[dmarc-ietf] Improving feedback using additional status codes
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Sat, 25 May 2019 19:43 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/X9SaHSk0f39qJhVUfnBJjJicC1Y>
The genius of DMARC, as compared to DKIM and SPF alone, is the feedback component. Unfortunately, sender authentication remains challenged by these issues:

- Limited deployment of DMARC feedback between senders and receivers.
- Significant levels of SPF and DKIM validation errors, on legitimate mail, even when indirect mail is not involved. Handling false positives becomes a significant obstacle to implementation of Sender Authentication by receivers.
- When the sender has not implemented DMARC, the recipient has difficulty communicating with the sender about Sender Authentication problems. Finding a knowledgeable employee is difficult and time consuming, so it will rarely be attempted. (And I have tried it.)

I propose two improvements to deal with this issue. The first is to define another feedback mechanism using message reception status codes. The second is intended to reduce DKIM verification errors, and will be posted later.

PROPOSAL

When a recipient detects an SPF or DKIM problem, it can provide immediate feedback to the sender with message status codes. I think this is a complete list of the conditions which would need a result status defined. The approach should be entirely upward-compatible with the existing infrastructure.

Message Success with SPF warning
  - Accepted despite SPF=NONE & Source IP not in MX list
  - Accepted despite SPF=NEUTRAL
  - Accepted despite SPF=SOFTFAIL
  - Accepted despite SPF=FAIL
  - Accepted despite SPF TempError
  - Accepted despite SPF PermError

Message PermFail because of SPF
  - Rejected because of SPF=NONE & Source IP not in MX list
  - Rejected because of SPF=NEUTRAL
  - Rejected because of SPF=SOFTFAIL
  - Rejected because of SPF=FAIL
  - Rejected because of SPF TempError
  - Rejected because of SPF PermError

Message TempFail because of SPF
  - TempFail due to SPF TempError

Message accepted despite DKIM
  - Accepted despite DKIM PermError
  - Accepted despite DKIM TempError

Message PermFail because of DKIM (not recommended)
  - Rejected because of DKIM PermError
  - Rejected because of DKIM TempError

Message TempFail because of DKIM
  - TempFail because of DKIM TempFail

Since DMARC evaluation is based on SPF and DKIM evaluated together, the above codes would seem applicable even with DMARC enforcement. I think these additional codes should be sufficient:

  - DMARC PermError (invalid policy record)
  - DMARC TempError (problem retrieving policy record)

Is this reasonable?

Doug Foster
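
An added illustration, not part of the message above or of any DMARC specification: how a receiver could turn the SPF and DKIM results in an Authentication-Results header into an SMTP reply line for the conditions the post lists. The post assigns no code numbers; reusing the RFC 7372 details X.7.20, X.7.23, X.7.24 and X.7.26, pairing them with a 2.x.x class for the "accepted despite" cases, and the function names are all assumptions of this example.

```python
import re

# Constructed sample header value (RFC 8601 syntax); not taken from the post.
SAMPLE = "mx.example.net; spf=softfail smtp.mailfrom=example.org; dkim=pass header.d=example.org"

# Receiver disposition -> (basic SMTP code, enhanced-code class digit, wording).
DISPOSITION = {"accept": ("250", "2", "accepted"),
               "tempfail": ("451", "4", "deferred"),
               "reject": ("550", "5", "rejected")}

# Results the post lists, mapped to the nearest RFC 7372 detail (assumption:
# the post itself assigns no numbers).
SPF_DETAIL = {r: ("7.23", "SPF validation failed")
              for r in ("none", "neutral", "softfail", "fail")}
SPF_DETAIL.update({r: ("7.24", "SPF validation error")
                   for r in ("temperror", "permerror")})
DKIM_DETAIL = {r: ("7.20", "No passing DKIM signature found")
               for r in ("temperror", "permerror")}

def parse_authres(value):
    """Return {method: result}; with several dkim= entries a pass wins."""
    found = {}
    for method, result in re.findall(r"\b(spf|dkim)\s*=\s*([a-z]+)", value, re.I):
        method, result = method.lower(), result.lower()
        if found.get(method) != "pass":
            found[method] = result
    return found

def smtp_reply(authres, disposition, source_in_mx=False):
    """Build the reply line a receiver would send for one listed condition."""
    basic, cls, state = DISPOSITION[disposition]
    results = parse_authres(authres)
    hits = []
    spf, dkim = results.get("spf"), results.get("dkim")
    # The post flags SPF=none only when the source IP is not in the MX list.
    if spf in SPF_DETAIL and not (spf == "none" and source_in_mx):
        hits.append(SPF_DETAIL[spf] + ("spf=" + spf,))
    if dkim in DKIM_DETAIL:
        hits.append(DKIM_DETAIL[dkim] + ("dkim=" + dkim,))
    if not hits:
        if disposition != "accept":
            raise ValueError("no listed SPF/DKIM condition justifies " + disposition)
        return "250 2.0.0 Message accepted"
    detail, text = hits[0][:2]
    if len(hits) == 2:
        detail, text = "7.26", "Multiple authentication checks failed"
    tags = ", ".join(h[2] for h in hits)
    return f"{basic} {cls}.{detail} {text} ({tags}); message {state}"

if __name__ == "__main__":
    print(smtp_reply(SAMPLE, "accept"))
```

A sending MTA that logs the enhanced status code of each reply could then count these per destination, which is the immediate feedback channel the post is asking for.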