IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 29 March 2023 02:05 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0F80C151552 for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 19:05:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymsOSmPWMkBK for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 19:05:25 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B73BAC14F748 for <dmarc@ietf.org>; Tue, 28 Mar 2023 19:05:25 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id h25so18243303lfv.6 for <dmarc@ietf.org>; Tue, 28 Mar 2023 19:05:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680055523; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=/KM4UuR4MH1fskaGUOWKaA+KP/6B3peYTWxAvBX/wV4=; b=Kes0g/qbQqGsj1XJw5M88P5WHmuh1jn7Kq+cVSG/FI7H0rpr7FNB5v4H15KRVSSL+o y87FhehDwT5XuidlNTPhWOP7eFC89aYO6xDcohGSQeKAZKHWfnloFGS9KedNvKXYZaQS uaVFLWv78XsX9kt+rQOXwxdjacyOgHXVFQixXIqKZdr3sQAIAeh1Etal0QuUS6O9HNan aSDxJMm0VsNSbSYLRvbik6QyKfm1LQp4mafaagLu5vke18O5Xyqb5pTHLYtbmZEH1Pss Kq8R6SnbRGamrzjaGV53fujmOPiMbRXGsZYHmvzWdB6pnG8rWKo7FiQkYf69LRBvjDoz r3xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680055523; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=/KM4UuR4MH1fskaGUOWKaA+KP/6B3peYTWxAvBX/wV4=; b=sSMJENzf8GTyG+j1P79Vm9/xbwcKIJd8zEHuX0LgzD1CSsAgJCUl+YNHMCS1veHFNi tvoJWE+pmaFUypoz41SrbtzIyyk9GOT8HOC/pLTSR5VnFOtywhFNxmb8rAiDq7gUFmfO Kb6g+W8MqhFAh6Ky8FbhMz+rW1fKmBaXqXzTqJjT0Yc0YIoxUmVz/eKLd4jpr1UAvrY6 sgpplInWCljqV7hh5J7QbOXpcMdZn4XFlpeEn2YEn6GX34CoIwFmrzBhbpA0KXxBRi33 3E184LQA916yaMaRkPnqVnQqDvYIrLLFz1Bd22xgWlUTffKeybGOmBvSJc5l/ya39qOe NJFw==
X-Gm-Message-State: AAQBX9cy5txyP5zbP7ZqOLsBiblfMblpS22VkdYkWMLZaTFVP2cTOoS+ /Fpvd7+hUX2sfNh4JC7fhO35OCtKxFUepvlmE6d/bEY7
X-Google-Smtp-Source: AKy350YCdDj4H0/HzR/bhOtKwCB74j19xqWOZecorhNFY/+crNM2Y/1q1jgsIc+4V5DeWP+24yaPXOqwFfH2e9z/rE4=
X-Received: by 2002:ac2:4a84:0:b0:4db:2425:5d11 with SMTP id l4-20020ac24a84000000b004db24255d11mr5038002lfp.5.1680055523272; Tue, 28 Mar 2023 19:05:23 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com>
In-Reply-To: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Tue, 28 Mar 2023 22:05:12 -0400
Message-ID: <CAH48Zfy3PSVDAW2gYc78Hh1+5gth-Sg6m3U8YenJ+ehMMYJrJw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aaeb7305f800682f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UiAoFRJy2fCvw4SWIQgjZQROnyQ>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 02:05:29 -0000

Are we trying to define a protocol that evaluators can follow automatically
without ever making any mistakes?   I am not.

It is simply wrong to assume that changes-in-transit are the only cause of
DMARC Fail on acceptable messages.    If you work with a mailstream, you
should be aware of these other causes, which are probably more important,
because they have universal applicability:

   - Benevolent impersonation by trusted entities
   - Overzealous implementation of DMARC before all messages have DKIM
   signature
   - Software errors that cause outbound signatures to be missing or
   unverifiable (a variant of the previous)

If we say, "DMARC should only be implemented by domains where FAIL will
never occur on an acceptable message", then there are few domains that can
use DMARC, and the value of the protocol vanishes.

