Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Dave Crocker <dcrocker@gmail.com> Mon, 01 April 2013 21:57 UTC
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4DC0E11E80F8 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 14:57:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fG7zF-rt5l0U for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 14:57:53 -0700 (PDT)
Received: from mail-qe0-f51.google.com (mail-qe0-f51.google.com [209.85.128.51]) by ietfa.amsl.com (Postfix) with ESMTP id 9B6C211E80F5 for <dmarc@ietf.org>; Mon, 1 Apr 2013 14:57:51 -0700 (PDT)
Received: by mail-qe0-f51.google.com with SMTP id nd7so1513118qeb.10 for <dmarc@ietf.org>; Mon, 01 Apr 2013 14:57:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=x-received:message-id:date:from:organization:user-agent :mime-version:to:cc:subject:references:in-reply-to:content-type :content-transfer-encoding; bh=yTfPvK5eZ5iknNbu0/XPNMdSSHauHXhpwjHrffcJvaA=; b=TxXFev3iM/4+UbuaKEz3OYUl80Dt+iWit8ZfEfAtFzZ8yvfB8iZWvGiCyUZuQXm/Q8 LccNKt5k9jU8l3cuSUd1Kz/jiYbKk/O7eivXbr/oow2l1s544cFf7MGiVvN52WcnAcrf DKVA7RKotgyPd+Iw6VLfPJTrzWXDSAJCt+/v8RZYyPOUqt7djtWBasJyx8zQoLhi1MGT FkinFekJusrf4mvEHZG1ENJ1gDtva3Ov//mDEnMxGStjuBCawoDOT8NiDjeQHerFE2nl 3KP3zAo2obr7iNrPl0ddH4gS9PSfTTKFBDj2XlCLnJjJIgIEBr5RUQWApHBOriATc2IX Wg3w==
X-Received: by 10.224.71.77 with SMTP id g13mr5310001qaj.93.1364853470988; Mon, 01 Apr 2013 14:57:50 -0700 (PDT)
Received: from [192.168.1.66] (76-218-9-215.lightspeed.sntcca.sbcglobal.net. [76.218.9.215]) by mx.google.com with ESMTPS id hm4sm166678qab.2.2013.04.01.14.57.48 (version=TLSv1 cipher=RC4-SHA bits=128/128); Mon, 01 Apr 2013 14:57:50 -0700 (PDT)
Message-ID: <515A02DB.2010309@gmail.com>
Date: Mon, 01 Apr 2013 14:57:47 -0700
From: Dave Crocker <dcrocker@gmail.com>
Organization: Brandenburg InternetWorking
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130307 Thunderbird/17.0.4
MIME-Version: 1.0
To: Terry Zink <tzink@exchange.microsoft.com>
References: <55b1222360ab4215a09a54da800d261b@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
In-Reply-To: <55b1222360ab4215a09a54da800d261b@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 21:57:56 -0000
Terry, On 4/1/2013 2:15 PM, Terry Zink wrote: > I am proposing an extension to DMARC. Whereas today DMARC requires > one of a DKIM pass or SPF pass, I propose we extend DMARC so that is > has the*option* to require both. The draft working group charter that Murray just circulated would make this effort out of scope, since it explicitly prohibits protocol enhancement. Are you suggesting a change to the draft charter? An alternative might be to find a way for this example scenario to provide the basis for some discussion, in the draft BCP, about the proper limits of DMARC. It wouldn't solve your protocol problem, but it might provide good pedagogy. Perhaps there are other alternatives? > Let's assume that BigBank.com has been dutiful and has published a > DMARC record. The problem occurs when Learning.edu gets compromised > and starts sending out spam. If a user starts sending out spam > fromjoe@learning.edu, we can detect this and shut it down. But what > happens if they start sending out mail assecurity@bigbank.com? I tend to draw a distinction between protection against internal problems, versus protection against external ones. Internal means that the misbehavior is caused by an activity within the administrative scope of the entity needing protection. External means that the problem behavior comes from some other administrative scope. The usual examples of the distinction are misbehaviors by a department, within the company owning the domain name, versus misbehavior from a classic spammer who is using the domain name without authorization. On the average, the tendency has been to pursue standardization that protect against external threats rather than internal ones. Internal ones are thought to be best handled... internally. > 1. example.com ----+ > | > 2. BigBank.com ----+----> Microsoft Forefront IPs ----> Internet > | > 3. Learning.edu ---+ The scenario you give might be considered as internal misbehavior, since there is a contractual relationship between Forefront and the sources of messages that you list. That is, the essence of the challenge is for Forefront to have mechanisms that distinguish what mail is authorized from what source, and what mail isn't. Per your example, it would require that it enforce its /own/ dmarc-ish policy to require that mail it is relaying for learning.edu be attributed to learning.edu, and so on. If I understand your note correctly, the problem that you cite with this is that Forefront doesn't know all of the acceptable domains for a given customer. Wouldn't it make more sense to fix this issue, rather than change the public standard and burden all recipients with the added complexity in software and operations? Without have thought about it much, I suspect that one approach to fixing this is for Forefront to /privately/ assert the type of dmarc-ish enhancement that you propose. That is, impose the requirement on its customers, thereby assuring that the mail it is relaying to the public Internet is 'safe', at least along this one line of concern. d/ -- Dave Crocker bbiw.net
- [dmarc-ietf] Proposing an extension to DMARC to o… Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Dave Crocker
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Murray S. Kucherawy
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Tim Draegen