IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Todd Herr <todd.herr@valimail.com> Tue, 28 March 2023 15:59 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86D07C1524AE for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 08:59:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 742xd6VAwkwi for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 08:58:58 -0700 (PDT)
Received: from mail-pg1-x52a.google.com (mail-pg1-x52a.google.com [IPv6:2607:f8b0:4864:20::52a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 546AFC14CE40 for <dmarc@ietf.org>; Tue, 28 Mar 2023 08:58:58 -0700 (PDT)
Received: by mail-pg1-x52a.google.com with SMTP id q206so7488167pgq.9 for <dmarc@ietf.org>; Tue, 28 Mar 2023 08:58:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1680019137; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=Lwr9xqD29TxGe6dnjM7svxTjsqOjQdd5BWfxMonKGsM=; b=EYcZRLxN9l+OAdkm3bgFc0GRKCsWpX5PDB3GzL04hr/NpY0jed1RjMKeTLh/r4yqF8 WuVTw9TmzCbF6DJ7kllJZy4lVBdto+aV3lsXwrKHUur91QKLD7tHgb7+5rymbzWX/hsf paNzmFwfoCCn6FBeHLG1qsR+9s6Wg0yRp9q9aNOuxZxwtMz/3/zguhTZuXUdySy2rL13 GQBI7VaQXc7TkZJiKX4RXOWuGLzk2sG6wUo4XhFqHyEU3nhGyLzLkoNISbWy0FUM9rFZ GHL0A34krydeSMYwD3Ow+srvx7g1ClwEtxQc/utGBlslll3wXJC+Nxenr30zlKH/u35a jIrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680019137; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Lwr9xqD29TxGe6dnjM7svxTjsqOjQdd5BWfxMonKGsM=; b=2zU23DJ4y2bGVAU2X9kysEmbqJi2QtRlrHRxtMSSG02csGAdcdqJkg6lnPHhuyFM2n N5E6jCkWM3ONs2FvWdRczdrho1Ck45NCgGHVlrDFYkFV5w3cMCkxy7IH+MyLmyySp0Wl pbkZOO/h6Q60BXUSvN7dvlcJ/DEfLlNrHw0IwbY8LFYD+hh4VoekFJzR2NBkMRGG+2Ez t/FhegD3BxkP/fcTfy2aNIPY0wyVEt10rGt4xMAuEr3QvsgxPidjOKn6KJD+8VIVRV0P PnMFTNSLYIRNBa1iozWUt9MSJLZTBIevjcL1WTSCD7Y85Y6npE+tSESDkg5VpVw0l7qr E7gw==
X-Gm-Message-State: AO0yUKXFtClgUks1NQGiFF3qWK7p25oMlmh8mxxUXFfLLLYP9pwbrRTl 2gfTa/pHUbbQgaoLYiEVtrbHxAnElKoc5l8JfQSZtDbD9LMMqROt
X-Google-Smtp-Source: AKy350a3pxzjCp+pyf99b89B+5kbu+MjPugkotU3fdAuhKCvI9FgvZ137TP1uc8ffnVb5p4NHOKzSSAVl/xyxMli1iI=
X-Received: by 2002:a05:6a00:848:b0:626:2343:76b0 with SMTP id q8-20020a056a00084800b00626234376b0mr8656848pfk.6.1680019137195; Tue, 28 Mar 2023 08:58:57 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <3A0C013F-55E6-46FE-92DD-EF31BC58A55D@bluepopcorn.net> <CAHej_8m7m29EiKUzarR1wBVyxfORfdcX_kgUz0-3uDiqoZ+i2A@mail.gmail.com>
In-Reply-To: <CAHej_8m7m29EiKUzarR1wBVyxfORfdcX_kgUz0-3uDiqoZ+i2A@mail.gmail.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Tue, 28 Mar 2023 11:58:40 -0400
Message-ID: <CAHej_8nu8LZCEk2COCk6XUv9oPs2tP-SOZfUhKSqMxx8gBN8iA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e391df05f7f7ef65"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XDWcGyCwiZa6NuGXvGX6rUORkho>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 15:59:02 -0000

Upon further reflection, I find myself liking Barry's proposed text less,
and instead propose the following:

On Tue, Mar 28, 2023 at 9:42 AM Todd Herr <todd.herr@valimail.com> wrote:

> On 28 Mar 2023, at 17:15, Barry Leiba wrote:
>>
>> > NEW
>> >
>> >    5.5.6.  Decide If and When to Update DMARC Policy
>> >
>> >    Once the Domain Owner is satisfied that it is properly authenticating
>> >    all of its mail, then it is time to decide if it is appropriate to
>> >    change the p= value in its DMARC record to p=quarantine or p=reject.
>> >    Depending on its cadence for sending mail, it may take many months of
>> >    consuming DMARC aggregate reports before a Domain Owner reaches the
>> >    point where it is sure that it is properly authenticating all of its
>> >    mail, and the decision on which p= value to use will depend on its
>> >    needs.
>> >
>> >    It is important to understand that many domains may never use
>> >    policies of “quarantine” or “reject”, and that these policies are
>> >    intended not as goals, but as policies available for use when they
>> >    are appropriate.  In particular, “reject” is not intended for
>> >    deployment in domains with users who send routine email, and its
>> >    deployment in such domains can disrupt indirect mail flows and cause
>> >    damage to operation of mailing lists and other forwarding services.
>> >    This is discussed in [RFC7960] and in Section 5.8, below.  The
>> >    “reject” policy is best reserved for domains that send only
>> >    transactional email that is not intended to be posted to mailing
>> >    lists.
>>
>

> >    To be explicitly clear: domains used for general-purpose email MUST
>> >    NOT deploy a DMARC policy of p=reject.
>>
>>
>
NEW

5.5.6 Decide Whether to Update DMARC Policy

Once the Domain Owner is satisfied that it is properly authenticating

all of its mail, then it is time to decide if it is appropriate to

change the p= value in its DMARC record to p=quarantine or p=reject.

Depending on its cadence for sending mail, it may take many months

of consuming DMARC aggregate reports before a Domain Owner reaches

the point where it is sure that it is properly authenticating all

of its mail, and the decision on which p= value to use will depend
on its needs.

The policies "reject" and "quarantine" are more effective than "none" for
accomplishing the chief goal of DMARC, namely to stop the exact-domain
spoofing of the domain in the RFC5322.From header. However, experience
has shown that a policy of "reject" can result in the disruption of
indirect mail
flows and cause damage to the operation of mailing lists and other
forwarding
services; [@!RFC7960] and [@!RFC8617] and Section 5.8, below, all discuss
this topic and/or possible strategies for addressing it.

Because of these challenges, some domains, particularly those with open
signup
capabilities, may prefer to remain at a policy of p=none. This topic is
discussed
further in section 11.4 below.

11.4 Open Signup Domains and DMARC Policies


Certain domains with open signup capabilities, where anyone can register an

account and send mail, may not want to implement p=reject. An example of
such

domains would be consumer mailbox providers that used to be known as
"freemail

providers". Domains with no DMARC policy or a policy of p=none are
vulnerable

to spoofing, but their users can send mail using these registered email
addresses

from unrelated third party systems (such as "forward to a friend" services)
or participate

in mailing lists without impediment. The security challenges that this
presents to the

domain owner are left up to those systems that allow open registration of
users.



-- 

*Todd Herr * | Technical Director, Standards and Ecosystem
*e:* todd.herr@valimail.com
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email