Re: [dmarc-ietf] ARC questions
Brandon Long <blong@google.com> Tue, 24 November 2020 23:25 UTC
Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0982A3A03EE for <dmarc@ietfa.amsl.com>; Tue, 24 Nov 2020 15:25:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5nOsTsD06mgu for <dmarc@ietfa.amsl.com>; Tue, 24 Nov 2020 15:25:07 -0800 (PST)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C2E53A02DC for <dmarc@ietf.org>; Tue, 24 Nov 2020 15:25:07 -0800 (PST)
Received: by mail-vs1-xe2a.google.com with SMTP id m16so223707vsl.8 for <dmarc@ietf.org>; Tue, 24 Nov 2020 15:25:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vtsP6+5wY3foiFxCRzGKxe/cBPmQNHkHkrOa+vfUSGc=; b=FlHxPQOEDUlgDzcE/meXD/0Gw3wF3boUaB80vaI3+pGlTsbKtDJPFvYxmXVDZ/kSQy eFCwMAqS3k6MMg1S9hnBzTmKZL2XOwUOyRhitlwtt9cIEtpqjZNkxxcA05dAXxLbC7tC 3chQfgYqKfiuQC/HmopduTxuLmO9o0L7bM3A3EtEVAOlC+WL9N7v7/6rwnpz695Cr2j0 KkM4U/6PwkWmlutzC3pVO2cv9LpMorSDTvTXjuwpQ3AGiMphB/B13gueDnq4sXYzNj9P 77DGo8eLaDYms5J+Maj+EWXjCGPzr2OgVcdAdm9+qV+ik1qfEI4B02eeLayDbo4RVjHH VIpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vtsP6+5wY3foiFxCRzGKxe/cBPmQNHkHkrOa+vfUSGc=; b=J1zbhcAGvmnlr3UO9Zn7fFWtK7ZhV+Z5PUM7LIFW6V7phAThwt312NezMZhQi7/RC0 O1FU7gXYmwHrvEHXBOG+oBhkjxBXTmX3VcBhofjQhsdAaNLJLB/ua0Wrfr0OgzcsQ7qB DcVs67vrclUa1+atYnFgtzi205kxH56GIz3v27hEXjgYAZmeTfsE7S1Jh4QrAbx0U1Aw uPpJqW2iTwodJudJ3dcd+2tYiW7pgc9PUuElYP+ABQEVZgUQDv2x0ET3iHiF3teCcuv5 +iM4pPMFBScUdSt4ENfAebtyj/06m7lJwcNCOSILqMYCCQCInqhJyz4e+spGlMK7d70e K9ew==
X-Gm-Message-State: AOAM5322s3Pk6ORf+zJ8mT0bJykey9OFTlE7PZYuTMoyp7Ec3PZAbGI0 QQRPzWQIMLEn+56daNJ0AACcY9zgKcDh9uuu1D/L38ymCQ==
X-Google-Smtp-Source: ABdhPJx7YLTIt16LaeboQ0/T/OU+b//6o7vQ42khgGS5UaFK0Crm2mYTZdqA4ZmfVQ2Wp5/VRS42qxyTxvu4ovz6ZxE=
X-Received: by 2002:a67:df8b:: with SMTP id x11mr403818vsk.37.1606260305638; Tue, 24 Nov 2020 15:25:05 -0800 (PST)
MIME-Version: 1.0
References: <20201124020453.AFDC027CE5C8@ary.qy> <cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com>
In-Reply-To: <cd855b53-d9bd-3412-3bd5-dc4b7720dc5c@mtcc.com>
From: Brandon Long <blong@google.com>
Date: Tue, 24 Nov 2020 15:24:52 -0800
Message-ID: <CABa8R6s0bfs87Fu9eOq_R3WH1pngauVXrw3RSPe9iWWCtf3AmQ@mail.gmail.com>
To: Michael Thomas <mike@mtcc.com>
Cc: John Levine <johnl@taugh.com>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000efbb4b05b4e29e61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/X6mESSzdsE_przULddbrDS6o0ds>
Subject: Re: [dmarc-ietf] ARC questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2020 23:25:09 -0000
On Tue, Nov 24, 2020 at 2:49 PM Michael Thomas <mike@mtcc.com> wrote: > > On 11/23/20 6:04 PM, John Levine wrote: > > In article <e8e1d300-fbe7-6d10-c15f-30c29ab74237@mtcc.com> you write: > >> What I'm struggling to understand is what having authenticated auth-res > > >from a previous hop helps. this is what i found: > > > > See some of the previous messages. My usual example is a mailing list > > message that fails DMARC at the final recipient but passed DMARC (as > > recorded in AAR) when it arrived at the list. This lets the final > > recipient distinguish between real messages from subscribers and mail > > from spambots that happened to scrape both the list address and some > > subscribers' address and sends mail to one pretending to be from the > > other. (That definitely happens, I've seen it on lists I'm on.) > > > > I agree that the ARC document does not do a great job of explaining that. > > > >> It would be kind of nice to understand what gap ARC actually plugs and > >> why it's important if you ask me. Also: there seem to be a lot of ways > >> to achieve this, but this one is probably the most complicated one that > >> I can envision. > > If you want to pass the A-R results through multiple rounds of > > forwarding, you can't do much less. > > > Sorry, changing the auth-res to old-auth-res and dkim signing the > message would be completely sufficient, and far easier to understand > with a lot less bloat. All of this hand wringing about dozens of message > manglers in the path before it get to the destination and not be able to > figure out which auth-res was which seems wildly out of proportion for > what the normal case is: 1 message mangler in the path before it arrives > at the receiver's domain. Just like this message right here. That's why > I asked how common that was, which was dismissed, but not answered. > Note that this was exactly what we started with, X-Original-Authentication-Results and with Google's implementation signing that with X-Google-DKIM-Signature. Our version didn't just sign with DKIM-Signature because of the reasons already stated in this thread, that our understanding of how DKIM-Signature was being used made it a poor choice. Our experience also showed that more than one hop is quite common in enterprise deployments, and those are also the places where the most complexity arises. Others shared our experience as well. You say that your message had 1 mangler in the path, but really you don't know that. It is likely that some people on this list are on enterprise accounts who are behind mangling inbound gateways (rewriting urls to go through safety checking hops is common, for example). Or maybe they are on with University accounts using exchange but forward their mail to a personal or department gmail account. It may be that ARC is too complicated, that other, simpler, solutions would have worked for 90% of cases and would have been better than what we've got (From rewriting), and that the real pain for receivers having lots of hops should be borne by those receivers. Brandon
- [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Kurt Andersen (b)
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Douglas E. Foster
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Douglas E. Foster
- Re: [dmarc-ietf] ARC questions Joseph Brennan
- Re: [dmarc-ietf] ARC questions Todd Herr
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Doug Foster
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Todd Herr
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Dave Crocker
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Seth Blank
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Douglas Foster
- Re: [dmarc-ietf] ARC questions Murray S. Kucherawy
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Murray S. Kucherawy
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Murray S. Kucherawy
- Re: [dmarc-ietf] ARC questions Alessandro Vesely
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John Levine
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions John R Levine
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Michael Thomas
- Re: [dmarc-ietf] ARC questions Benny Pedersen
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Brandon Long
- Re: [dmarc-ietf] ARC questions Michael Thomas