If DMARC FAIL could actually mean that a message source is certainly
malicious, then the necessary response is much more than blocking one
message.   A competent administrator must block all messages from a source
known to be malicious.    It would be reckless to reject malicious
impersonations while accepting malicious messages that are not
impersonations.   But recklessly blocking message sources based on an
automated DMARC FAIL would multiply the mistakes.

The flip side of this topic is an implicit assumption that acceptable
p=none messages will never be discarded because the evaluator will not
enforce authentication.   Similarly, an assumption that No Policy messages
will never be discarded because the evaluator cannot enforce
authentication.   The domain owner does not eliminate risks by avoiding
DMARC, he merely chooses different risks.

For the current topic, we need language that says simply:
- Evaluators need to be cautious about blocking messages exclusively on
DMARC results, as acceptable messages may be blocked sometimes.
and
- Domain owners need to be cautious when setting DMARC policy to reject,
because acceptable messages may not appear authenticated when they are
received by the evaluator, and some evaluators may block on DMARC results
alone..

The evaluator is the most important part of the DMARC process.   If we want
optimal results, we need to give him the guidance needed to make optimal
decisions.

Doug Foster



On Tue, Mar 28, 2023 at 4:15 AM Barry Leiba <barryleiba@computer.org> wrote:

> I raised this issue in the DMARC session in Vienna, and have let it
> sit for a while so as not to derail other discussion.  As we're pretty
> close to finished with the DMARCbis document, I'd like to raise it
> again, this time with specific proposed text for us to discuss.
>
> And so:
>
> OLD
>
>    5.5.6.  Decide If and When to Update DMARC Policy
>
>    Once the Domain Owner is satisfied that it is properly authenticating
>    all of its mail, then it is time to decide if it is appropriate to
>    change the p= value in its DMARC record to p=quarantine or p=reject.
>    Depending on its cadence for sending mail, it may take many months of
>    consuming DMARC aggregate reports before a Domain Owner reaches the
>    point where it is sure that it is properly authenticating all of its
>    mail, and the decision on which p= value to use will depend on its
>    needs.
>
> NEW
>
>    5.5.6.  Decide If and When to Update DMARC Policy
>
>    Once the Domain Owner is satisfied that it is properly authenticating
>    all of its mail, then it is time to decide if it is appropriate to
>    change the p= value in its DMARC record to p=quarantine or p=reject.
>    Depending on its cadence for sending mail, it may take many months of
>    consuming DMARC aggregate reports before a Domain Owner reaches the
>    point where it is sure that it is properly authenticating all of its
>    mail, and the decision on which p= value to use will depend on its
>    needs.
>
>    It is important to understand that many domains may never use
>    policies of “quarantine” or “reject”, and that these policies are
>    intended not as goals, but as policies available for use when they
>    are appropriate.  In particular, “reject” is not intended for
>    deployment in domains with users who send routine email, and its
>    deployment in such domains can disrupt indirect mail flows and cause
>    damage to operation of mailing lists and other forwarding services.
>    This is discussed in [RFC7960] and in Section 5.8, below.  The
>    “reject” policy is best reserved for domains that send only
>    transactional email that is not intended to be posted to mailing
>    lists.
>
>    To be explicitly clear: domains used for general-purpose email MUST
>    NOT deploy a DMARC policy of p=reject.
>
> END
>
> I'm well aware that the MUST will *not* be followed by everyone, and
> that some domain owners will feel that they need to use p=reject,
> regardless.  I think that's fine: the standard should specify what's
> right for interoperability, and I believe that improper use of
> p=reject is extremely harmful to interoperability... so "MUST" is
> correct here.  And no one will be arrested or fined for choosing not
> to follow it.  We should still say it, nonetheless.
>
> OK, have at it.
>
> Barry
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email