IETF Logo Mail Archive

Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows

Jesse Thompson <zjt@fastmail.com> Wed, 26 April 2023 02:24 UTC

Return-Path: <zjt@fastmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C7D3C1519B1 for <dmarc@ietfa.amsl.com>; Tue, 25 Apr 2023 19:24:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.793
X-Spam-Level:
X-Spam-Status: No, score=-2.793 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.com header.b="jEJLG8QH"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="K86zBTkk"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7dqMApm4gt0q for <dmarc@ietfa.amsl.com>; Tue, 25 Apr 2023 19:24:13 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 901E6C1516F2 for <dmarc@ietf.org>; Tue, 25 Apr 2023 19:24:13 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id A3F3A5C0164 for <dmarc@ietf.org>; Tue, 25 Apr 2023 22:24:12 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute1.internal (MEProxy); Tue, 25 Apr 2023 22:24:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm3; t=1682475852; x=1682562252; bh=YP eTyD4Ir2ujGHuyBBej7dZqbjbwFc6XaeNYDG2m65I=; b=jEJLG8QHQQynARSdBF 88LjrV2XSLz9u6owFn/aax84XgjJrla05NdV3+OkKQ3ouPukkOXkD6j011ByWXqp 7K3842TmMIpxuo978lhVapDRymReq4GGqgAdr+/n3Wotfchk1ZLxoY+OdF5DTR7y cBt3DK8RlE8Igkq0DbbK2ILQ9bwxxL6ZKOXnH71H2LHeApvrA5x5ysV2oTTluh8Y jhOhToPsmWSoHgOr+p9w4FYKqXiK4A7ByuLKMrCONAyDZh8JVqkw7IYTNfUhaKqq CooeTCK4Uwl78c3batxGqLopZ2HG/hQnZChJEEPSsHSQESdW+rkScOdaZ8KRDrTS PORA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; t=1682475852; x=1682562252; bh=YPeTyD4Ir2ujG HuyBBej7dZqbjbwFc6XaeNYDG2m65I=; b=K86zBTkksA0a2KAuu2H/3tSi6UWoP jULYiFP8vG2ldYGizFHpOm0sP/Khei2vO6rxXGOuxQV0rFwEnCEJ2SnddyYPnfpG YbEXyaVZ3qMB8uj/IY3uyXJvnYGdDvWA1gycpGDGEjVZC7NMfxC1JR0xcTzBjYqd BEquvdRUU+jVuWujXjF9aaNCqRltaAQRpDGvYs0eh3Opjw5egGItsowyp95psb1s JUAv1rrA0GZkqvsJF/2thH86nvgy+gzm2XjZDZNnRyY+JkV+ZG/WF3afkyYB9knq dIFZlytOjCM6o5b/ed7ceCR/xiNg52e4rs2fgavxy2L44wdEoYRI23KcA==
X-ME-Sender: <xms:TItIZN-0YMlk-NgR2TB0eCfClwK0G_XKDOpSdn9TuGvQPra0VYjKsg> <xme:TItIZBt5NwjS5K3hl_JYLpSpqFLSIH-hwrvG-wOhdQLnr4bYcJ38M88TK5ROa7RgP Z7HKT4BuwXw_UxmmF8>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrfedufedgiedtucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsegrtd erreerredtnecuhfhrohhmpedflfgvshhsvgcuvfhhohhmphhsohhnfdcuoeiijhhtsehf rghsthhmrghilhdrtghomheqnecuggftrfgrthhtvghrnhepgeeulefhfedtheeguedvud evkeduveelffevueehuddutdduhfejfeegleffieegnecuvehluhhsthgvrhfuihiivgep tdenucfrrghrrghmpehmrghilhhfrhhomhepiihjthesfhgrshhtmhgrihhlrdgtohhm
X-ME-Proxy: <xmx:TItIZLAqsVzx24UVZ2uT5kjTmQ3vwrzebcpyu2nZZmSScvY0BHcEQw> <xmx:TItIZBe57OK477MWXy8p9ZZ-UDyDiLVeIastph2Y5HZ81sUghLlnfg> <xmx:TItIZCM9jRzPUB2BaTLyc1MrSlYIM_3fnFWkvY422cUvVT9lLUPDWQ> <xmx:TItIZIY8WTear6bflpJkwcKutTurc-warGKYfh35WftUpMiFGOFadA>
Feedback-ID: i1a614672:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 5F5A2BC0078; Tue, 25 Apr 2023 22:24:12 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-374-g72c94f7a42-fm-20230417.001-g72c94f7a
Mime-Version: 1.0
Message-Id: <a0b5e634-529f-4b6e-8737-661e9fedba4b@app.fastmail.com>
In-Reply-To: <20230426010600.BDEC4C4E1FC2@ary.qy>
References: <20230426010600.BDEC4C4E1FC2@ary.qy>
Date: Tue, 25 Apr 2023 21:23:52 -0500
From: Jesse Thompson <zjt@fastmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="668d91bb18ae4c0c9977a964680e882c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YNUw_Em2sPIYrZmSi03tGIs_jrA>
Subject: Re: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2023 02:24:18 -0000

On Tue, Apr 25, 2023, at 8:06 PM, John Levine wrote:
> It appears that Scott Kitterman  <sklist@kitterman.com> said:
> >My recollection is that a general formulation that I proposed had at least 
> >some traction out of both groups:
> >
> >> [some appropriate description] domains MUST NOT publish restrictive DMARC
> >> policies due to interoperability issues
> 
> This seems like a reasonable approach. As a purely practical point, I
> cannot imagine this document getting through the IESG without some
> clear guidance about DMARC's interop issues.
> 
> R's,
> John
> 
> PS: If anyone was going to suggest we just tell people how to change
> their mailing lists to work around DMARC, don't go there.

How about:

Domains owners who have users who individually request 3rd parties to emit mail as an address within the domain MUST NOT publish a restrictive DMARC policy if they wish to support their users' usage of any potential 3rd party. Examples of 3rd parties include mailing lists and email service providers. These 3rd parties are not always aware of, or willing to work around, DMARC. Domain owners implementing DMARC as a means for governance by restricting the unauthorized usage of the domain MUST be aware that not all of the 3rd parties will make changes to work around DMARC, resulting in interoperability issues for their users' usage of the 3rd parties. Domain owners SHOULD provide an alternative address for these users within a cousin domain or subdomain that is not directly associated with the organization's brand-associated domain that is used for marketing and transactional email that needs the security benefits of DMARC. These users MUST use an address within a domain that does not have a restrictive DMARC policy.

(Not a troll. Not directly aware of humming (sorry, it's on my bucket list). Hopefully, didn't touch the 3rd rail. Honestly, in good faith, representing the perspective of an extremely large domain owner, users within said policy-restricted domain, and as a 3rd party commonly used by these, and similar, users.)

Jesse

v2.23.0 | Report a Bug | By Email