[dmarc-ietf] Sender-supplied decision matrix for passing DMARC

"Brotman, Alex" <Alex_Brotman@comcast.com> Mon, 14 June 2021 17:09 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Date: Mon, 14 Jun 2021 17:09:38 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VcY1o01uPm3Aj4g2KZLtpKmLB0k>
Subject: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC

Hello,

I was talking to some folks about DMARC, and a question came up about how to suggest, as the domain holder, that your messages should always pass DKIM.  Effectively, the asker wants to say "I intend to deploy SPF and DKIM, but I will *always* sign my messages with DKIM."  So the obvious answer may be "Just only use DKIM", but I'm not sure that completely answers the question.  While discussing with someone else, "Tell me when DKIM fails, but SPF is fully aligned".  There was recently an incident at a provider where they were allowing any sender to send as any domain (and I'm aware that's not specifically a DMARC issue).  We all know brands that have just dumped in a pile of "include" statements without fully understanding the implications.  In this case, other users could send as other domains, but perhaps they would not have been DKIM signed.  Should there be a method by which a domain holder can say "We want all messages to have both, or be treated as a failure", or "We'll provide both, but DKIM is a must"?

From a receiver side, it makes evaluation more complex.  From a sender side, it gives them more control over what is considered pass/fail.

How does this look in practice?  Maybe "v=DMARC1;p=quarantine;rua=...;pm=dkim:must,spf:should;"
(pm=Policy Matrix)

Does this make everyone cringe, or perhaps worth a larger discussion?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
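
Added example, not part of the original message: a sketch of how a receiver might evaluate the proposed `pm` tag next to the current DMARC rule, where either an aligned SPF pass or an aligned DKIM pass is enough. The `pm` tag is only the proposal above; the semantics used here (`must` = that mechanism has to pass with alignment, `should` = a failure is noted but does not fail DMARC), the function names and the sample `rua` address are assumptions.

```python
# Sketch of receiver-side evaluation for the proposed (non-standard) "pm" tag.
# Assumed semantics: "must" = the mechanism has to pass with alignment;
# "should" = a failure is noted but does not by itself fail DMARC.

def parse_record(txt):
    """Split a DMARC TXT record into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def parse_pm(value):
    """Parse 'dkim:must,spf:should' into {'dkim': 'must', 'spf': 'should'}."""
    matrix = {}
    for item in value.split(","):
        mech, sep, level = item.strip().lower().partition(":")
        if not sep or mech not in ("dkim", "spf") or level not in ("must", "should"):
            raise ValueError(f"unrecognised pm entry: {item!r}")
        matrix[mech] = level
    return matrix

def evaluate(txt, spf_aligned, dkim_aligned):
    """Return (verdict, notes). Inputs are aligned-pass booleans per mechanism."""
    tags = parse_record(txt)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    results = {"spf": spf_aligned, "dkim": dkim_aligned}
    baseline = spf_aligned or dkim_aligned  # current rule: either one suffices
    if "pm" not in tags:
        return ("pass" if baseline else "fail"), []
    matrix = parse_pm(tags["pm"])
    # Notes cover the "tell me when DKIM fails but SPF is aligned" reporting case.
    notes = [f"{m}:{lvl} not satisfied" for m, lvl in matrix.items() if not results[m]]
    must_ok = all(results[m] for m, lvl in matrix.items() if lvl == "must")
    return ("pass" if baseline and must_ok else "fail"), notes

# Constructed record: the rua address is a placeholder; pm is the proposed tag.
RECORD = "v=DMARC1;p=quarantine;rua=mailto:reports@example.com;pm=dkim:must,spf:should;"

if __name__ == "__main__":
    for spf, dkim in [(True, True), (True, False), (False, True), (False, False)]:
        print(f"spf={spf} dkim={dkim} ->", evaluate(RECORD, spf, dkim))
```

The second case (SPF aligned, no valid DKIM signature) is the shared-provider scenario from the message: it passes under the current rule and fails under `dkim:must`.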