IETF Logo Mail Archive

Re: [dmarc-ietf] Signaling MLMs

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 13 April 2023 11:25 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E02BC15C28D for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 04:25:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbnGn_o-1VND for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 04:25:02 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5EA63C1522C6 for <dmarc@ietf.org>; Thu, 13 Apr 2023 04:25:02 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id y35so192128ljq.6 for <dmarc@ietf.org>; Thu, 13 Apr 2023 04:25:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681385099; x=1683977099; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=fcFSfifpRcVd09OdsuVgadR4xrLLBgbIl0d4tHmi+x0=; b=Ik8Mv1pIpeqtWwkWSOnezyaigrmvt3PrFHe/LBFsbl1pykETKKpwQDsZ6swnInD3eE q+N/67ctUWqLky0h+Sq8AUWZLZ+XJG7v0Xdk2ajmwcm6xwthhPZmsQrD+GoeZ/UKrXUe 2LOCnukpo/Sv8Z7nrcZ64MNCXHtkbEHJyJM0HRnMHTm7pAzU69skLDlG26A3I4iMXHZF WFBwe5IxZFV9jEduAyGCWBsF5vjHT2CY3whYt1uqPT+jTK361Rrk7xIc46E3baFHr1Y3 ZfkuK7hoiU6fIIwvnfpyBnKX/YSWAuVmKFetLQxnImskt6RyErkFyXAlIUtDd+0eRVD5 krYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681385099; x=1683977099; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=fcFSfifpRcVd09OdsuVgadR4xrLLBgbIl0d4tHmi+x0=; b=OwQ1QPU1MAMmzB9+ub5/uRTnLkPxkkSez8rZ97j+5tsoDwJqM7whMr2CXgMj+vlJ7r ocHn/QA4FJRFDUsanvFYvYeiixYCxK7uovDSG+pGy2lqvLoz2igdvinTXFPuv4H24Ssq dTQI2uKi2oH1Kv58FUWPcMGc1gTnSdNAaqLqz4hYMUymXdXmX+416jp6XsFF16+OaJFY w00TIQ0NlUk+fsvFAuvBbgEbh407uJebFnKE09ZSdRZ/QUBirDJ6MaNdhb/itqGfEp7M 2qZNjpWpIGJr0qw75c2jdFx9eajBhQFKV3nLFTjNQ+XJAFQUeN65kCgOoR+R2cvaN8D3 oVVg==
X-Gm-Message-State: AAQBX9eXx0CD1WPywohjbTixNj9nRMEmIE0baaRH1aQm9HTdQSSTj9a7 pBxP4cswHV9o8DdsZYVHpXaLJWSoNe3SgHNssZoDFY9M
X-Google-Smtp-Source: AKy350a0sY+ESG2QMq7ZCElblvSTjmsYrANkSDWwMxNXM9Sjdo2U52/n/fnMHo7lQiLhdRP9DWAfV4yCsrs8+d1tMqg=
X-Received: by 2002:a2e:9916:0:b0:2a7:a52b:123e with SMTP id v22-20020a2e9916000000b002a7a52b123emr643064lji.1.1681385099033; Thu, 13 Apr 2023 04:24:59 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwZc2X7tyP+_8vvL3Yb7uJk6td3XGbsXUB68BNUEMhV4yQ@mail.gmail.com> <CAHej_8mYUH7=im5D8YsrAmA77V-+GAFaMnTNDdkZPPSapSi1OA@mail.gmail.com> <CAL0qLwYbbLLq-qLg_Wnp5aFw_2my4UTZz3U3LjwbCmpMNdudfA@mail.gmail.com>
In-Reply-To: <CAL0qLwYbbLLq-qLg_Wnp5aFw_2my4UTZz3U3LjwbCmpMNdudfA@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 13 Apr 2023 07:24:47 -0400
Message-ID: <CAH48ZfzgT3FY33L8HwP+gQTG9JLmjjNkiZMc6yGd_E1A=ZFccw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008f01e205f935f90b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/WSBkMlp2IGztB7pcSDM8SMWtJTQ>
Subject: Re: [dmarc-ietf] Signaling MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2023 11:25:06 -0000

I am beginning work on a Best Practices document which will attempt to
explain what evaluators should understand about p=reject.   Topics to
include:

   - PASS is more important than FAIL
   - SPF and DMARC are not the end of authentication options.   Any message
   can be authenticated for the purpose of distinguishing acceptable mail
   streams from their impersonators.
   - Exceptions are to be expected.
   - Tuning of Sender Authentication should be a normal process of filter
   tuning, occurring in parallel with content filter adjustment, whitelisting,
   and blacklisting.

Since nothing like this exists, it may change the approach used by some
evaluators, but nothing will change all of them.

