IETF Logo Mail Archive

Re: [dmarc-ietf] p=quarantine

Todd Herr <todd.herr@valimail.com> Sun, 20 December 2020 17:10 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A65B93A10A9 for <dmarc@ietfa.amsl.com>; Sun, 20 Dec 2020 09:10:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3_i6tpwd5-wC for <dmarc@ietfa.amsl.com>; Sun, 20 Dec 2020 09:10:21 -0800 (PST)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 223723A0B60 for <dmarc@ietf.org>; Sun, 20 Dec 2020 09:10:20 -0800 (PST)
Received: by mail-qk1-x729.google.com with SMTP id h4so6964516qkk.4 for <dmarc@ietf.org>; Sun, 20 Dec 2020 09:10:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=gJwmOhOaImMtP2uJrSEdAL1REBUifSxHA+rhBiFXI8M=; b=HVg69XAdeXy7MFc5Km19Lgr1ticmXuuSCG1I2NrQJAPw1bPIWbpxdh2U4dSJu3v6+E r5Hcm5P8YusMlsBj2briESZMJesHc3AenII/Thrlc7TdjiDUkqPDZxCSb+9kujuYTdVj sb1bsFsiKiEI+3N0DBfC5cEez0/OWK1dFudeWtpWFDhQgxtkAn9NKG+2b1Z+oE17eYdM PKeHA8BN6h/tFT+qqs+lROak5VjPdf94u+DU3SnIx4nqui4tjlsrJ6/NTfgeCxP13Uko 2J2KvqxkiDbw1huQJIvpZepRFysztklv6rxXOdH4QnQXnysj8adCQ7FaeJ+5ZeOLNnie sp7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=gJwmOhOaImMtP2uJrSEdAL1REBUifSxHA+rhBiFXI8M=; b=fphFZgxeN1K4JS1m1GFqQd0Vm3Df4oBTwUuI19IgRp6M1cq9m3INHKjR9w4suA5Gfq ZRdFpAJfulh3H7i8I1+T221q1sl1fo7WVZc0owxq8sOt69t57XNu1Q5zj/1c5RHaFYF3 IebBlUox1pBi5m4uG8cq/G9Ffm2xW1OmVnXAluehXp/h3UXoNkHdnInh3LYCHv03znkE 9iE28YQ5Mdt4wLddeqlh8akpHaLGxA8ChMmB/V+/BnhuXruTZrn70y9cLHe+wxUQ8Hlk txrOEFrsTFGA+L0sTDumNGp+Egts//waEpFUznLqUAXvbRo41FdWspT8uHaddgQSGDmN tZBQ==
X-Gm-Message-State: AOAM533Gh+A+yET0dFkF+1Gub+Fvi0B6gLpwKEjIcuZowZCo+gbbULcM RkbuLXbOGlOXJ9AgL8cX6784OwV6fM7qwYMq9troPHOUUMr70A==
X-Google-Smtp-Source: ABdhPJx80/udodXA3p5GNxG+eBQmuWqVw6kjAQS01bGeU6bIWwOWNldZO7lSTSogJPN2KnmQH1Buwrxwrmqffkr4IL8=
X-Received: by 2002:a37:e20d:: with SMTP id g13mr14249482qki.325.1608484219437; Sun, 20 Dec 2020 09:10:19 -0800 (PST)
MIME-Version: 1.0
References: <20201211173722.6B4DF29782C7@ary.qy> <ea074aad-971b-abc6-d557-ea2f433b3cc7@gmail.com> <CAH48ZfxEjGHv99z3RGj+Z+KJaFVPvm6RG4UzkKuOoDQDVCmb3g@mail.gmail.com> <A5E108DC-2692-4927-B2C1-AE3FED6DA8AA@wordtothewise.com> <CAH48ZfwkPEgexwGvyMT_PevMM5ngBT_XRfHYi7Wy1yxMw1LP1A@mail.gmail.com> <A07FA3DE-4C51-48C4-A2E7-067987200E1F@wordtothewise.com> <CAH48ZfwykEJM9AXKrp+SS4SgM4N1W70eLqHW+PXB18a_TrV6iw@mail.gmail.com> <02f786e5-b7cd-9a89-e3e3-73594f3bcda0@mtcc.com> <CAHej_8nHfn4uT4oeFJN-pbd-u3vrv2WiSnmAH-2v35OBmSi1cg@mail.gmail.com> <e715de9a-5f24-8077-0038-14c664850bd1@mtcc.com>
In-Reply-To: <e715de9a-5f24-8077-0038-14c664850bd1@mtcc.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Sun, 20 Dec 2020 12:10:03 -0500
Message-ID: <CAHej_8=FoTmCg8goD-yC2nTPKzoMUTNjfJ4aeTC4j7vYJEf0sw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000086d42805b6e86acd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ZxlnnmDogkttj7yvFvpLJEq2mj4>
Subject: Re: [dmarc-ietf] p=quarantine
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Dec 2020 17:10:24 -0000

