IETF Logo Mail Archive

Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

"MH Michael Hammer (5304)" <MHammer@ag.com> Mon, 01 April 2013 23:01 UTC

Return-Path: <MHammer@ag.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63DDA21F8F17 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 16:01:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_BIZOP=0.7]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2-NI1-BwzPw for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 16:01:16 -0700 (PDT)
Received: from agwhqht.amgreetings.com (agwhqht.amgreetings.com [207.58.192.4]) by ietfa.amsl.com (Postfix) with ESMTP id C179221F8F0F for <dmarc@ietf.org>; Mon, 1 Apr 2013 16:01:15 -0700 (PDT)
Received: from USCLES544.agna.amgreetings.com ([fe80::f5de:4c30:bc26:d70a]) by USCLES532.agna.amgreetings.com ([::1]) with mapi id 14.02.0328.009; Mon, 1 Apr 2013 19:01:14 -0400
From: "MH Michael Hammer (5304)" <MHammer@ag.com>
To: Dave Crocker <dcrocker@gmail.com>, Terry Zink <tzink@exchange.microsoft.com>
Thread-Topic: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Thread-Index: AQHOLyQDr9vuaJVnrUmomkiXMf3sBZjB9p9w
Date: Mon, 01 Apr 2013 23:01:13 +0000
Message-ID: <CE39F90A45FF0C49A1EA229FC9899B05633D4E@USCLES544.agna.amgreetings.com>
References: <55b1222360ab4215a09a54da800d261b@BL2SR01MB605.namsdf01.sdf.exchangelabs.com> <515A02DB.2010309@gmail.com>
In-Reply-To: <515A02DB.2010309@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.104.254.232]
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 23:01:20 -0000

Comments in-line.

> -----Original Message-----
> From: dmarc-bounces@ietf.org [mailto:dmarc-bounces@ietf.org] On Behalf
> Of Dave Crocker
> Sent: Monday, April 01, 2013 5:58 PM
> To: Terry Zink
> Cc: dmarc@ietf.org
> Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally
> require SPF and DKIM
> 
> Terry,
> 
> On 4/1/2013 2:15 PM, Terry Zink wrote:
> > I am proposing an extension to DMARC. Whereas today DMARC requires
> one
> > of a DKIM pass or SPF pass, I propose we extend DMARC so that is has
> > the*option*  to require both.
> 

This is a bad idea. While it solves your internal problem it potentially increases false positives for bigbank.com externally, thus trading one problem for another. I've been implementing SPF (ending with -all) and DKIM with private channel assertions since the end of 2007. One of the reasons for using the combination of SPF and DKIM ( and requiring only one to pass) is the reduction of false positives. 

Before trying to extend DMARC to account for internal problems - as Dave points out - I would look for other ways of resolving the problem. As I have said many times regarding email authentication implementation, one needs to get control of their mail flows. That is true in this case. If bigbank.com cannot control it's managers/employees and how they send mail then that is an internal problem that bigbank needs to address. There are plenty of other mechanisms for bigbank to control what it emits (in the case of spam). Perhaps MS should offer bigbank dedicated IPs - ESPs do this all the time for their customers. It may not be so critical for other customers. Sounds like a business opportunity to me.

> The draft working group charter that Murray just circulated would make this
> effort out of scope, since it explicitly prohibits protocol enhancement.
> 
> Are you suggesting a change to the draft charter?
> 

I prefer to avoid relying on limitations in the charter and focusing on the merits which IMHO don't rise to a level justifying this extension. One of the key merits of DMARC is that it focuses on solving a particular problem and based on the data it does that very well.

> An alternative might be to find a way for this example scenario to provide the
> basis for some discussion, in the draft BCP, about the proper limits of
> DMARC.  It wouldn't solve your protocol problem, but it might provide good
> pedagogy.
> 

This sounds like a good idea.

> Perhaps there are other alternatives?
> 
> 
> > Let's assume that BigBank.com has been dutiful and has published a
> > DMARC record. The problem occurs when Learning.edu gets compromised
> > and starts sending out spam. If a user starts sending out spam
> > fromjoe@learning.edu, we can detect this and shut it down. But what
> > happens if they start sending out mail assecurity@bigbank.com?
> 

It sounds like someone needs btter internal controls to prevent this.

> I tend to draw a distinction between protection against internal problems,
> versus protection against external ones.  Internal means that the
> misbehavior is caused by an activity within the administrative scope of the
> entity needing protection.  External means that the problem behavior comes
> from some other administrative scope.
> 

+1

> The usual examples of the distinction are misbehaviors by a department,
> within the company owning the domain name, versus misbehavior from a
> classic spammer who is using the domain name without authorization. On the
> average, the tendency has been to pursue standardization that protect
> against external threats rather than internal ones. Internal ones are thought
> to be best handled... internally.
> 
> > 1. example.com ----+
> >                    |
> > 2. BigBank.com ----+----> Microsoft Forefront IPs ----> Internet
> >                    |
> > 3. Learning.edu ---+
> 
> 
> The scenario you give might be considered as internal misbehavior, since
> there is a contractual relationship between Forefront and the sources of
> messages that you list.  That is, the essence of the challenge is for Forefront
> to have mechanisms that distinguish what mail is authorized from what
> source, and what mail isn't.  Per your example, it would require that it
> enforce its /own/ dmarc-ish policy to require that mail it is relaying for
> learning.edu be attributed to learning.edu, and so on.
> 
> If I understand your note correctly, the problem that you cite with this is that
> Forefront doesn't know all of the acceptable domains for a given customer.
> Wouldn't it make more sense to fix this issue, rather than change the public
> standard and burden all recipients with the added complexity in software
> and operations?
> 

+1

> Without have thought about it much, I suspect that one approach to fixing
> this is for Forefront to /privately/ assert the type of dmarc-ish enhancement
> that you propose.  That is, impose the requirement on its customers, thereby
> assuring that the mail it is relaying to the public Internet is 'safe', at least
> along this one line of concern.
> 
>

v2.23.0 | Report a Bug | By Email