IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate reporting - one DKIM signature

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 01 November 2022 02:08 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33BEBC14CF04 for <dmarc@ietfa.amsl.com>; Mon, 31 Oct 2022 19:08:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.104
X-Spam-Level:
X-Spam-Status: No, score=-7.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bl0ypnSRCiZK for <dmarc@ietfa.amsl.com>; Mon, 31 Oct 2022 19:08:49 -0700 (PDT)
Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31475C14F73B for <dmarc@ietf.org>; Mon, 31 Oct 2022 19:08:49 -0700 (PDT)
Received: by mail-lj1-x230.google.com with SMTP id k19so18678134lji.2 for <dmarc@ietf.org>; Mon, 31 Oct 2022 19:08:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=ElrYJ9QowSVcS/cenm76rehhnwU8vJVcdYZpMd3bF1g=; b=FMVaBq5cIK0440X4yb+9hhE3b7YQQsHP0NlAAKoanVeYEpe1d+jjzi//RN7uHP7Hvq ytuzJSWJkJ6xEDC01+kI58xM96FWKBtPNWZbvdtQBMNsQq8n+fTDBYHrlJ3tzpfjOcMD 15DHkc3KfNcxP3xINSXKSSibqHi3ltPzSMUZBodpnhZpKKKJjSZAkgtAA67jR0oj7KlY JyPjHESGT3LNgS2KUL50xwPO0HF8yGHW1H3sJmrwQ08yeKWIaxVDnnDUNrhq8rTbNYWI 4bEzF7n0SVfE9+jYJ5Vq/P2/u5DkP9vh25WQR8MdKYPv79mwsgHPxVlkxonodqdZJO8q 7TaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=ElrYJ9QowSVcS/cenm76rehhnwU8vJVcdYZpMd3bF1g=; b=jw7lGMQRlgEVG7H9qSA2PuSMTV/iU6SymVM94n67/Wl4OjWvu6I4VGfyj4YOHDz8et D00hYXiW6OpwMaYFoho/oV8AXw1PBwIuje6owdBykUMcYcx15AdSRUaTW0yEQHj9YjSA DrkRyeEs+FBc1xpMfFWua3ckTEDrBtuF2PlJEGbx4oAdYvC/LDr3gOcwUzcFHH5xvWj6 7sdvGWR3bOTEDqkfzxN3vJY+tyXYwpb6n741mDzzXzsgspZ7VlXOOwWY2pFEkLRS2GHc 1izHOaHsRKkCVaNXxhOLqAl84HSwgdOC4zFBogE9QDezZjsGI7vc1HElOL/8uubYEPGW apqg==
X-Gm-Message-State: ACrzQf1a2vzXp6nwRm0Utd+jt6xqmJhsiMM//fueO1pQaMM0sq7V2s3F MqdYz+Qh+suSo01mdYPyizNU94Ids27QjdjRNWkXS2RQHVI=
X-Google-Smtp-Source: AMsMyM72tv/4QuxchUPmjRo21deRpD14aQKQCsSapR1vY/wuFjhnlD1IzuxApJ+5JP1pnInajLHb0PGFDrDvLEPQMus=
X-Received: by 2002:a2e:8081:0:b0:277:b:33db with SMTP id i1-20020a2e8081000000b00277000b33dbmr6170014ljg.228.1667268526089; Mon, 31 Oct 2022 19:08:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48Zfw0sK9cyCrCHFa2p-_CPyot2MaHLMaCPKPAK09jiCHv1A@mail.gmail.com> <6afc54a2-08df-fb7f-1ee3-798f98d2bc59@tana.it>
In-Reply-To: <6afc54a2-08df-fb7f-1ee3-798f98d2bc59@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 31 Oct 2022 22:08:34 -0400
Message-ID: <CAH48ZfzONWX31ZLrrGEuLroRGriZwLnhpSQGpEMiNqu8j6-vsw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003e285505ec5f34ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/aag6D8dcKpvXdhuu5latonDtI_4>
Subject: Re: [dmarc-ietf] Aggregate reporting - one DKIM signature
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2022 02:08:53 -0000

Let's skip past the wording issues and head to the core issue:   one
signature or many?