On Fri, Dec 18, 2020 at 4:55 PM Michael Thomas <mike@mtcc.com> wrote:

>
> On 12/15/20 8:01 AM, Todd Herr wrote:
>
>
> I'm not sure there's anything actionable about DMARC's policy values.
>
> you mean p=quarantine, or p=* in general?
>

Depending on the level of sophistication of a receiving email system, a
given email message can have dozens of signals (or data points) associated
with it, of which the relevant DMARC policy record, if it exists, is one.
Those signals can all be actionable, individually or collectively, or
ignored entirely, in that receiving system's decision to accept or reject
the message, and if it accepts it, the decision of where to place that
message.

If an applicable DMARC policy record exists for the RFC5322.From domain in
a message, the receiver can:

   - Perform the necessary authentication checks for DMARC validation, and
   use those validation results and the p= value as the sole or primary
   determining factor in how to handle the message, strictly applying the p=
   value in cases where it's not 'none' and validation checks fail
   - Perform the necessary authentication checks for DMARC validation, and
   use those validation results and the p= value as the sole or primary
   determining factor in how to handle the message, loosely applying the p=
   value in cases where it's not 'none' and validation checks fail (e.g.,
   placing the message in the spam folder even if p=reject is specified in the
   policy record)
   - Perform the necessary authentication checks for DMARC validation, and
   use those validation results and the p= value as one data point in a larger
   data set in how to handle the message
   - Ignore the DMARC policy record entirely



> Obviously indirect mail flows, such as mailing lists and forwarding,
> complicate matters greatly here, as the handling by the intermediary
> host(s) can and will lead to a higher percentage of authentication
> failures. The community has attempted to mitigate this problem;
> RFC5322.From header rewriting, RFC5321.From header rewriting (e.g., SRS),
> and ARC are among the attempts put forth so far, but none have been deemed
> The Solution(tm) yet. In my opinion, ARC has promise, because if a message
> reaches me as a receiver or even intermediary and fails the authentication
> checks I perform, ARC header sets in the message can tell me whether or not
> such checks passed at previous hops *if I trust the entities that inserted
> those ARC header sets*. In an earlier thread, I floated an idea about ARC
> sealer reputation, but it didn't draw much response, so I'll float it here
> again in the hopes that it does.
>
> We've always been able to check the reputation of lists that resign the
> message. The reputation is the previously (un)solved problem.
>
>
> Lists are a specific instance of the more general case of indirect mail
flows.

Any intermediate host can ARC seal and ARC-sign (a term I use as distinct
from re-sign) a message, an act that is meant to capture the results of
authentication checks done when it reached the intermediary. Whether or not
the receiver trusts those results (especially those results that claim that
authentication checks passed at the intermediary) when the message reaches
the receiver depends on the intermediary's reputation for being a truthful
sealer and signer, meaning whether or not it has established a history of
capturing authentication results that are true and accurate.

Since the receiver typically can't perform the same checks under the same
conditions that existed when the intermediary performed them (if it could,
we wouldn't need something like ARC) then the receiver has to decide if the
message is consistent with messages it's previously seen through direct
mail flows using that same authenticated identity that was captured by the
intermediary in the ARC header set.

If the indirect mail flow looks like the direct mail flow, then the sealer
is showing evidence that it can be trusted, and so the indirect mail flow
can receive the same treatment by the receiver that it would give to the
direct mail flow associated with the authenticated identity.

If the indirect mail flow looks different than the direct mail flow, then
the receiver can either decide to not trust the sealer and so treat the
indirect mail flow as unauthenticated, or perhaps it can dig into matters
further to see why the difference exists. A mailing list, for example, that
has subscribers whose domain is a consumer mailbox provider might just show
an indirect mail flow for that domain to the receiver that has a
substantially better overall reputation than the direct mail flow for that
domain to the receiver; rather than letting this difference impact the
level of trust in its sealing reputation that a receiver would assign to
the list, it may very well have to put in an override to its system for
tracking sealer trust.

-- 

*Todd Herr* | Sr. Technical Program Manager
*e:* todd.herr@valimail.com
*p:* 703.220.4153


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email