IETF Logo Mail Archive

Re: [dmarc-ietf] auth-res vs. dmarc

Alessandro Vesely <vesely@tana.it> Wed, 30 December 2020 19:10 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B4433A0C0F for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 11:10:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5jvZOmSp5Pi for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 11:10:11 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 826DA3A0C04 for <dmarc@ietf.org>; Wed, 30 Dec 2020 11:10:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1609355409; bh=WBUUATnfkqbKQncxWucaFpYqvAuEXCk8A2k2PBz1CLk=; l=3227; h=To:References:From:Date:In-Reply-To; b=CNygKeON35qjLkjBl/8YueSTx+THTpGrWQKjsAdOIRdwW03vDqo4LcmcQ8dO0+hrV VzKEqJi/F2ITwcZKoTbgvSS8F0RTt+vVa76MX28H5IdZLPX+WqJ5rPoNnzZZsdJlii 1qE3R7bARl/JhC7jZqow17QA4prahu1Uvv+sIYQX+4lIqtUw/4mcV6n/AVJOn
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC056.000000005FECD091.00006344; Wed, 30 Dec 2020 20:10:09 +0100
To: dmarc@ietf.org
References: <9f6782b1-e85b-1a9c-9151-98feff7e18ea@mtcc.com> <CAHej_8m0OWsTt+tcSgUh+Fxu=HH_57nsb2O1Q_fgA2453ceh4g@mail.gmail.com> <140485eb-020f-4406-3f2f-e2c475ea51e5@mtcc.com> <CAHej_8mApfoF2ORgL+DoYTanrdhMjvT9H27kORwLKCQc1C9sRw@mail.gmail.com> <5588dbbe-b876-ed80-c80f-792380e3718f@mtcc.com> <CAHej_8=kW_t_JkOxUud1Uz8+PrbMh5CfwfxZK=mhe0wjW8wQpw@mail.gmail.com> <54dd9978-bcd1-6757-ad27-dcef6db6e5f7@mtcc.com> <CAHej_8kCi=7oqojDH_rbjn7kRg-PTDJWLgcKTGK9z-baUnKeMw@mail.gmail.com> <ef32de1e-d47e-1d0f-3cec-5994c7fdb7ae@mtcc.com> <CAHej_8kjSsQK_XEbdjWzV5npa29YjGadzD06Fmx3QLB4p+n_Cg@mail.gmail.com> <937f1019-a028-308d-2a0f-1e720fd49dcd@mtcc.com> <d8014c2a-c1c9-9eac-e64a-5f285bab7fd3@tana.it> <CAHej_8mgYr9ERAxmup+keZT5u8L+qgCxcSLH7Z=BEuZLouttpg@mail.gmail.com> <72e20c17-e991-e82a-9120-a27097e3ac58@mtcc.com> <CAHej_8=6huc-N4ymDTOWZXHGjQQ-3RFDdomRzmGp4kOseHckMQ@mail.gmail.com> <7863d250-f56a-1fe1-44ee-fbc7486d48b4@mtcc.com> <5FECB4F6.2020702@isdg.net>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <f95be573-1fe5-eddd-a140-27ed0ed7e75d@tana.it>
Date: Wed, 30 Dec 2020 20:10:08 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <5FECB4F6.2020702@isdg.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/WdvRV55rd261MlZf07AD2FMfhGE>
Subject: Re: [dmarc-ietf] auth-res vs. dmarc
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 19:10:13 -0000

On Wed 30/Dec/2020 18:12:22 +0100 Hector Santos wrote:
> 
> Any A-R evaluation looking for the specific DMARC verification bits as part of 
> its algorithm, but sees none, MUST use the default input and output values for 
> a domain that lacks a DMARC record.  For DMARC, when no record exist, the 
> default values are (please confirm, I am going off my 
> https://secure.winserver.com/public/wcDMARC wizard form values).
> 
> p=none
> sp=none
> adkim=relaxed
> aspf=relaxed
> pct=100%
> rua=0
> ruf=0
> rf=afrf
> ri=86400
> 
> The dmarc= value SHOULD not be dmarc=fail nor dmarc=pass because no DMARC 
> record exist.  So if an A-R is written for a non-DMARC domain, it should be 
> perhaps write:
> 
>    dmarc=unknown author.d=gmail.com signer.d=gmail.com (originating signer);
> 
> or
> 
>    dmarc=none author.d=gmail.com signer.d=gmail.com (originating signer);


I like better the latter (except that author.d should be header.from and 
signer.d is useless as there must be one or more dkim=pass with a matching 
header.d=gmail.com or spf=pass with matching helo/ mailfrom property.)


> Although the dmarc=none could erroneously suggest a DMARC record exist with a 
> p=none policy


Having no record or just "v=DMARC1; p=none;" should be equivalent.  ADSP 
explicitly said so, preferring an existing record with default values for DNS 
caching performance.

IMHO, we're being somewhat fussy by /requiring/ p=none.


> when a real policy exist, then a policy= tag used in our A-R, like:
> 
>    dmarc=dkim-fail policy=none author.d=gmail.com signer.d=gmail.com 
> (originating signer);


should be:

     dmarc=fail policy.dmarc=none

The moment that you deploy existing software, using unregistered properties 
becomes problematic.  Reporting the domain where a DMARC record was found might 
be useful.  However, if you want to use it you should register it.  I'd suggest 
dns.zone=gmail.com, as that ptype.property is already registered, albeit for a 
different method.


> which reads:
> 
> The author.d=gmail.com has a DMARC none policy. It has an aligned author and 
> signer domain, but DMARC failed due to a dkim-fail signature which the A-R dkim 
> line shows:
> 
>    dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=gmail.com header.s=20161025 
> header.i=gmail.com;


Obviously, SPF failed too.  It makes little sense to specify all possible 
failure reason on the A-R line.


> I am not suggesting this or no DMARC A-R line should be written when the domain 
> lacks a DMARC record.
> 
> If a A-R dmarc line is recorded, it should be readable by humans. It should not 
> erroneously misdirect an A-R evaluator routine when a DMARC does not exist. 
> Using the comment field SHOULD be reserved for non-standard HUMAN readable 
> data.  But some of used it to fill in the gaps we wanted A-R for verification 
> results, i.e. for SPF, the ip name field.
> 
> Overall, I agree, resolving the A-R name space technical issue SHOULD be 
> resolved in the WG for DMARC-bis. I think it is well worth the effort to define 
> what we need and then use this for the update up the A-R specs to create a more 
> common and useful name space to all.


Right.


Best
Ale
--

v2.23.0 | Report a Bug | By Email