IETF Logo Mail Archive

[dmarc-ietf] Signaling MLMs

"Murray S. Kucherawy" <superuser@gmail.com> Wed, 12 April 2023 18:15 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA78AC15270B for <dmarc@ietfa.amsl.com>; Wed, 12 Apr 2023 11:15:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eGqPaWID0aF6 for <dmarc@ietfa.amsl.com>; Wed, 12 Apr 2023 11:15:59 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3452FC1524DD for <dmarc@ietf.org>; Wed, 12 Apr 2023 11:15:59 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id 4fb4d7f45d1cf-504fce3d7fbso668742a12.2 for <dmarc@ietf.org>; Wed, 12 Apr 2023 11:15:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681323356; x=1683915356; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=mJuravPreFymvoqozXJFh4NsZTVzxW8BDNTAIQSRNVg=; b=NbSrXptkgQEfk7EtnSr2HMwoEdaP9PFfQX2HhyFEzCOZnBq1eeRlEHBIoog54/7UtH 9AwOigvAv465VA9PNeGU3c6Smj2MTnAc/6cbpsX1udC85EMIT6qmnGLPUdSibt4ybPlg qqxSZY8R1ON/lYB1Bo+bu4ABqlkwHmWDyILWtwfmLh+UnROi/x8CYce+kdAJ9F6klpp9 ECug1u5Nxx6egbrwM+eTCWf3vIWaEtpHVGZ9U4sOzxB0ZpONsisyXdQ56a3vkH1ZgVUp YTlwRIz07Oq+w6rlgO2dkPUPkfCTPZlg0NJRSxLnhCUBATG8gvz+ZpeUhyuFjxCFNc+L ct2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681323356; x=1683915356; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=mJuravPreFymvoqozXJFh4NsZTVzxW8BDNTAIQSRNVg=; b=NVi/ytmHMunEmGPvZh/Hn32mMFxsDxCNh46qhTRsbdJNORxCqY9YUT4mkMAU6eQFOl kTAx7MiSLb4Z0AArLEAzDVybMqL7raUEK0xTu5SvWNUEnwu9cnhMiX4B5M4ATj81BLBB rWDMmmK7JWnLG1Ij4gnzcfDVkQAEY9PpHBMMSjN+m37Xej4gXZeVqaNOzY8gj7LKpz+f 6KSFYGhgxwoP04BTdNFZqdk7/i/NQfynXTfT3J1b839QU5OUcStPRK+BwOSzP0ERZBPn an5OtGDjnezk+OHiUFAc95/2aWAPgJKefbhyMl7OLUSjP6NKr2cFL5DAjczBYMzx9lec dn5Q==
X-Gm-Message-State: AAQBX9eo2HzhpThsKu5PLmtK74pGkPPOLeRkY9HIM2Y7oQy5Sjwe0bXf rPAAdnSoBOj+ECCaAxEblsMBiAYDfUuLUsWegh3p0q+AyWk=
X-Google-Smtp-Source: AKy350bW4RDe661Q/xvxaTh9NIQFuXEroIwCCtpdp4U3RFWibdHR4v6pA2nrk0R7Non9DmbniMsDHY0HYMOgga7iQms=
X-Received: by 2002:a50:951c:0:b0:506:34d8:c710 with SMTP id u28-20020a50951c000000b0050634d8c710mr185444eda.3.1681323356381; Wed, 12 Apr 2023 11:15:56 -0700 (PDT)
MIME-Version: 1.0
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Wed, 12 Apr 2023 11:15:44 -0700
Message-ID: <CAL0qLwZc2X7tyP+_8vvL3Yb7uJk6td3XGbsXUB68BNUEMhV4yQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000068e6eb05f927991f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/VkXMYR3YHwUNFhrlvI8dFZHrUR0>
Subject: [dmarc-ietf] Signaling MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Apr 2023 18:15:59 -0000

I've been thinking about the point a few people have made now that DMARC
has two actors that cause the problem: Those who "blindly" apply
"p=reject", and those who advertise "p=reject".  You do, indeed, need two
to tango; enforcement doesn't happen without an advertising sender and a
participating receiver.  Maybe any "MUST NOT" advice we provide needs to
cover both ends.  We need to be careful about admonishing participating
receivers though.  What would we say to them about how to be selective in
application?

We've talked about having signal from the enforcing receivers back to the
MLM that the bounce occurred because of DMARC, but we haven't seen much
uptake of that idea for various reasons.

I've also been thinking about ways to push the burden back on the
advertisers.  Imagine we have some kind of signaling mechanism that MLMs
can take advantage of indicating to them that the author is using a strong
policy, and so it would be possibly a bad idea for the MLM to accept,
mutate, and re-send this message.  This could be a header field or an SMTP
extension (though the latter is complex to get right in a store-and-forward
system).  The MLM can then decide if it is willing to pass the message
unmodified to the list, or reject it with an error like "The policies of
this list require modification of your message, which violates your
domain's apparent policy.  Your submission therefore cannot be accepted.
Please contact your support organization for further assistance."  There's
never an opportunity for the collateral bounce to occur if the message is
never distributed, and the author domain has to either soften its policy or
separate its regular users from its transactional stuff somehow.

This avoids the "collateral" and "persistent" damage issues I raised in a
separate post.  It still requires the MLMs to do something new, but avoids
the need to implement any of a variety of unsavory mutations.  MLMs could
also determine this by querying the current DMARC policy of the author's
domain, to be sure, so it's a choice between MLMs looking for a header
field (which they already know how to do) or becoming DNS-aware (relatively
simple, but pulls in some complexities and dependencies they may not want).

-MSK, trying to be useful here

v2.23.0 | Report a Bug | By Email