IETF Logo Mail Archive

Re: [dmarc-ietf] Next steps for RFC 7489 (DMARC)

"Murray S. Kucherawy" <superuser@gmail.com> Fri, 27 March 2015 06:59 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C7001A8AB0 for <dmarc@ietfa.amsl.com>; Thu, 26 Mar 2015 23:59:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WiLscbDEDtfJ for <dmarc@ietfa.amsl.com>; Thu, 26 Mar 2015 23:59:04 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 800D71A8A7C for <dmarc@ietf.org>; Thu, 26 Mar 2015 23:59:04 -0700 (PDT)
Received: by wiaa2 with SMTP id a2so18455106wia.0 for <dmarc@ietf.org>; Thu, 26 Mar 2015 23:59:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/kvJG4yZGBERHyuFWMG1fEWwNlsToTWycbxPVwqyzFg=; b=tT1Hkqq86vNsLsSlS5IeqAvVUzD65J7UeAkJIv6BkENIrZn1Cj+Lm0tvyzwAtbUVAC qCQbGWys6L6uUN0e/3SxysAyQPePg7+OqvbNXBW4+VCtZY1oNgQapXXiIr5SjIAeIZCV zO5qg3MPkHH5pGgikhoAieQG3vnjIqRBrBuzrH7mDTAllBThek8XQS5znGaopYC3Rklk zCPDzspHUyg/wRRxC/iLMLuhylnfTKDbcUMbJCn60p9Uo6bBFTVbTNaccZZA5cQaYARn AFp8qft/hF/YLkqYcJhxN8aorGR4RjoxNiDJXWSGz1HQkINlKXk3KjK3GXLl4Xjt7002 RpqQ==
MIME-Version: 1.0
X-Received: by 10.194.179.194 with SMTP id di2mr34744716wjc.4.1427439543260; Thu, 26 Mar 2015 23:59:03 -0700 (PDT)
Received: by 10.27.179.212 with HTTP; Thu, 26 Mar 2015 23:59:02 -0700 (PDT)
In-Reply-To: <87twx7j6yb.fsf@uwakimon.sk.tsukuba.ac.jp>
References: <20150318200459.23F9B18020A@rfc-editor.org> <CAL0qLwbvp_-zt61ZBFUkChHoB55Z3RjCoMmD-uHaU3RD4RZM9Q@mail.gmail.com> <C50BF729-D096-438C-A4A6-F720E59BFC9C@gmail.com> <BL2SR01MB60534ABA5171ABD31679F4A96000@BL2SR01MB605.namsdf01.sdf.exchangelabs.com> <CAL0qLwZF2=0rDC=6bSW-koGYJN_Dpx6Otpfh_LDW59gUNY3adg@mail.gmail.com> <550CAFEE.8060706@dcrocker.net> <CAL0qLwbO4ZhpdawCG6OcYeijbRVC9sCu7za+6dVKqRBKj0n_+A@mail.gmail.com> <550D6A2D.7050500@gmail.com> <87vbhunw0v.fsf@uwakimon.sk.tsukuba.ac.jp> <550E10C5.1070509@dcrocker.net> <CAL0qLwaoxqa9f6m3+gG3tGuNG+=otQz8HbavgGVPE7z_6zpPrA@mail.gmail.com> <55100395.4060003@dcrocker.net> <30834.1427141274@vindemiatrix.encs.concordia.ca> <55107A81.6000702@dcrocker.net> <3262.1427212761@vindemiatrix.encs.concordia.ca> <6F28A207601345BBAF012FED7BE612EE@fgsr.local> <CE39F90A45FF0C49A1EA229FC9899B0525FDC496@USCLES544.agna.amgreetings.com> <B7F274B2A3B54CBC9C527223DB36F65D@fgsr.local> <55136A23.8080306@isdg.net> <CAL0qLwZp-_ahqo13KM9-XXJYcECj5H7cuK_QCjWDEYVj_6XEGA@mail.gmail.com> <201503262312.t2QNCDeF002084@shadrach.encs.concordia.ca> <87twx7j6yb.fsf@uwakimon.sk.tsukuba.ac.jp>
Date: Thu, 26 Mar 2015 23:59:02 -0700
Message-ID: <CAL0qLwbS2My9Xmr1pc3LoB1ksST1GkOKg479J6uBS-cWatOj8g@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
To: "Stephen J. Turnbull" <stephen@xemacs.org>
Content-Type: multipart/alternative; boundary="089e01419d1cea1aad05123faac9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/ZX7NyW-s2TATw3lpXHqaPR3ZP4c>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, Michael Jack Assels <mjassels@encs.concordia.ca>
Subject: Re: [dmarc-ietf] Next steps for RFC 7489 (DMARC)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Mar 2015 06:59:07 -0000

On Thu, Mar 26, 2015 at 11:22 PM, Stephen J. Turnbull <stephen@xemacs.org>
wrote:

> Murray's point is that "proof of illegitimacy" is probably a pipe
> dream, as shown by past experience with "policy frameworks".[1]
> Legitimacy, on the other hand, is fairly easy to prove, as DMARC shows
> in daily use by financial institutions and in other transactional mail
> flows.
>

Put another way, you only really know something when DMARC, DKIM, SPF, etc.
produce a passing result.  (Due credit to Dave for this observation.)  All
of them have false negatives with respect to anything that's not a direct
mail flow, so "fail" results don't tell you anything conclusive if you plan
to accept any sort of mail that isn't direct.  What Hector characterizes as
a watering down of SPF with the publication of RFC7208 was merely this fact
put into text, even though it's been true since RFC4408.


> Footnotes:
> [1]  Hector is right that they haven't really been tried, but I don't
> think the chance that they'll be tried in the future is high, because
> the reasons they've been hard to implement in the past remain true.
>

I agree.  And although Hector likes to ascribe considerable power and
influence to me, I'm not the one standing in the way of their success.  I
would happily embrace any such solution that stood a chance of working.  I,
and others, simply ask some basic questions about scalability of such
solutions, their complexity, and their ability to be "gamed", and then they
never go anywhere because there simply aren't any good answers to those
questions.  Thinking I might be wrong, and since the same people insist I
am, I published RFC6541 (ATPS) as an experimental draft to try to tackle
the third-party problem, and made a free version of it available via open
source.  That was over three years ago.  There has been exactly one site
(one person, rather) that tried it besides me and reported back about its
effectiveness.  Though Doug will shortly claim that ATPS saw no uptake
because it is "flawed", I also had a grand total of zero operators report
that they were using it in any modified form or asking me to add this or
that to it before they would deploy it to production.  It wasn't just an
idea, it was a reality, but nobody came to play.

Policy and third-party solutions haven't failed because of some cabal
keeping them from seeing the light of day, unless by "cabal" you mean
"group of people who agree that this won't work."

These are hard problems, and the last thing any of us should want to do is
foist yet another blob onto the global email infrastructure that has not
been properly vetted.  If an idea doesn't stand up to scrutiny or gets no
uptake, or can't even get consensus in a small working group, what prayer
does it have for success on the greater Internet?  I want to make things
better, not worse.

There are those among you that disagree, I know.  Does anyone have actual
data (not theory, not passion, but data) that any of the policy or
third-party solutions we've discussed before can work, work just about
everywhere, and work at scale?  If the answer to that is "no" (or, as
usual, silence), then I suggest this (still!) isn't a productive use of our
precious time or energy.

-MSK

v2.23.0 | Report a Bug | By Email