IETF Logo Mail Archive

[dmarc-ietf] Proposed text for p=reject and indirect mail flows

Barry Leiba <barryleiba@computer.org> Tue, 28 March 2023 08:15 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49749C15152D for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 01:15:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.553
X-Spam-Level:
X-Spam-Status: No, score=-1.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id alnwTAjsF451 for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 01:15:18 -0700 (PDT)
Received: from mail-ed1-f44.google.com (mail-ed1-f44.google.com [209.85.208.44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 390BDC14CEF9 for <dmarc@ietf.org>; Tue, 28 Mar 2023 01:15:18 -0700 (PDT)
Received: by mail-ed1-f44.google.com with SMTP id er13so5178692edb.9 for <dmarc@ietf.org>; Tue, 28 Mar 2023 01:15:18 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679991316; h=content-transfer-encoding:to:subject:message-id:date:from :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=YPvpo8/7hIpiWYTiYG8qyYJmtT9QlnpptOJwOR7h+xg=; b=C+uhnGS4nBLWsgyHHgI/+Rn93Fh7LkccwQ4jZ28XFoEPwaZUnR2c/uP/FZY+w3JWUb oq0JkCR6kimhV1EDWrEQLjJpDehd2Mk5Ng8CIhfcz3nQmzfLdk0Kl1gRoGSLx9TosHoh n1Zc6Sv5yvmmwPc6noI1RaQiBEMpJ6wFeYdCeDv2z/qsPIcKACThL31Zg+MxE3Hu28FV Vmp5EPX5K73v3ra1QFrexPzUZ6Cjua0sLtotNUabW0VHqDXxx4uGWYYLO3hm4hJ4sruu ZkHnq+HORMN0V8YeOhro/Bw+r41gEYkmigBGxi8emc7jxnLtIQcleUnPzToDasT8q5CX zg4w==
X-Gm-Message-State: AAQBX9e6mpUjjNo1UUMZ+rwOtb+2woxvClbhXJ1um8mmY69Vopgv1Mdc 5MtEsg5IrxM7kUYiXV1HA6eaxVrW1cRRQ2TTww+Ubq89elVZYw==
X-Google-Smtp-Source: AKy350YjnoJLXWw7dBCtmWNW8sbJy9mZACKuA2VF15v025VizCziWMrsrMVvEnHhv+GKYB3lw74fLW73rofoVjfRnM4=
X-Received: by 2002:a50:bb09:0:b0:4fb:30fc:1e98 with SMTP id y9-20020a50bb09000000b004fb30fc1e98mr6683353ede.0.1679991316089; Tue, 28 Mar 2023 01:15:16 -0700 (PDT)
MIME-Version: 1.0
From: Barry Leiba <barryleiba@computer.org>
Date: Tue, 28 Mar 2023 17:15:04 +0900
Message-ID: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Z2hoBQLfacWdxALzx4urhKv-Z-Y>
Subject: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 08:15:20 -0000

I raised this issue in the DMARC session in Vienna, and have let it
sit for a while so as not to derail other discussion.  As we're pretty
close to finished with the DMARCbis document, I'd like to raise it
again, this time with specific proposed text for us to discuss.

And so:

OLD

   5.5.6.  Decide If and When to Update DMARC Policy

   Once the Domain Owner is satisfied that it is properly authenticating
   all of its mail, then it is time to decide if it is appropriate to
   change the p= value in its DMARC record to p=quarantine or p=reject.
   Depending on its cadence for sending mail, it may take many months of
   consuming DMARC aggregate reports before a Domain Owner reaches the
   point where it is sure that it is properly authenticating all of its
   mail, and the decision on which p= value to use will depend on its
   needs.

NEW

   5.5.6.  Decide If and When to Update DMARC Policy

   Once the Domain Owner is satisfied that it is properly authenticating
   all of its mail, then it is time to decide if it is appropriate to
   change the p= value in its DMARC record to p=quarantine or p=reject.
   Depending on its cadence for sending mail, it may take many months of
   consuming DMARC aggregate reports before a Domain Owner reaches the
   point where it is sure that it is properly authenticating all of its
   mail, and the decision on which p= value to use will depend on its
   needs.

   It is important to understand that many domains may never use
   policies of “quarantine” or “reject”, and that these policies are
   intended not as goals, but as policies available for use when they
   are appropriate.  In particular, “reject” is not intended for
   deployment in domains with users who send routine email, and its
   deployment in such domains can disrupt indirect mail flows and cause
   damage to operation of mailing lists and other forwarding services.
   This is discussed in [RFC7960] and in Section 5.8, below.  The
   “reject” policy is best reserved for domains that send only
   transactional email that is not intended to be posted to mailing
   lists.

   To be explicitly clear: domains used for general-purpose email MUST
   NOT deploy a DMARC policy of p=reject.

END

I'm well aware that the MUST will *not* be followed by everyone, and
that some domain owners will feel that they need to use p=reject,
regardless.  I think that's fine: the standard should specify what's
right for interoperability, and I believe that improper use of
p=reject is extremely harmful to interoperability... so "MUST" is
correct here.  And no one will be arrested or fined for choosing not
to follow it.  We should still say it, nonetheless.

OK, have at it.

Barry

v2.23.0 | Report a Bug | By Email