Ale has restated the conventional wisdom, which is based on intuition:
 more data is always better than less data.    Only a few weeks ago, I
accepted that axiom.   But the conventional wisdom does not hold up to
scrutiny.    Server identity, MailFrom identity, and one aligned signature
provide all of the data needed.

Identifying and configuring authorized servers:

First, cull out data servers that pass DMARC on both SPF and DKIM.   This
mail was received directly and the source servers are properly configured.

Second, cull out the data for servers that pass aligned SPF but not DKIM.
 These appear to be internally-controlled servers that do not apply correct
DKIM signatures.   Find them and assign a DKIM scope ID.  This will reduce
the number of suspect servers because non-altering forwards will begin
producing DMARC PASS.   Of course, if your SPF scope is allowing an
unauthorized server to send messages on your behalf, fix your SPF record
and fire the vendor who broke your trust.

Third, if an IP address is identified as under organization control but not
passing SPF, find and fix the problem with your SPF record, as well as
assigning a DKIM scope ID.

Fourth, identify messages from well-known email service providers.   These
vendors do not forward and do not impersonate.  If you see a
ConstantContact server sending unsigned mail for your domain, you can know
that somebody in your organization has hired them to do so.   Find that
person and assign a DKIM scope ID.

That should be enough to identify all authorized servers.


Evaluating unauthorized servers

Once all authorized servers are identified and properly configured, we can
move onto the possibility of evaluating unauthorized servers.   The IP
representing a source of unauthenticated messages can be playing one of
three roles:
- It originated an unauthenticated message.
- It received an authenticated message but made alterations that caused it
to lose authentication.
- It received an unauthenticated message and chose to deliver it anyway.

In the first and second case, the reported server is fully responsible for
the unauthenticated state of the message.   In the third case, if the
message is malicious, then the reported server is guilty of reckless
forwarding.   The last case is also the least important, because forwarding
is a tiny portion of the total mail stream.   Whatever source is hidden by
reckless forwarding, it will be exposed by all of the unauthorized messages
that are received directly.

Of course, some unauthenticated mail is malicious and some is wanted.
 Evaluators carry the responsibility of protecting their users from
unwanted email.   If a reporting system consistently accepts
unauthenticated messages from a particular IP address, server organization,
or MailFrom domain, then they may have determined that those messages are
wanted and non-malicious.  So acceptance behavior helps to segregate
acceptable sources from malevolent ones.

None of this requires unaligned signatures.  If there is a case when those
extra signatures are important, please present it.