MLM senders need their minimally-authenticated messages to be accepted by
evaluators.  This requires a recognized identity with a high reputation
that is considered relevant to the decision.    John suggested that his
doman's signature should be enough to remove distrust.   If his domain was "
pphosted.com" or "mimecast.com", his signature might be sufficient.
 Evaluators know that those signatures mean the message has been initiated
by a big-money organization, and then been filtered to prevent accidental
release of malicious messages.

How does a MLM start building that kind of reputation?

   - Ensure posts are personal messages where MailFrom and From represent
   the same account, or at minimum the same domain.
   - Ensure messages are not impersonated by validating the MailFrom domain
   with SPF, DKIM (in the absence of SPF policy), or a local policy that
   corrects for SPF policy errors.
   - Ensure messages are not malicious by performing best-effort malware
   filtering.
   - Further protect against malware and abuse by restricting high-risk
   attachment types and overly large attachments.
   - Most importantly, publish all of these policies online where a
   subscriber and his mail system administrator will find it.

But yes, it is within the power of MLMs to reject subscriptions from
p=reject domains, especially since alternatives like Gmail are readily
available for free.  But this could have happened already without IETF
advice on the matter.   So how serious is the problem, and how does our
document add value to the negotiation between domains and MLMs?

Doug Foster



On Wed, Apr 12, 2023 at 11:35 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Wed, Apr 12, 2023 at 11:41 AM Todd Herr <todd.herr=
> 40valimail.com@dmarc.ietf.org> wrote:
>
>> On Wed, Apr 12, 2023 at 2:16 PM Murray S. Kucherawy <superuser@gmail.com>
>> wrote:
>>
>>> I've been thinking about the point a few people have made now that DMARC
>>> has two actors that cause the problem: Those who "blindly" apply
>>> "p=reject", and those who advertise "p=reject".  You do, indeed, need two
>>> to tango; enforcement doesn't happen without an advertising sender and a
>>> participating receiver.  Maybe any "MUST NOT" advice we provide needs to
>>> cover both ends.  We need to be careful about admonishing participating
>>> receivers though.  What would we say to them about how to be selective in
>>> application?
>>>
>>
>> I'd argue that we have language already that advises receivers to be
>> selective in application. The second paragraph of section 5.8, Policy
>> Enforcement Considerations, currently reads as follows in DMARCbis:
>>
>> Mail Receivers MAY choose to accept email that fails the DMARC mechanism
>> check even if the published Domain Owner Assessment Policy is "reject". In
>> particular, because of the considerations discussed in [RFC7960
>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#RFC7960>],
>> it is important that Mail Receivers SHOULD NOT reject messages solely
>> because of a published policy of "reject", but that they apply other
>> knowledge and analysis to avoid situations such as rejection of legitimate
>> messages sent in ways that DMARC cannot describe, harm to the operation of
>> mailing lists, and similar.
>>
>>
>> https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#name-policy-enforcement-consider
>>
>> Might that language be made stronger? Sure. Might it or other text
>> include mention of ARC as a possible solution? Maybe.
>>
>
> Right, thanks for the reminder.
>
> I think part of the problem might be that blanket observance of "reject"
> is already commonplace.  There's also very little in the way of algorithms
> or text guidance to indicate to receivers how they're supposed to know when
> it's safe to actually reject.
>
>
>>
>> I've also been thinking about ways to push the burden back on the
>>> advertisers.  Imagine we have some kind of signaling mechanism that MLMs
>>> can take advantage of indicating to them that the author is using a strong
>>> policy, and so it would be possibly a bad idea for the MLM to accept,
>>> mutate, and re-send this message.  This could be a header field or an SMTP
>>> extension (though the latter is complex to get right in a store-and-forward
>>> system).  The MLM can then decide if it is willing to pass the message
>>> unmodified to the list, or reject it with an error like "The policies of
>>> this list require modification of your message, which violates your
>>> domain's apparent policy.  Your submission therefore cannot be accepted.
>>> Please contact your support organization for further assistance."  There's
>>> never an opportunity for the collateral bounce to occur if the message is
>>> never distributed, and the author domain has to either soften its policy or
>>> separate its regular users from its transactional stuff somehow.
>>>
>>> This avoids the "collateral" and "persistent" damage issues I raised in
>>> a separate post.  It still requires the MLMs to do something new, but
>>> avoids the need to implement any of a variety of unsavory mutations.  MLMs
>>> could also determine this by querying the current DMARC policy of the
>>> author's domain, to be sure, so it's a choice between MLMs looking for a
>>> header field (which they already know how to do) or becoming DNS-aware
>>> (relatively simple, but pulls in some complexities and dependencies they
>>> may not want).
>>>
>>
>> My preference here would be to add text for Domain Owners to make them
>> understand the ways that p=reject might cause some mail using their domain
>> to not make it to its destination, with "mailing lists might reject your
>> mail" being one such example.
>>
>
> And a good example, given it's the most obvious one.  But is it enough to
> say that and nothing else?  What about MLMs actually doing something like
> this?
>
> -MSK
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email