IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Douglas Foster <dougfoster.emailstandards@gmail.com> Wed, 29 March 2023 18:41 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB7C5C15C2B0 for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 11:41:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1fRb3N9McfyK for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 11:41:45 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7BE6C15C522 for <dmarc@ietf.org>; Wed, 29 Mar 2023 11:41:44 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id y15so21443243lfa.7 for <dmarc@ietf.org>; Wed, 29 Mar 2023 11:41:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680115303; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=d3YwZrjY5pwksdVqB1icw+apweKbtG5DBty3ABn+KIM=; b=HIQTiIuMgLIeriVhO5dYlsOSRKijPKO+VCtOPahe81Roby8f9gVWJfk2k/l1TWH5j9 Q+8BFkMMXYJ33T+V5kDpj874SLbs33dnMWYA0gNiyKjsd1PYjaRerzB00uBXZ6YDX5Se 1GqDZZPrlo/+/64JV1o9WPyXHQCZQsk7CMg8MlMvbsOHeJQwvIeXzKoRgX437Bizb4eO 0vaLUahbGucfMaOL+PhWIltUhXcjXW0Qao/5j9tBp6/CzDV63FEscWsi79++cYmZMbWI 6l5dmID3OyZy0Dm+DXtKL9FSl7El31fzJlFUVHDIi3N8ZRgxCtyKo50qJdjAQyWX+Ws9 GNJg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680115303; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=d3YwZrjY5pwksdVqB1icw+apweKbtG5DBty3ABn+KIM=; b=q0jTZmHfSR/CETDVmxVwCpzZFZPBZjHrfYPX6ltUWo5AIsgt6x604JROooDzmgz9/4 hPWHLXWZN4btlYrVZqr2rs0SFLqxtxuDXa21HlhBiW46p5ySE3RlXWcgGf8JQmciJKtG Gg9Zm4HRb13pPjrVtfgJ55cD8Gkwkf3WQoOadL8z27dEiqqKNeQs461j9UoqhbsOJMTr olUs9ZUlUuovCNRvdwvLuim3hcUsBrddeem7M3MrXkLZ62rxFOobZr9IwTQRAtfrDVyP +Vy64Iw2pkHPdYLEXvuVHgZBi+5xhZPEJ4dpOU88/iihNecpqcH/mRa1LrLsHbfzQYiZ Xt9w==
X-Gm-Message-State: AAQBX9cOH9Ph5NvCQDnpVBC+2R2Iq8rIKpzQlFD71IJuld9fimvFftDR EDcAlbkIQbWT0UgWK7A1ocS9Dll0GIoL3QmduIA=
X-Google-Smtp-Source: AKy350b8RiusVK1R5nuxu6lyB/Mr57RJccPt/wIRuHCOcfBqAuGE58hCLGrF4XpVw9YbLDr1ZFIDaU4NmEc5wrU8RVo=
X-Received: by 2002:ac2:5e81:0:b0:4e8:5371:c884 with SMTP id b1-20020ac25e81000000b004e85371c884mr6204359lfq.5.1680115302843; Wed, 29 Mar 2023 11:41:42 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <6319292.vCqnBZbX7o@localhost> <CAHej_8nd1xyAgwASLJbuJHyXEAfHbjqxNH1XtJxKFyfyOneyug@mail.gmail.com> <13145172.pEV04Z3DvM@localhost> <CAHej_8msLJQ0vbZ2jzitjxrQ1wdim5bHJkiD-QrU5F0EJvQp0g@mail.gmail.com> <FCFEB95E-63F9-46C3-A5F4-FA6B02FA8EB5@episteme.net> <CAHej_8=GbmzyXaeEkyLkv6uKc0-owuMC6UspPNq9irT7nF8b7w@mail.gmail.com> <CALaySJLmRyyBLE7ZKy88XUS_hXr9M2uwc8jOCYBrBPeC+pCdCg@mail.gmail.com>
In-Reply-To: <CALaySJLmRyyBLE7ZKy88XUS_hXr9M2uwc8jOCYBrBPeC+pCdCg@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 29 Mar 2023 14:41:32 -0400
Message-ID: <CAH48ZfwPxCZrzM1-o9ioeJp67u88c9SXa44jquf7JYS5JtvGDQ@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000cec88b05f80e530d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Zut-2RV2RBFxrHEZI_YQvzu83jE>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 18:41:48 -0000

Suppose we use your language.  Some domains will still reject your advice,
so evaluators still need to apply intelligence to their disposition
decisions, if they care about  pleasing their account holders.

