[dmarc-ietf] Mandatory Sender Authentication

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Mon, 03 June 2019 13:57 UTC

From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org
Date: Mon, 03 Jun 2019 09:57:02 -0400
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <e5ee6809b78b45ea937105f86d84f499@bayviewphysicians.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/amX7WVi9MmmyEfNkQtkPPq4K3Ac>
Subject: [dmarc-ietf] Mandatory Sender Authentication

Our real goal needs to be mandatory sender authentication. Any secure
email gateway must go through these steps:

- Source Analysis: Filter messages from unwanted sources
- Sender Authentication: Filter messages that are attempting impersonation
- Content Analysis: Filter messages with unwanted content
 Content filtering always requires exceptions, and those exceptions are 
granted based on the sender.   Such exceptions are only safe and 
appropriate if the sender is verifiable.    If the exception is applied to 
an unverified sender, it is possible for a spamming impersonator to gain 
the elevated trust and reduced filtering which was only intended for the 
trusted sender.
  
So Sender Authentication needs to become mandatory:

- Senders MUST implement SPF or DKIM, and SHOULD implement both, although
  the MX list becomes a default SPF list for those who do not publish a
  policy.
- MTAs MUST ensure that DKIM signatures remain verifiable. If they are
  unwilling or unable to do so, they should reject the message with a
  PermError.
- Forwarders MUST either forward with breaking DKIM signatures, rewrite
  messages under their own identity, refuse the message, or discard the
  message as spam.
- IETF MUST provide a way for intermediate systems (both spam filters and
  list forwarders) to insert content under their own signature, without
  breaking original signatures. This will have implications for MUAs.
 Sure it will be hard, but has this not been what you have been trying to 
achieve for 15 years?  SPF and DKIM provided the enabling technology, but 
they were deployed as sender options.
  
 Doug Foster