IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Hector Santos <hsantos@isdg.net> Tue, 27 June 2023 18:56 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 575CEC14CE51 for <dmarc@ietfa.amsl.com>; Tue, 27 Jun 2023 11:56:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="VTFzPrQm"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="rPFqSPao"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HdlQQrW43KjM for <dmarc@ietfa.amsl.com>; Tue, 27 Jun 2023 11:56:34 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03B95C14CE2B for <dmarc@ietf.org>; Tue, 27 Jun 2023 11:56:32 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=15702; t=1687892184; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Subject:Date: Message-Id:To:Organization:List-ID; bh=jEZg8GZ5GxXwOI9p2xMDRXZ7A itiWrGzfxw3I7EtDiw=; b=VTFzPrQmcajgqp8zJ2VLNW/OIdEI2+06ieJ3hnXBC kZY90QoPcKALE+A1JGcPDGKcp+hMzF8GA7JcWB7Y0OmNyFA/IwVo+JyVHiFd21Zc wnyN/ZqbZOMwbtNYImNocOrGp1rKKB8oylgarYTnoEPPWuS3jvzT9rYfP0nTEuQ+ /I=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Tue, 27 Jun 2023 14:56:24 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 3989895583.1.980; Tue, 27 Jun 2023 14:56:23 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=15702; t=1687892178; h=Received:Received: From:Subject:Date:Message-Id:To:Organization:List-ID; bh=jEZg8GZ 5GxXwOI9p2xMDRXZ7AitiWrGzfxw3I7EtDiw=; b=rPFqSPaoL7zrhnmqSYBcORm ckynFqEgBHmI+lf49NUUaJ+uTAE9n5ParZeTP1KzP7pQhIayrwl9eTadPZQzOqHD ogKh8SN2UttQ2Tt+Rjj7uj5xW2/BwSsq9dsUIr1ppBCBqmKiLA4V3X9N1cazlfDe CWu73kVACzahijXVARuw=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Tue, 27 Jun 2023 14:56:18 -0400
Received: from smtpclient.apple ([99.122.210.89]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 140980521.1.13220; Tue, 27 Jun 2023 14:56:17 -0400
From: Hector Santos <hsantos@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3EB828E0-7E26-4EFA-A8A9-73BD8B26A504"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Tue, 27 Jun 2023 14:56:06 -0400
In-Reply-To: <CAH48ZfwB-U_c=8KFcvSpSp-oXo4esy=x=cSgrWE6k4aF2hfFog@mail.gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com> <CAL0qLwasxzqJt7Hr7gZd86C=ivCrDUci_i6pkJJUTnqzL1pHMA@mail.gmail.com> <CALaySJ+gjR6D-OSE_07iSH2zXa7wypUQwPN1cL-1s+NC2S4L8g@mail.gmail.com> <99e1ef2d-053b-8cfe-f369-fa8475d142ae@tana.it> <CAH48ZfwB-U_c=8KFcvSpSp-oXo4esy=x=cSgrWE6k4aF2hfFog@mail.gmail.com>
Message-Id: <06619093-563E-454A-959C-37D90CBCCDEF@isdg.net>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
X-Comment: Missing recipient address appended by wcSMTP router.
To: dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_chdPxO4etsXt8_OoyTzIUl8vk0>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jun 2023 18:56:38 -0000

Since 2003, here is my out of the box, Wildcat! SMTP with wcSAP and wcDKIM add-on support, mail flow: 

(Note: for the record, email is a small Part, but a supportive part for many customer operations)

At SMTP, starting with connection

1) If Enabled, Check for DNS-RBL IP check, respond at step 8
2.0) Check for smtpfilter-connect.wcx script, run it if found
2.1) Check for Geo-Location IP Blocks, very unethical practice.
3) HELO/EHLO: Check EHLO/HELO on technical merit like IP Literal matching Connect IP (CIP)
4) MAIL FROM: Check for Local domain MAIL FROM spoof
5) MAIL FROM: Accept 250 pending RCPT validation
6) RCPT TO: not valid 550 
7) RCPT TO: Valid starts WCSAP.WCX (p-code) Wait for Response.

At WCSAP:

8)  WCSAP: Record if DNS-RBL IP blocked at 1, exit response 55z
9) WCSAP: Run sysop-defined text-based simple White/Block Accept/Reject If rules
10) WCSAP: Run SPF.  Failure return 55z or 45z
11) WCSAP: Run CBV,  Failure return 55z or 45z
12) WCSAP: return 250

Back to WCSMTP RCPT state

8) RCPT response provided, reject 55z/45z or 250 continue, Receiver-SPF header prepended.
9) DATA is transferred, Received: trace line prepended.
10 Before DATA response, run stack of SMTP mail filters written in-house or 3rd party:

At  SMTPFILTER-xxxxxxx.wcx, specifically SMTPFILTER-DKIM-VERIFY.WCX

11) Check for ADSP + ATPS
12) Check For DMARC + ATPS
13) Record Authentication-Results
14) DMARC Rejection Failures are DISABLED. Auth-Res Prepended.
15) Return any 55z, 45z or 250 based on SMTPFILTER-xxxx,wcx filters.

