IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC editorial review of draft-ietf-dmarc-dmarcbis-30

Douglas Foster <dougfoster.emailstandards@gmail.com> Sun, 31 March 2024 12:22 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F46C14F700 for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 05:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wc4_cu0HJvc5 for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 05:22:16 -0700 (PDT)
Received: from mail-lj1-x234.google.com (mail-lj1-x234.google.com [IPv6:2a00:1450:4864:20::234]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89D2AC14F6F5 for <dmarc@ietf.org>; Sun, 31 Mar 2024 05:22:16 -0700 (PDT)
Received: by mail-lj1-x234.google.com with SMTP id 38308e7fff4ca-2d4360ab3daso41041521fa.3 for <dmarc@ietf.org>; Sun, 31 Mar 2024 05:22:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711887734; x=1712492534; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=k1mx8htMu3b3wcEFU3T6bbNd49mdKA+wSclelU/PGyE=; b=cznLnrAzgsK9QpWr0GEMbHh1zp8oIz+2UvhbufjqCwxSjoL/6GPpdkgk1TPcp1E9BA l7JAI7mvgLs/y96MTAz6uuM/nhyShl8WykDmLlhLWY35dy3Djw4Mr0WDuOkI9qwpGIQx EY4KX4LfFui4Xvp9gbszT0iKznERi95eRKGAzoGPwnVbdR8RmHExYsR+sLAugq/ELbHQ Pn2Ii7TVAKxCRmejK6Lt+Uvza3zBPed5P6wOk11xp4ccFfMmH64l87XJ4N1uzbwP0ati Yp211j/MZh8hyBCoP5Gm7N5XNEQVaOnWY6J2q1K5C8qXIxfCdr0CJCOqG1y/tepwpl0F 2O+A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711887734; x=1712492534; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=k1mx8htMu3b3wcEFU3T6bbNd49mdKA+wSclelU/PGyE=; b=N1xfCTZHU53TGJne0x4QVcihvwSIF9VaNPByzpLnXhy3tfhD/kTxW+6McX9hKlW1ZL QLju90x9dUf+AeD3gq7j3o5fVidUJ8z3jdybvgZZsi4enONI+/34xEaOHOKiCqXCNGTO Y53IcQqnYrApIadbmzZSGfW3/6i3VeFxmSEY5iAOyFBqaCUpGGSmVXuAJnYeHXRXiyHQ fRLNXpS6tBqOdmMIW9FCeDVB396xGMsDlr2J9h5FudrNQBHtyKoz64xWvPD4rLTNB3Hi mxEgbjrpv1U4fhpLSFQCtbici+5/WCJ7mUWY5j7DWBT7JQO3N4fkcztiokurb+BKuozu rp2g==
X-Gm-Message-State: AOJu0YxvNRsDRHHqfEuzAu63RFk5SAfdIFSoBMTnGC71pyqozvYXax/Z SaGKw5se9ApKiPgqXyPUi5CLsQBGLyq4dqzzHG+HBN4EO9NFmn3BoviCEaaj9PEPm/pPT1Gfzsb in3W6jRXdCi0omgZh9TEjPAjtNRLZDbtq
X-Google-Smtp-Source: AGHT+IHJGni1H0b7Zhz4aWreLkwRCX7fKmEVr8h0lrAvOOBsykilUNvE6K0axdM+JBD8mJJBaBIRDa4GUxlBh3ND0wc=
X-Received: by 2002:a2e:9090:0:b0:2d4:5404:3e8e with SMTP id l16-20020a2e9090000000b002d454043e8emr3820289ljg.42.1711887734129; Sun, 31 Mar 2024 05:22:14 -0700 (PDT)
MIME-Version: 1.0
References: <CAOZAAfPwJHKGyLjTkdGDqkMeK4RQX4Fj0rw-Upn0cLZ+cE74aA@mail.gmail.com> <2cdd13ec-9d7f-4732-91ea-9c8983d7a28c@tana.it>
In-Reply-To: <2cdd13ec-9d7f-4732-91ea-9c8983d7a28c@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sun, 31 Mar 2024 08:22:04 -0400
Message-ID: <CAH48ZfzaNR2A6zUWVeeoay+UHLHTzja9f5RGfAt5htXd21C0KQ@mail.gmail.com>
To: Alessandro Vesely <vesely@tana.it>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000049cc8f0614f3ec10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VG7Cy-QwPdaHh86JQoiu8HRDWTU>
Subject: Re: [dmarc-ietf] WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 12:22:20 -0000

On SPF, our document should say simply,
" a DMARC-compliant evaluator MUST NOT reject a message, based on SPF
result, prior to receiving the Data section and checking for aligned and
verifiable signatures."

Of course, evaluators may still reject early base on known-bad server or
known-bad Mail From domain, but not based on SPF alone.

I weary of the notion that the solution to all authentication problems is
to stop authenticating.

DF


On Sun, Mar 31, 2024, 6:41 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Sat 30/Mar/2024 21:05:17 +0100 Seth Blank wrote:
> > This is a real operational problem, so I wanted to expand guidance. The
> note
> > about best practice may or may not be appropriate here, but I think it
> works.
> > There are multiple M3AAWG documents which cover this use case, and we
> can also
> > link them if valuable.
> >
> > [...]
> >
> > Since DMARC only relies on an SPF pass, all failures are treated
> equally.
> > Therefore, it is considered best practice when using SPF in a DMARC
> context
> > for domains that send email to end records with a soft fail ("~" /
> "~all").
>
> The last phrase is overly strict.  To /consider using/ soft fail ("~") or
> neutral ("?") should be enough.  For example, I use an SPF record
> terminating
> like so:
>
>     ?exists:%{ir}.list.dnswl.org -all
>
> It can be criticized for imposing DNS usage, but it works too.  One could
> also
> use ~include:vast.whitelist.example before -all; it would work as well.
>
> Using ~all is akin to use p=none.  Be armed but only load blanks.  Its
> being
> best practice bears witness to the weakness of domain based
> authentication.
> Currently we are in the mid of a swamp, but if we hope to ever get out we
> can
> start by softening these kind of requirements.
>
>
> Best
> Ale
> --
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email