IETF Logo Mail Archive

Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field

Alessandro Vesely <vesely@tana.it> Mon, 17 August 2020 09:57 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A278C3A1473 for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 02:57:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.047
X-Spam-Level:
X-Spam-Status: No, score=-3.047 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.949, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wrBO4f4FTC0F for <dmarc@ietfa.amsl.com>; Mon, 17 Aug 2020 02:57:57 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 369F93A146F for <dmarc@ietf.org>; Mon, 17 Aug 2020 02:57:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1597658274; bh=yt+eoysYM8S3MhIM8pOOumRDtTDOdl6t5gIaKm2QmjQ=; l=4122; h=To:Cc:References:From:Date:In-Reply-To; b=CriJD8Vm/ySfiyzE0QtCqryunx7kI3y332OAQI2DwRiFj6CU9r+Z+jRNn5JouaiC8 qay3s86XelpwPQ//qmLaratHgk0YVXA802HHp/8pEJN1jko5azMWJ5ulCudHVPRym2 t259cY8ZlIPZt0/0XTG9ieJR/HEbH5l1TIA2ZHJ6k4x8wbPvlti3pt0WPJDNy
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [192.168.1.102] ([5.170.69.62]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC026.000000005F3A54A1.00006FC7; Mon, 17 Aug 2020 11:57:53 +0200
To: dcrocker@bbiw.net
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <CAJ4XoYcFbh8-nAxjxzzRgUahFfhcgcZQ2yMF2ewv_-DgUmhL=g@mail.gmail.com> <20200814164237.313071E971DB@ary.local> <CAJ4XoYeqj_5mpZu1PZP4rNfrWRyC5gC-2dfK7oX9xQHiR24QeA@mail.gmail.com> <085c6a5f-5451-ae8c-4873-133673ba1754@tana.it> <CAL0qLwaVUi9QtV4zcCwncuy4N3YPwsGZPzFfd1q19io79UG2VQ@mail.gmail.com> <c1844590-4b12-9763-21c5-6ac5b730321b@tana.it> <6358f3da-806b-f4eb-b9a0-8ee8ce4121d7@dcrocker.net> <4e549ca6-6047-6ff2-325c-fe8d7247e157@tana.it> <c972e0af-b589-1780-47b3-8cb2a2024ec2@dcrocker.net> <13a0ed72-2c5a-8ba6-84ab-b857e29403f1@tana.it> <1703e878-e20a-8ae2-09e8-25470c0cf5f8@dcrocker.net>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <e89a5551-f8cc-2d8e-4bfb-65fef943e9fe@tana.it>
Date: Mon, 17 Aug 2020 11:57:48 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <1703e878-e20a-8ae2-09e8-25470c0cf5f8@dcrocker.net>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XzgHCOQopr_SIjF1ELcX8rthbUg>
Subject: Re: [dmarc-ietf] Call for Adoption: DMARC Use of the RFC5322.Sender Header Field
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2020 09:57:59 -0000

On Sun 16/Aug/2020 20:16:17 +0200 Dave Crocker wrote:
> 
>>>>> If I put my gmail address into the from field, there is no 
>>>>> pretending, no matter what platform I am using.
>>>>
>>>>
>>>> That conflicts with the coarse-grained authentication strategy, 
>>>> established at the FTC Email Authentication Summit in November
>>>> 2004, as Doug^W Michael recalled >>>
>>> 1. I was making a semantic point, not a technical or technical 
>>> policy one.
>>
>> They have to match at some point.
> 
> it would be nice, wouldn't it?
> 
> but that's separate from the factual statement I made.


Separate but related.


>>> 2. There was nothing 'established' at that event.  There were 
>>> interesting discussions, but that's all.
>>
>>
>> I wasn't there.  Can't it be considered the historic event that 
>> marked domain-level authentication as the promising strategy to 
>> counter email abuse?
> 
> Reference to that event as if it 'established' anything is misguided, 
> at best.  The meetings were helpful, but not definitive.  And the 
> efforts at domain level authentication were wholly independent of 
> these events.


Would it be still correct to mention that summit as a conspicuous 
event that testifies the emergence of domain-level authentication 
around the early 2000s?


> As already noted on this list, the events served as a plea from the 
> government and, therefore, a signal that the government was concerned.


A noteworthy historical detail.


>>>> Your gmail address needs to be authenticated by gmail. 
>>>
>>> Good grief, no.  There is no system rule to that effect.  DMARC 
>>> created that, but no policy before it was in place, never mind 
>>> accepted.
>>
>>
>> DMARC took that strategy to the extremes.  A number of users and 
>> operators seem to have accepted it.  Why cannot we accept it too?
> 
> That DMARC does something and that some people use it is quite 
> different from claiming that there was some grand change in the 
> semantics and operational policy of email.  Why can't THAT be accepted?


There's been a combination of events, from IETF's reluctant 
laissez-faire to Yahoo/AOL adoption, which brought up the illusion 
that email authentication can provide a global means to counter 
spoofing.  To believe that such illusion will come true makes for a 
strong motivation.

Couldn't we meet somewhere halfway?  I can see that you, John, Herr 
Hammer, and other relevant participants don't accept that domain-level 
authentication is semantically mandatory.  What d'you reckon about the 
possibility that such grand semantic change can be made official 
within the next 10~20 years?  I think that by just spelling the 
technical means /as if/ such change is going to happen, we can design 
a consistent authentication protocol.


>>>> Sending From: bbiw.net, SPF-authenticated as dcrocker.net, and 
>>>> whitelisted as yet another domain (songbird.com) can hardly be 
>>>> verified.  There is no "pretending", since it's you, but it is not 
>>>> formally distinguishable from spoof, is it?
>>>
>>> Whether valid and invalid uses can be distinguished does not alter 
>>> the fact that valid uses are valid.
>>
>> The problem is to find the technical means that allow receivers and 
>> recipients to verify such validity.
> 
> Of course.  But when it's at the expense of valid use that has worked 
> for 45 years, then those means are problematic.  Highly.


It seems to me most expenses have been paid already, for example this 
mailing list is applying From: rewriting.  We don't need to propose 
further restrictions.  To the opposite, there are means on the 
table[*] that can enable us to sketch a time horizon where From: 
rewriting can cease.

16 years have passed since the FTC event, which is 1/3 of those 45. 
What I see looks much like a very mild shift.  Lazy operators have 
plenty of time before the semantic change is established, at some 
point in the medium-term future, if ever.


Best
Ale
-- 

[*] For MLMs to resume traditional address usage, the most promising 
I-D's is dkim-transform, IMHO.

v2.23.0 | Report a Bug | By Email