Re: [dmarc-ietf] p=reject

"John Levine" <johnl@taugh.com> Tue, 19 March 2019 03:01 UTC

Date: Mon, 18 Mar 2019 23:01:28 -0400
Message-Id: <20190319030128.650AB201032169@ary.qy>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
Cc: mikedup84@gmail.com
In-Reply-To: <CAOXFXsuLdsZgA-uJEDApRgW6bmzx5cORbiy=2KM9tNxHjqBxNA@mail.gmail.com>
Organization: Taughannock Networks
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YcO4J69D7uvUoX3ozpwnBJZSR0w>
Subject: Re: [dmarc-ietf] p=reject

In article <CAOXFXsuLdsZgA-uJEDApRgW6bmzx5cORbiy=2KM9tNxHjqBxNA@mail.gmail.com> you write:
>If a sender's IP is in SPF, so SPF passes; and the applied DKIM signature
>is successfully decrypted, so DKIM passes; what good is checking alignment
>and rejecting a message?

The short answer is that bad guys can publish SPF and DKIM just as
well as good guys.  Anecdotally, it appears that bad guys are better
at it than good guys.

The point of DMARC is not just that a message is authenticated, but
that it is authenticated by the same domain that's on the From: line,
which makes it highly likely that the message is actually from who it
appears to be from, rather than from some random crook with an SPF
record and a DKIM signer.

There are certainly plenty of ways that DMARC can do unfortunate
things but in this case it's working as intended.
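
The alignment check discussed in the message above, as an added example that is not part of the original post or of any DMARC implementation: it evaluates identifier alignment as defined in RFC 7489 section 3.1, in relaxed and strict modes. The suffix set is a small constructed stand-in for the Public Suffix List, and all domains and function names are constructed for illustration.

```python
# Added illustration of DMARC identifier alignment (RFC 7489, section 3.1).
# PUBLIC_SUFFIXES is a constructed stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i = 0 tries the longest suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])          # assumption: unknown TLD is one label

def aligned(auth_domain, from_domain, strict=False):
    """Strict mode needs an exact match; relaxed compares organizational domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """spf: (result, MAIL FROM domain); dkim_sigs: list of (result, d= domain).

    DMARC passes only if at least one mechanism both passes AND is aligned
    with the From: header domain. A bare SPF or DKIM pass is not enough.
    """
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, aspf == "s")
    dkim_ok = any(result == "pass" and aligned(d, from_domain, adkim == "s")
                  for result, d in dkim_sigs)
    return "pass" if (spf_ok or dkim_ok) else "fail"

if __name__ == "__main__":
    # Constructed cases: (From: domain, SPF, DKIM signatures, aspf)
    cases = [
        # SPF and DKIM both pass, but for a domain unrelated to From:
        ("example.com", ("pass", "unrelated.example.net"),
         [("pass", "unrelated.example.net")], "r"),
        # SPF passes for a subdomain of the From: domain, relaxed mode
        ("example.com", ("pass", "bounce.example.com"), [], "r"),
        # Same message evaluated under strict SPF alignment
        ("example.com", ("pass", "bounce.example.com"), [], "s"),
        # SPF passes for a forwarder, author's DKIM signature survives
        ("example.com", ("pass", "lists.example.org"),
         [("pass", "example.com")], "r"),
    ]
    for from_domain, spf, sigs, aspf in cases:
        print(from_domain, spf, sigs, aspf,
              "->", dmarc_result(from_domain, spf, sigs, aspf=aspf))
```
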