IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Alessandro Vesely <vesely@tana.it> Tue, 25 October 2022 08:33 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26071C1524DF for <dmarc@ietfa.amsl.com>; Tue, 25 Oct 2022 01:33:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b=j+lHqJ8J; dkim=pass (1152-bit key) header.d=tana.it header.b=CsPp46Q3
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dc8ak4vrZO7M for <dmarc@ietfa.amsl.com>; Tue, 25 Oct 2022 01:33:07 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D533BC1524DE for <dmarc@ietf.org>; Tue, 25 Oct 2022 01:33:05 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1666686780; bh=U8AZWgcHzl0Xp9vSM2jwV/NJrwCqksmCky++sDokXCQ=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=j+lHqJ8JF+XczrCq6fcQzMJOnUpudb8LN6ZqYyJsaOc2PtCd906vk6Vtl1H8Ewy+C m9wD3TI/U+z7s6sAHsIBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1666686780; bh=U8AZWgcHzl0Xp9vSM2jwV/NJrwCqksmCky++sDokXCQ=; h=Date:Subject:To:References:From:In-Reply-To; b=CsPp46Q3lZ5ectvA3c1u/Y3cAOHjm/0F4uHWMdY6nAs8kkVNTHQCLJKvVkbqIPCSQ vtCESbs/NnTbcWtw+C5ieJwRRjreFy+icJF+t7LcDpTuoOmf9u3RPKqkMM5uOs99AU UNypd1Mwr86O375QgpGiQgLTEnxvOJ/b0iJaUdoo9QaNLi6Rxvc91yyo0ByHB
Original-Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0DD.0000000063579F3C.000066F1; Tue, 25 Oct 2022 10:33:00 +0200
Message-ID: <e9319eeb-4f6e-08f0-c052-1c084d4d7ffb@tana.it>
Date: Tue, 25 Oct 2022 10:33:00 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.0
Content-Language: en-US
To: dmarc@ietf.org
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com> <f0d90ca7-38b7-3a1d-2be9-30cad7bec31c@tana.it> <CAH48ZfxcYFCj_5S7CU+r-d1yypMCOX9=UvLmTCqMNSa_kejycw@mail.gmail.com> <CAJ4XoYdvk506_L6BjZD2EYWfAyCgLWTgGS3qsV0_=XHC76--Nw@mail.gmail.com> <CAH48ZfxHzEHRGW-Omkj_HotO6kSdUByxhJstQTWn5hpOapYaRQ@mail.gmail.com> <CAJ4XoYe+s7BmFcvtNPaWu1i4kv_j=CtqA1DbkusfGk9s4rDYeA@mail.gmail.com> <560ccd88-2217-9e47-f690-6bc413c67ffa@tana.it> <CAJ4XoYdbPzf5ib6TX1s4tASANUj0FdrHb1uuJy52KdQayj8y3Q@mail.gmail.com> <bcdac862-95d3-94b3-9876-1a7b62a231e6@tana.it> <CAJ4XoYerfFq6vz3utqADk=Z5iXRrdgFCyKTAKMCZ8JSUxf2N_A@mail.gmail.com> <MN2PR11MB43518C0FD95E970FA3CD393BF72E9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAH48Zfz1k0UZDHGUYHgqD4gbS32e8Txu7GZsR0hMtFOd9f+jAA@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAH48Zfz1k0UZDHGUYHgqD4gbS32e8Txu7GZsR0hMtFOd9f+jAA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/W-gCCv5boWYRrKz43_UBdu_ZpgQ>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Oct 2022 08:33:13 -0000

On Mon 24/Oct/2022 22:30:06 +0200 Douglas Foster wrote:
> If there is detailed ARC reporting, the only target should be the forwarder, as 
> the message originator and domain owner are not parties to the ARC process.  
> Consequently, ARC reporting cannot be part of the aggregate report going to the 
> domain owner.
> 
> To send reports to the ARC domain owner, we will need a DNS token for them to 
> request those reports.   This could be a new token in the DMARC policy record, 
> if we can assume that forwarders would be willing to publish a DMARC policy to 
> also obtain ARC reports.
> 
> Given the trust issues around ARC, I think only acceptance events should be 
> reported to the ARC domain.
> 
> The message's domain owner can get a status of "accepted by local policy," with 
> a code for ARC as the supporting reason.  This is equivalent to "redeemed" but 
> less disruptive to installed base.  I see no reason to give him anything more.


A bank, say, can be interested in knowing who forwards its messages and whether 
they are trusted as forwarders.  It is the very same kind of business that 
allows the bank to have feedback about affiliated forwarders —those whose 
public key is published in the bank's zone.

DMARC looks up records based on the domain in an email address, not on a 
signature's d=.  BTW, the d= and authserv-id domains of an ARC set can well be 
three distinct domains.

Let's consider a message from someone@A, munged as someone@B, forwarded by C. 
The message contains various signatures and a long ARC chain.  A report 
generator prepares a row where this message is aggregated according to the 
authentication status of the evaluated tokens.  If we extend DMARC linearly, 
besides the address at _dmarc.B —the munged From: domain— we can include the 
same row in the report sent to the address found at _dmarc.C where C is the 
domain in Sender:, notwithstanding Appendix A3.

By the same token, we could consider _dmarc.A if there was an Author: domain 
pointing there.  We can say that while From: defines message ownership, 
Author:, Sender, and possibly Resent-From: claim some interest in the message 
and the aligned authenticator(s).  Or do we look up DMARC records at the d= 
domains?


Best
Ale
--

v2.23.0 | Report a Bug | By Email