IETF Logo Mail Archive

Re: [dmarc-ietf] Guidance around constructing an AAR when multiple AR headers are present?

Scott Kitterman <sklist@kitterman.com> Sun, 28 May 2017 03:28 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 002DE127866 for <dmarc@ietfa.amsl.com>; Sat, 27 May 2017 20:28:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.698
X-Spam-Level:
X-Spam-Status: No, score=0.698 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aUrWmfl3t6xT for <dmarc@ietfa.amsl.com>; Sat, 27 May 2017 20:28:44 -0700 (PDT)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3F671272E1 for <dmarc@ietf.org>; Sat, 27 May 2017 20:28:44 -0700 (PDT)
Received: from android-df929938bd25e485.home.kitterman.com (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id A0537C40643; Sat, 27 May 2017 22:28:41 -0500 (CDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1495942121; bh=Y+XM0BAGcshhovFn0xwkFSaRvjWLEkpCSwDVjWy6fYA=; h=Date:In-Reply-To:References:Subject:To:From:From; b=vJ12H34Q75ehnmkJnLpLGtQmdVXmuwGtD48A5t5NwcmZOcfsTnlRiFDVRzSnQbzFx cI2AuNL3on7f8HJV352LccTrRIftX8z8cbRUiy4s2ZLiuTAx0PJEk65d7//QagVTBb q6P1uwIUT1nip2Af7ciME9s0raJRAkZIX3BrP4wQ=
Date: Sun, 28 May 2017 03:28:40 +0000
In-Reply-To: <43d13efe-c0c4-62a6-490c-4e92eb265d65@gmail.com>
References: <CAOZAAfOsRrQF2M3NzcB3h2Tc03mtFfG8mOJ0pqU+_cx=whcBLQ@mail.gmail.com> <20170524192617.36732.qmail@ary.lan> <CABa8R6v4oGpFYeO8qGaKpbocr6f8V_+Hf7XavZ0h12d1RgWLBQ@mail.gmail.com> <CAOZAAfOrHku8x9UmxtkFNpRPdfgAzn2B2Kq6=Wngwk7bY1YpWw@mail.gmail.com> <alpine.OSX.2.21.1705241941430.29429@ary.qy> <CABa8R6s22u8E6zn5sBOc1C4B6kyLk8L7YaYnsz3VVHukm7CWFA@mail.gmail.com> <alpine.OSX.2.21.1705242026410.29429@ary.qy> <43d13efe-c0c4-62a6-490c-4e92eb265d65@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
To: dmarc@ietf.org
From: Scott Kitterman <sklist@kitterman.com>
Message-ID: <8F87F9DE-C87E-406E-BA49-6AEA5DC17283@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/aKh9eGuR9tpMykrmUeIKf_jOS6s>
Subject: Re: [dmarc-ietf] Guidance around constructing an AAR when multiple AR headers are present?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 May 2017 03:28:46 -0000


On May 24, 2017 8:34:38 PM EDT, Dave Crocker <dcrocker@gmail.com> wrote:
>On 5/24/2017 5:27 PM, John R Levine wrote:
>>>> Seems reasonable, give or take a word or two to make it clear we're
>just
>>>> talking about the ones for the current hop.
>>>
>>> There should only be the ones from the current hop if the admd is 
>>> stripping
>>> previously existing ones prior to adding any new ones per the
>authres 
>>> rfc.
>> 
>> I meant not to use a-r with different admds.  Should be obvious, but
>you 
>> never know.
>
>
>I'd expect a spec to declare that there must be only one A-R header 
>field, and that it is applied within the current, integrated mail 
>processing environment.  (I'd say within the current ADMD, but I think 
>there are valid scenarios where that characterization doesn't quite
>fit, 
>although the language can probably be contorted to make that 
>more-limited language sufficient.)
>
>Unless there is a very compelling need for multiple A-R header fields
>-- 
>and I don't think I've seen that asserted -- then the simplest thing is
>
>to declare them illegal and any occurrence of them as invalidating the 
>authentication mechanism(s).
>
>Really.  The goal here needs to be to make this a simple as possible. 
>It's the only way to get large scale support that interoperates well.

Nothing other than potentially ARC requires multiple AR header fields for different authentication types to be combined.  These different verification operations (e.g. SPF, DKIM, and DMARC) are generally performed be different processes that add their own AR field.

Requiring a single AR field will not make the system any less complicated, it only changes where you put the complexity.

It probably makes sense to stick the sender with the complexity of dealing with multiple AR fields and combining then, but let's not pretend there's an overall simplification here.

Scott K

v2.23.0 | Report a Bug | By Email