Re: [dmarc-ietf] Ticket #1 - SPF alignment
Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 12 February 2021 04:24 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/aFxrTAchOEclF4Qx9aK70Fr46oA>
You missed my main point. I will restate it, and then address your threat question.

If there are N ways to establish authentication, then a recipient only needs to choose one of them, but a sender who wants to be validated by all recipients must implement all of them. One purpose of the specification is to constrain that complexity. So the convenient solution would be to say that SPF HELO must be ignored, except for null sender, because doing so reduces the number of variables that must be considered by senders. It is also probably consistent with the logic of many current implementations. I just do not believe that it is justified to tell recipients that they MUST NOT evaluate SPF HELO when MAILFROM is present.

An alternative would be to say that SPF HELO and SPF MAILFROM should both be evaluated. In the long run, this is arguably the best theoretical solution, but the fear of short-term pain from false positives probably makes this unattractive.

So, I am back to the only solution that seems justifiable: Senders SHOULD comply with both MAILFROM and HELO policies because SOME recipients may evaluate both criteria, but many will only evaluate MAILFROM because the incremental theoretical benefit seems less than the incremental cost.

- - -

To your point about threat vectors: DMARC alignment is based on nested layers of trust, and the trust is broken if you skip layers. The server operator provides a mail server environment to a mail domain, and the mail domain provides delivery services for an author. SPF proves that the mail domain (indicated by the MAILFROM address) really uses the services of the server domain, and therefore the server (indicated by IP address, HELO, and possibly ReverseDNS) is authorized to send messages on behalf of the mail domain. DMARC proves that the source server for the message was authorized to speak on behalf of the author (indicated by the From address).

You suggest that if SPF HELO passes, and aligns with FROM, then we have established that the server is authorized to speak for the author. This is true, but it does not establish that the mail domain in the MAILFROM address has that right. When the MAILFROM domain is different from the HELO domain, this implies that that MAILFROM domain is a client of the server domain. The server domain has the right to emit messages for the client, but the client domain does not have the right to email messages claiming to be from the server domain.

- - -

It can be asserted that the server domain should be able to use its firewall to prevent unauthorized servers from emitting mail, and should be able to use its outbound gateway to prevent client domains from emitting messages from the server domain, other clients, or any unrelated domain. These commonly implemented measures could eliminate the need for checking SPF HELO. Why should others check what the sender should be able to do for themselves? Are we prepared to make this argument? If so, then the existing wording stands, but needs a solid justification.

DF

On Thu, Feb 11, 2021 at 8:50 AM Scott Kitterman <sklist@kitterman.com> wrote:
> What problem are you purporting to solve?
>
> By problem, I mean a case where a bad actor can get a DMARC pass result if SPF HELO results are allowed to be used that they couldn't already get with a mail from result.
>
> I don't think such a case exists, which is why I think this entire line of argument is a waste of time.
>
> Scott K
>
> On Thursday, February 11, 2021 6:35:49 AM EST Douglas Foster wrote:
> > Applying SPF to DMARC could become out of scope, if we choose to remove SPF from DMARC and make it dependent only on DKIM. Until then, we need to have a shared understanding of how SPF is applied. This question asks whether that shared understanding exists.
> >
> > SPF involves two tests, which can be used together. This WG can insist that for DMARC purposes, only one can be used:
> >
> > "When the sender is not null, DMARC-evaluation only considers the SPF evaluation of the MAILFROM Address. SPF evaluation of HELO MUST NOT be considered for DMARC purposes."
> >
> > This wording seems implied by the current language, and by those who want to leave it untouched. Implication is different from specification, so our document should make this explicit. Unfortunately, an explicit MUST NOT requirement is hard to justify. When two domains are involved, and both domains have published policy information, what justification exists for ignoring some of the available security-related information?
> >
> > If we back away from MUST NOT, then we have to consider that some recipients MAY evaluate SPF HELO and SPF MAILFROM together, just as the SPF RFC expected them to be used, and as outlined in one of my examples. If some recipients MAY evaluate HELO, then senders SHOULD take care to ensure that HELO will generate a PASS. Our language becomes something like this:
> >
> > "When the sender is not null, DMARC-evaluation always uses the SPF evaluation of the MAILFROM Address. Some recipients may evaluate SPF HELO as well. To maximize recipient trust, senders SHOULD publish an SPF policy which ensures that both MAILFROM and HELO will produce SPF PASS results."
> >
> > DF
> >
> > On Wed, Feb 10, 2021 at 6:29 PM Dave Crocker <dcrocker@gmail.com> wrote:
> > > On 2/10/2021 3:24 PM, Douglas Foster wrote:
> > > > Huh? Are you asserting that SPF MAILFROM and SPF HELO are interchangeable? They are not, but they can work together.
> > >
> > > Perhaps I misread, but I thought I saw that this really is out of scope for this working group.
> > >
> > > d/
> > >
> > > --
> > > Dave Crocker
> > > dcrocker@gmail.com
> > > 408.329.0791
> > >
> > > Volunteer, Silicon Valley Chapter
> > > American Red Cross
> > > dave.crocker2@redcross.org
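The two readings debated in this message (DMARC's SPF leg uses only the MAILFROM identity unless the sender is null, versus also accepting an aligned SPF HELO pass) can be made concrete with a small evaluator. This is an added illustration, not code from the thread or from any DMARC implementation; it assumes the caller supplies SPF results as strings, and it approximates the organizational domain by the last two labels instead of consulting the Public Suffix List. The constructed scenario is the one Douglas describes: a client domain relays through a provider whose HELO aligns with the From domain.

```python
# Added example (not from the mailing-list thread): a minimal DMARC SPF-alignment
# evaluator that makes both readings of the MAILFROM/HELO question explicit.
# Assumption: organizational domain = last two labels (a real evaluator uses the PSL).

def org_domain(domain: str) -> str:
    """Approximate the organizational domain (assumption: last two labels)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_spf(from_domain, mailfrom_domain, mailfrom_result,
              helo_domain, helo_result, consider_helo=False, aspf="r"):
    """Return (dmarc_spf_pass, identifier_used).

    Default reading: with a non-null MAIL FROM only the MAIL FROM identity
    counts; HELO is used only for the null sender (bounces).
    consider_helo=True is the alternative reading from the thread: an SPF pass
    on an aligned HELO identity also satisfies DMARC's SPF leg."""
    if not mailfrom_domain:  # null sender: SPF evaluated HELO, so DMARC uses it
        ok = helo_result == "pass" and aligned(helo_domain, from_domain, aspf)
        return ok, "helo"
    if mailfrom_result == "pass" and aligned(mailfrom_domain, from_domain, aspf):
        return True, "mailfrom"
    if consider_helo and helo_result == "pass" and aligned(helo_domain, from_domain, aspf):
        return True, "helo"
    return False, None

# Constructed scenario (hypothetical domains): client.example sends through the
# provider server.example; HELO passes and aligns with From, MAIL FROM does not.
SCENARIO = dict(from_domain="server.example", mailfrom_domain="client.example",
                mailfrom_result="pass", helo_domain="mx1.server.example",
                helo_result="pass")

def scenario_results():
    """Evaluate the scenario under both readings, plus the null-sender case."""
    return {
        "mailfrom_only": dmarc_spf(**SCENARIO),
        "helo_considered": dmarc_spf(**SCENARIO, consider_helo=True),
        "null_sender": dmarc_spf("server.example", "", "none",
                                 "mx1.server.example", "pass"),
    }

if __name__ == "__main__":
    for name, result in scenario_results().items():
        print(f"{name}: pass={result[0]} via={result[1]}")
```

Under the MAILFROM-only reading the client's message fails DMARC's SPF leg even though the HELO identity is authorized for server.example, which is exactly the gap between "the server may speak for the author" and "the MAILFROM domain may speak for the author" that the message draws.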