Re: [dmarc-ietf] Signaling forwarders, not just MLMs

Hector Santos <hsantos@isdg.net> Thu, 13 April 2023 19:46 UTC

From: Hector Santos <hsantos@isdg.net>
Message-Id: <906F4F40-1081-4554-8243-C4E84E300E38@isdg.net>
Date: Thu, 13 Apr 2023 15:46:00 -0400
In-Reply-To: <CAHej_8nyYrCXPo8aYOb+cVSf=2NQDOBmUgo-FD=ohPBZ=yFuHw@mail.gmail.com>
Cc: Barry Leiba <barryleiba@computer.org>, IETF DMARC WG <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
References: <CAL0qLwYbbLLq-qLg_Wnp5aFw_2my4UTZz3U3LjwbCmpMNdudfA@mail.gmail.com> <20230413151342.B96D0BF17F1F@ary.qy> <CALaySJKM5Kct0u0ekuEBS=DVQTXG_CiewpzNwVyPiAaQ9zx3VA@mail.gmail.com> <CAHej_8nyYrCXPo8aYOb+cVSf=2NQDOBmUgo-FD=ohPBZ=yFuHw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/X3IePOqo--OjNg9aQ7rYY3Capcw>
Subject: Re: [dmarc-ietf] Signaling forwarders, not just MLMs

I didn't think we need to mention the type of people, organization, etc.

"This is particularly important because SPF will always fail in situations where mail is forwarded."

The issue applies to all.

> On Apr 13, 2023, at 12:04 PM, Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> 
> On Thu, Apr 13, 2023 at 11:21 AM Barry Leiba <barryleiba@computer.org <mailto:barryleiba@computer.org>> wrote:
>> > Anyone who does forwarding is damaged by DMARC because there are a lot of
>> > people who do DMARC on the cheap with SPF only.
>> 
>> This brings up another issue, I think: that there should also be
>> stronger advice that using DKIM is critical to DMARC reliability, and
>> using SPF only, without DKIM, is strongly NOT RECOMMENDED.
>> 
> I don't disagree.
> 
> How do we make the following text stronger?
> 5.5.2. Configure Sending System for DKIM Signing Using an Aligned Domain <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2>
> While it is possible to secure a DMARC pass verdict based on only one of SPF or DKIM, it is commonly accepted best practice to ensure that both authentication mechanisms are in place to guard against failure of just one of them.
> 
> This is particularly important because SPF will always fail in situations where mail is sent to a forwarding address offered by a professional society, school or other institution, where the address simply relays the message to the recipient's current "real" address. Many recipients use such addresses and with SPF alone and not DKIM, messages sent to such users will always produce DMARC fail. <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2-2>
> The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d= domain in the DKIM-Signature header) that aligns with the Author Domain.
> 
> 
> 
> -- 
> Todd Herr  | Technical Director, Standards and Ecosystem
> e: todd.herr@valimail.com <mailto:todd.herr@valimail.com> 
> m: 703.220.4153
> 
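The SPF-versus-DKIM behaviour under forwarding that the quoted draft text describes, as an added example that is not part of this thread or of the dmarcbis draft: a small Python model of the DMARC verdict with RFC 7489-style identifier alignment, evaluated for a direct and a forwarded message with SPF only and with SPF plus an aligned DKIM signature. The `org_domain` helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup, and all domains and results are constructed.

```python
from dataclasses import dataclass, field

def org_domain(domain: str) -> str:
    # Simplification for the example: treat the last two labels as the
    # organizational domain instead of consulting the Public Suffix List.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, author_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    only needs the same organizational domain."""
    a, b = auth_domain.lower(), author_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

@dataclass
class AuthResults:
    author_domain: str            # RFC5322.From domain (the Author Domain)
    spf_result: str               # "pass" / "fail" / "none"
    spf_domain: str = ""          # RFC5321.MailFrom domain that SPF evaluated
    dkim_pass_domains: list = field(default_factory=list)  # d= of valid signatures

def dmarc_verdict(r: AuthResults, adkim: str = "r", aspf: str = "r") -> str:
    """DMARC passes if either an aligned SPF pass or an aligned DKIM pass exists."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.author_domain, aspf)
    dkim_ok = any(aligned(d, r.author_domain, adkim) for d in r.dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else "fail"

def forward(r: AuthResults) -> AuthResults:
    """Model a plain relay/forwarder: the message is re-sent from the forwarder's
    IP, which the author's SPF record does not cover, so SPF fails. Signatures
    over unmodified headers and body still verify, so DKIM results carry over."""
    return AuthResults(r.author_domain, "fail", r.spf_domain, list(r.dkim_pass_domains))

# Constructed sample: example.com authenticates with SPF only.
spf_only = AuthResults("example.com", "pass", "example.com", [])
# Constructed sample: example.com also DKIM-signs with an aligned d= domain.
spf_and_dkim = AuthResults("example.com", "pass", "example.com", ["mail.example.com"])

def demo() -> dict:
    return {
        "spf_only_direct": dmarc_verdict(spf_only),
        "spf_only_forwarded": dmarc_verdict(forward(spf_only)),
        "dkim_forwarded_relaxed": dmarc_verdict(forward(spf_and_dkim)),
        "dkim_forwarded_strict": dmarc_verdict(forward(spf_and_dkim), adkim="s"),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The strict case shows the second point in the quoted text: a signature from a subdomain only rescues the forwarded message under relaxed alignment, so the d= domain should be chosen with the policy's adkim setting in mind.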