Doug Foster



On Mon, Oct 31, 2022 at 8:36 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Sun 30/Oct/2022 19:31:04 +0100 Douglas Foster wrote:
> > Here is proposed language to amend the Aggregate Reporting draft.
> >
> > 1) Replace section 2.1.2 with this:
> >
> > DMARC Aggregate Reporting provides information needed for domain owners
> to
> > ensure that their messages originate with SPF PASS for the
> RFC5321.MailFrom
> > domain and aligned DKIM PASS for the RFC5321.From domain.
>
>
> Section 2.1.2's title is *DKIM Signatures in Aggregate Report*.  Are you
> proposing to change its title?  Otherwise why a generic sentence about SPF?
>
> I wouldn't say that a message /originates/ with SPF PASS.  An spf=pass
> result
> will only be obtained on reception.  Messages originate at MUAs and may be
> revamped at MSAs.  Neither of those has to have an IP registered at the
> domain's SPF record.  SPF IPs are those of the boundary servers.
>
>
> > As a side effect, Aggregate Reporting also provides information about
> servers
> > that choose to deliver messages which are not authenticated by the
> domain
> > owner's DMARC policy.  DMARC is not designed to determine the motivation
> behind
> > a server which delivers unauthenticated messages.
>
>
> Allowing domain holders to have insight into which IP addresses are
> sending on
> their behalf is not a side effect, it is the primary focus of DMARC
> reporting.
>
> There is a field in aggregate reports which states the reason why the
> domain's
> policy was overridden.  And it is there by design.
>
>
> > Consequently, only aligned identifiers are relevant for Aggregate
> Reporting,
> > in the same way that only aligned identifiers are relevant for
> determining a
> > DMARC result.
>
> How you derive that consequence is obscure to me.  Any identifier,
> especially
> if authenticated, is relevant.
>
>
> > DMARCbis allows non-aligned identifiers to be included in report rows,
> for
> > compatibility with RFC 7489, but the practice is deprecated.
>
> Disagreed.
>
>
> > DMARCbis seeks to maximize reporting participation by minimizing the
> processing
> > burden placed on evaluators during both message evaluation and report
> > generation.  A specific design goal is to require only that
> evaluation-time
> > processing which is required to determine a result for the SPF and DKIM
> > components, both of which MUST be evaluated for each reported message.
>
>
> Evaluating DKIM signatures is indeed a burden, especially if using long
> keys.
> The cost of adding an evaluated identifier to a report, in comparison, is
> totally negligible.  Nobody is going to evaluate a signature at report
> generation time, because the message might have been deleted and/or DKIM
> keys
> revoked after some hours.  The only issue is how to store and retrieve the
> results.  That's how the content of aggregate reports is determined.
>
> Considerations on what to evaluate don't belong to aggregate reporting
> spec.
>
>
> > DMARCbis requires only one aligned DKIM identifier to be reported per
> message.
>
>
> Disagreed.
>
>
> > When the aligned DKIM result is PASS, the identifier which generated the
> > PASS result is reported.   When all aligned DKIM identifiers produce
> FAIL, the
> > aligned signature which is closest to the top of the message should be
> chosen,
> > because it is most likely the last one applied and therefore the one
> least
> > likely to be superceded.   Additional aligned identifiers MAY be
> reported at
> > the discretion of the evaluator.
>
>
> As long as aggregate reporting also serves to convey an insight on abuse,
> authenticated identifiers have some relevance.  Reporting failed
> identifiers
> serves to direct domain owners to fix their signing practices, and is only
> relevant during the initial period of deploying the signing software.
>
>
> > By reporting on the most important DKIM identifier only, aggregation
> levels are
> > increased, report generation complexity is reduced, and report sizes
> will be
> > reduced.   Smaller reports lower the bandwidth burden for message
> transmission
> > and reduce the need to fragment reports into multiple messages.
>
>
> I don't think this leads to significant savings.  My understanding is that
> the
> size limiting suffix of the rua= URI was stroked because reports exceeding
> the
> commonly accepted 10Mb size have not been observed.  That is to say,
> fragmentation doesn't seem to be an issue.
>
>
> > Because an excessive number of signatures might be used as an attack
> method,
> > evaluators are cautioned to limit the maximum number of DKIM signatures
> that
> > they evaluate.
>
>
> Agreed, but this statement doesn't belong to aggregate report spec.
>
>
> > For similar reasons, and to ensure interoperability between report
> > generators and report receivers, report generators that provide more than
> > the one required DKIM result, must limit results to a maximum of 10
> > concurrent DKIM signatures.
>
> I don't recall a report with more than 10 signatures, but if it arrived it
> couldn't cause any DoS nor any interoperability issue.
>
>
> > 2) Change the XML schema to limit the maximum number of DKIM results:
> >
> > <xs:complexType name="AuthResultType">
> >    <xs:sequence>
> >      <!-- There may be no DKIM signatures, or multiple DKIM
> >           signatures. -->
> >      <xs:element name="dkim" type="DKIMAuthResultType"
> >                  minOccurs="0" maxOccurs="10"/>
> >      <!-- There will always be at least one SPF result. -->
> >      <xs:element name="spf" type="SPFAuthResultType" minOccurs="1"
> >                  maxOccurs="unbounded"/>
> >    </xs:sequence>
> > </xs:complexType>
>
>
> I see no reason to put such a limit.
>
>
>
> Best
> Ale
> --
>
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email