Mailing lists take a calculated risk by forwarding with changes.  Doing so
creates a trust problem between the list and the recipient's evaluator.
DMARC does not create the problem, it merely gives it visibility.

It is not the originator's job to solve the intermediary's trust problem,
especiallysince attempting to do so will facilitate the malicious conduct
of others.

Our job is to document the potential impact of decisions made by each
party: sender, forwarder, and evaluator.   It is not our job to decide
which party's interess must be sacrificed for the benefit of the other
participants

DF

On Wed, Mar 29, 2023, 10:15 AM Barry Leiba <barryleiba@computer.org> wrote:

> I'm very much against text such as this, as I think it encourages
> deployments that are contrary to interoperability and to the intent of
> p=reject.
>
> I contend that p=reject (as with the similar construct in the older ADSP)
> was intended for high-value domains and transactional mail, and that it was
> never intended for use in domains where general users send general email.
>
> I stand by the MUST NOT that I proposed.
>
> Barry
>
>
> On Wed, Mar 29, 2023 at 10:33 PM Todd Herr <todd.herr=
> 40valimail.com@dmarc.ietf.org> wrote:
>
>> On Tue, Mar 28, 2023 at 9:06 PM Pete Resnick <resnick@episteme.net>
>> wrote:
>>
>>> If you agree that interoperability is increased, then I'd suggest that
>>> you actually do agree that the proposed text is appropriate.
>>>
>>>
>>> I don't know that I agree that interoperability is increased...
>>
>> I'm having trouble squaring proposed language that says "Domain owners
>> MUST NOT publish p=reject because it breaks interoperability" with the
>> following language from section 5.8:
>>
>> Mail Receivers **MAY** choose to accept email that fails the DMARC
>>
>> mechanism check even if the published Domain Owner Assessment Policy
>>
>> is "reject". In particular, because of the considerations discussed
>>
>> in [@!RFC7960], it is important that Mail Receivers **SHOULD NOT** reject
>>
>> messages solely because of a published policy of "reject", but that
>>
>> they apply other knowledge and analysis to avoid situations such as
>>
>> rejection of legitimate messages sent in ways that DMARC cannot
>> describe, harm to the operation of mailing lists, and similar.
>>
>>
>> It seems inconsistent to state with certainty that authorized mail will
>> be rejected due to authentication breakage when there is no requirement
>> that a reject policy be honored (and we have plenty of evidence that Mail
>> Receivers are following the 'SHOULD NOT reject messages' guidance).
>>
>> Language that would be more consistent in guidance to the domain owners
>> might look something like this:
>>
>> After careful analysis of the aggregate report data as described in
>> section 5.5.5
>>
>> (Collect and Analyze Reports), Domain Owners **MAY** choose to change
>> their
>> policy from 'none' to 'quarantine' or 'reject'. If, in the Domain
>> Owner's judgement,
>>
>> unauthorized and deceptive use of its domain name in the RFC5322.From
>> field puts
>>
>> at risk the trust it has built with its recipients, then it is
>> **RECOMMENDED** that
>>
>> the Domain Owner make use of the p and/or sp tags to set policy to
>> 'quarantine' or
>>
>> 'reject' for those streams most at risk of loss of trust.
>>
>>
>> If going that route, probably want to consider expanding on 5.5.5, too; I
>> need to think about it some more.
>>
>> --
>>
>> *Todd Herr * | Technical Director, Standards and Ecosystem
>> *e:* todd.herr@valimail.com
>> *m:* 703.220.4153
>>
>> This email and all data transmitted with it contains confidential and/or
>> proprietary information intended solely for the use of individual(s)
>> authorized to receive it. If you are not an intended and authorized
>> recipient you are hereby notified of any use, disclosure, copying or
>> distribution of the information included in this transmission is prohibited
>> and may be unlawful. Please immediately notify the sender by replying to
>> this email and then delete it from your system.
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email