encroachment on the privacy concerns that we
>>> want to
>>> > minimize.
>>>
>>>
>>> Non-aligned signatures can be meaningful for various reasons.  In that
>>> case,
>>> the result of their evaluation is also meaningful.  For an example, the
>>> original author's domain signature, before From: was munged, is
>>> meaningful.  If
>>> it fails, it can be retried after undoing MLM transformation, possibly
>>> leading
>>> to secure recognition of the true author.  Is that worth its carbon
>>> footprint?
>>>
>>> And for scope, one may wonder whether the recognized, or failed to be
>>> securely
>>> recognized original author's domain deserves a copy of the report.
>>> People
>>> prone to set p=quarantine; pct=0 in order to avoid receiving "errors"
>>> would
>>> clearly dislike a copy of the report.  Others may want it, in order to
>>> tune
>>> their DKIM signing configuration.
>>>
>>>
>>> > Duplicates:
>>> > If an aligned domain has multiple DKIM signatures and one passes, I
>>> suggest
>>> > that the PASS is the only one that needs to be reported.  If an
>>> aligned domain
>>> > has multiple DKIM signatures and none pass, I suggest that the first
>>> one found
>>> > (from the top) is the most important, because it is the last one
>>> applied.   If
>>> > duplicates are reported, disaggregation is increased, so why report
>>> data that
>>> > is not useful?
>>>
>>>
>>> Currently, putting 2 signatures, one rsa and one ed25519, is the way to
>>> monitor
>>> who supports the latter.
>>>
>>>
>>> Best
>>> Ale
>>> --
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> dmarc mailing list
>>> dmarc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email