Re: [dmarc-ietf] Signaling MLMs

Alessandro Vesely <vesely@tana.it> Wed, 19 April 2023 17:02 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAEBBC14F747 for <dmarc@ietfa.amsl.com>; Wed, 19 Apr 2023 10:02:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="5PNJ/0ZV"; dkim=pass (1152-bit key) header.d=tana.it header.b="Bq7yYZFi"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3RMDjWqM0q_f for <dmarc@ietfa.amsl.com>; Wed, 19 Apr 2023 10:02:42 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38E3AC14CE54 for <dmarc@ietf.org>; Wed, 19 Apr 2023 10:02:39 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1681923756; bh=hJ5XxZpzvq//7yinNxkaQjT2qKMk/612CtzsMtpUMH8=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=5PNJ/0ZVTm9iu3CEEUU8K+VdCRD6GNBM+rTE1E5lN0wk9mZ1J2YLynDQ5Y7/7wttf jeaXfmjDyqAtlArsdM1BQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1681923756; bh=hJ5XxZpzvq//7yinNxkaQjT2qKMk/612CtzsMtpUMH8=; h=Date:Subject:To:References:From:In-Reply-To; b=Bq7yYZFiWS0mBBa/N/uLPDBqs9GiT/dfFIBluGQTrVIWtFwVe38EoFvJhR9uMuRrc dIO1SiMKAv+XC2L3uFVlW8tyug9DB2b5zvOL2akuC1pB8ork3zZhemBm51BoIdRO98 flUzyBs5PsPIxpV/1jgsYko0UV9NVOW8kc51d69g3OrfkedMlyO+mIehQELV9
Original-Subject: Re: [dmarc-ietf] Signaling MLMs
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0BC.0000000064401EAC.000077E9; Wed, 19 Apr 2023 19:02:36 +0200
Message-ID: <f86b3ab6-cf2d-858a-7a97-9992d81d4c5f@tana.it>
Date: Wed, 19 Apr 2023 19:02:36 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.9.0
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <5DAE096A-B547-4569-A3C6-34ED9EC91B2D@isdg.net> <AA303EAF-76DA-4FAD-877D-C7B0143E21D3@marmot-tech.com> <643CB79E.7060309@isdg.net> <01ffe451b5f6e748cdcd295221f085e4@junc.eu> <D791743D-9E7F-4724-8181-44EF6148F5B3@isdg.net> <c19d02bdc96f8f016af430710ccb4247@junc.eu> <10c5dcb4-4eca-b6f4-6a76-29faf2700f76@tana.it> <A8C8D8CA-47D5-40FC-B164-E8CB221B3F35@isdg.net> <0e65af20ba017692818670b156151e4f@junc.eu> <dee4a66a-4741-264f-07d6-19c4db957748@tana.it> <b218707b5da0e0d143a158728a51d59c@junc.eu>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <b218707b5da0e0d143a158728a51d59c@junc.eu>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XbKRPU29OQnTJ24PXnqadU-_RCw>
Subject: Re: [dmarc-ietf] Signaling MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Apr 2023 17:02:47 -0000

On Wed 19/Apr/2023 15:50:54 +0200 Benny Pedersen wrote:
> Alessandro Vesely skrev den 2023-04-19 11:09:
> 
>>> if all maillist did arc on incoming mails before mailman scraped dkim then 
>>> all will be good, only left is dmarc is not in all places tests arc results
>>
>> It is all too easy to spoof an ARC chain offering false authentication
>> results.
> 
> ARC chains are untrusted by default, where is the problem ?


Just pointing out that "if all maillist did arc on incoming mails before 
mailman scraped dkim" then that is not enough.


>> Allowing ARC to override DMARC result requires the ARC
>> signer to be whitelisted.
> 
> whitelisted is not the right word for it, it's either trusted or untrusted


Yes, I meant to say a site can make a list of all the ARC-sealers they trust 
and call it a whitelist.


>> Now, one can object that whitelisting could be done by DKIM, by SPF,
>> by DNSWL, without the need to introduce a new, long-winded protocol.
>> However, ARC brings a couple of advantages:
>>
>> 1) In case of multiple forwarding steps, ARC delivers an ordered and
>> cohesive chain which is easier to verify than a messy mass of DKIM
>> signatures.
> 
> recipients should only care of dmarc, not dkim/arc/spf fails
> 
> to make this work dmarc must trust arc


Here I lost you.  DMARC is a protocol.  It cannot give credence or believe.  It 
can pass or fail.  It is receivers who can trust an ARC chain and override 
DMARC results; that is, allow the message even if dmarc=fail and p=reject.


Best
Ale
--
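The receiver-side decision Ale describes, as an added example that is not part of the thread or of any real MTA: a DMARC failure is overridden only when the receiver's own ARC verification succeeded and the domain of the last ARC-Seal is on the receiver's list of trusted sealers. The header values, the `chain_valid` flag (assumed to come from the receiver's own cryptographic ARC check, never from the `cv=` tag) and the trusted-sealer set are all constructed for the example.

```python
import re

# Constructed ARC-Seal header values (signatures shortened); not real mail.
ARC_SEALS = [
    "i=1; a=rsa-sha256; cv=none; d=list.example; s=arc; t=1681923756; b=AAAA",
    "i=2; a=rsa-sha256; cv=pass; d=relay.example; s=arc; t=1681923800; b=BBBB",
]


def parse_tags(value: str) -> dict:
    """Split a tag=value; list (ARC-Seal / DKIM-Signature style) into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def last_sealer(arc_seals: list) -> str:
    """Domain (d=) of the ARC-Seal with the highest instance number, or ''."""
    best_i, best_d = 0, ""
    for raw in arc_seals:
        tags = parse_tags(raw)
        i = int(tags.get("i", "0"))
        if i > best_i:
            best_i, best_d = i, tags.get("d", "").lower()
    return best_d


def decide(dmarc_result: str, dmarc_policy: str, arc_seals: list,
           chain_valid: bool, trusted_sealers: set) -> str:
    """Return accept / quarantine / reject for one message.

    chain_valid is the receiver's own verification of the ARC chain; the
    cv= tag in the headers is only the sealer's claim and is ignored here,
    because a forged chain can carry cv=pass just as easily.
    """
    if dmarc_result == "pass" or dmarc_policy == "none":
        return "accept"
    # ARC is untrusted by default: a verified chain changes nothing unless
    # the receiver has decided to trust the domain that sealed it last.
    if chain_valid and last_sealer(arc_seals) in trusted_sealers:
        return "accept"  # local override: allow despite dmarc=fail, p=reject
    return "reject" if dmarc_policy == "reject" else "quarantine"
```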