Back to DATA, 

16) DATA response is provided.
17) 250 mail is accepted, router signaled for MDA import or MTA forwarding.
18) Wait 30 seconds for client new transaction command, QUIT and/or DROP

Pretty much it.  

We have too much invested in the integrated Wildcat! Internet Net Server platform — one of the oldest platforms since the 80s.

My long time customers, sysops, sysadms, love the flexibility and  p-code and low code programmability for 3rd party developers!  

I have provided the DMARC option to the SMTPFILTER-DKIM-VERIFY.WCX to return 55z response for DMARC p=reject but it is compiler disabled.  However, anyone can write a new mail filter script to run at DATA for DMARC, but it has yet to happen.  Not surprise there.   If we don’t provide it, I don’t expect them to do it.

In WCSAP, the SPF handling of the result can be set to not reply with 55z for a SPF hard failure.  

This will allow SMTPFILTER-DKIM-VERIFY.WCX to see a SPF=fail Received-SPF header. But at the moment, out of the box, DMARC will never see a SPF reject.

From an innocent IETF implementor, my integration enhancement for DMARC might be:

With SUBMITTER enabled, you will MOST DEFINITELY see this from supportive clients:

	C: MAIL FROM:<return-path> SUBMITTER=pra 

where pra is Purported Responsible Address, normally 5322.From,  Low volume or not, you will see it.

I plan to use the PRA to get DMARC information. 

First I will assume the signer is aligned so the next check is for return-path alignment.  

Second, if auth=dkim tag exist,  I could offer an option to relax SPF in both WCSAP.WCX and SMTPFILTER-DKIM-VERIFY.WCX.

Without some signal at wcSMTP about DMARC,  SPF will most likely remain a hard rejection at WCSAP/SMTP (at RCPT state) before DMARC at DATA.

—
HLS

> On Jun 27, 2023, at 7:58 AM, Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:
> 
> Ale, here is an attempt at a formal model.   Application to the current question is at the very end.
> 
> Any test (DKIM, SPF, ARC) has these result possibilities:
> Pass
> No data or uncertain result
> Fail
> 
> The test results are imperfect, so we have to consider these probabilities
> 
> Probability that PASS is a correct result
>        Probability that a false PASS will be whitelisted or not blocked in content filtering
>              Net result that a false PASS is delivered to the user
> 
> Probability that a NoData / Uncertain result is correct (presumed 100%).
>       Probability that an Uncertain message is wanted or unwanted.
>           Probability that an unwanted message is or is not blocked by content filtering
>                Net probability that an unauthenticated and unwanted message is delivered to the user
> 
> Probability that FAIL is a correct result
>       Probability that a FAIL result is blocked by local policy (presumed 100%)
>            Probability that a false FAIL is actually wanted
>                   Net probability that false FAIL blocks a wanted message
> 
> My strategy is documented in my "Best Practices" draft submission.   To summarize my experience:
> - The frequency of a true PASS is high, so the probability of a false PASS is low
> - The probability of a false PASS being detected by content filtering is pretty good.
> - The frequency of a true FAIL is low, so the probability of a false FAIL is high.
> - Uncertain messages have a high percentage of unwanted messages, but also a non-trivial volume of wanted messages.
> 
> My conclusions:
> FAIL messages should be submitted to content filtering to collect more data
> Blocking on FAIL alone, despite content filtering PASS, has always caused me more harm than good.
> Treating UNCERTAIN as equivalent to PASS is harmful.  Uncertain messages can be as unwanted as FAIL.
> FAIL and UNCERTAIN messages need to be reviewed and confirmed.   When confirmed, the message is allowed or blocked based on local policies which are informed but not controlled by the sender's published policies.
> Quarantine on FAIL or UNCERTAIN is superior to Block, because it allows for ambiguity to be removed and policy rules to be updated
> When FAIL and UNCERTAIN volumes are too high, an arbitrary disposition can be applied immediately, but statistical sampling should be used to review the disposition decision after the fact, so that local policies can be updated.
> Application to the current AUTH proposal:
> I expect SPF AND DKIM will cause sender policies to be less believable, because a high rate of FAIL will occur on wanted messages, so I expect to treat SPF AND DKIM as SPF OR DKIM by local policy.
> I trust DKIM more than SPF so I see no reason to honor SPF ONLY. I will continue to apply SPF OR DKIM .
> I see the advantages of DKIM ONLY and will honor that policy when it is detected.
> Doug Foster

v2.23.0 | Report a Bug | By Email