[dmarc-ietf] Mandatory Sender Authentication
"Douglas E. Foster" <fosterd@bayviewphysicians.com> Mon, 03 June 2019 13:57 UTC
Return-Path: <btv1==0578190657c==fosterd@bayviewphysicians.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F294912023E for <dmarc@ietfa.amsl.com>; Mon, 3 Jun 2019 06:57:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bayviewphysicians.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6M0FEUI4tYC for <dmarc@ietfa.amsl.com>; Mon, 3 Jun 2019 06:57:13 -0700 (PDT)
Received: from mail.bayviewphysicians.com (mail.bayviewphysicians.com [216.54.111.133]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2CA3F120222 for <dmarc@ietf.org>; Mon, 3 Jun 2019 06:57:13 -0700 (PDT)
X-ASG-Debug-ID: 1559570230-11fa3116c82ba9b0001-K2EkT1
Received: from webmail.bayviewphysicians.com (webmail.bayviewphysicians.com [192.168.1.49]) by mail.bayviewphysicians.com with ESMTP id iCAeiNEHO8OBWa7t (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NO) for <dmarc@ietf.org>; Mon, 03 Jun 2019 09:57:11 -0400 (EDT)
X-Barracuda-Envelope-From: fosterd@bayviewphysicians.com
X-Barracuda-RBL-Trusted-Forwarder: 192.168.1.49
X-ASG-Whitelist: Client
X-SmarterMail-Authenticated-As: fosterd@bayviewphysicians.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bayviewphysicians.com; s=s1025; h=message-id:reply-to:subject:to:from; bh=D9KpZcCuAR2YG0tBLYYzW8WEwUHB3592pNsueWXNq0Q=; b=LG6UkCJNiLd0vflzabrA3D2t9aQNYFb+YCPfGBXa7zrijbIReN1kiNihO/7yeHRqw LBWWueK0E2bDIT2OMiBx1YDla8yx/xQGPUA6eiUGSm+owxVHYRigiIOFbpfWVU9Vf zlONe0i5Y9X3OLYi6Im/F0xkScBKbYMqEu/nEqDp4=
Received: by webmail.bayviewphysicians.com via HTTP; Mon, 3 Jun 2019 09:57:02 -0400
From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
To: dmarc@ietf.org
Date: Mon, 03 Jun 2019 09:57:02 -0400
X-ASG-Orig-Subj: Mandatory Sender Authentication
Reply-To: fosterd@bayviewphysicians.com
Message-ID: <e5ee6809b78b45ea937105f86d84f499@bayviewphysicians.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="d261a4af988142feb0e8de7196c97574"
X-Originating-IP: [192.168.72.245]
X-Exim-Id: e5ee6809b78b45ea937105f86d84f499
X-Barracuda-Connect: webmail.bayviewphysicians.com[192.168.1.49]
X-Barracuda-Start-Time: 1559570231
X-Barracuda-Encrypted: ECDHE-RSA-AES256-SHA384
X-Barracuda-URL: https://mail.bayviewphysicians.com:443/cgi-mod/mark.cgi
X-Virus-Scanned: by bsmtpd at bayviewphysicians.com
X-Barracuda-Scan-Msg-Size: 4016
X-Barracuda-BRTS-Status: 1
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/amX7WVi9MmmyEfNkQtkPPq4K3Ac>
Subject: [dmarc-ietf] Mandatory Sender Authentication
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2019 13:58:56 -0000
Our real goal needs to be mandatory sender authentication. Any secure email gateway must go through these steps: Source Analysis: Filter message from unwanted sources Sender Authentication: Filter messages that are attempting impersonation Content Analysis: Filter messages with unwanted content Content filtering always requires exceptions, and those exceptions are granted based on the sender. Such exceptions are only safe and appropriate if the sender is verifiable. If the exception is applied to an unverified sender, it is possible for a spamming impersonator to gain the elevated trust and reduced filtering which was only intended for the trusted sender. So Sender Authentication needs to become mandatory: Senders MUST implement SPF or DKIM, and SHOULD implement both. Although the MX list becomes a default SPF list for those who do not publiish a policy. MTAs MUST ensure that DKIM signatures remain verifiable. If they are unwilling or uinable to do so, they should reject the message with a PermError. Forwarders MUST either forward with breaking DKIM signatures, rewrite messages under their own identity, refuse the message, or discard the message as spam. IETF MUST provide a way for intermediate systems (both spam filters and list fowarders) to insert content under their own signature, without breaking original signatures. This will have implications for MUAs. Sure it will be hard, but has this not been what you have been trying to achieve for 15 years? SPF and DKIM provided the enabling technology, but they were deployed as sender options. Doug Foster
- [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Seth Blank
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication John R. Levine
- Re: [dmarc-ietf] Mandatory Sender Authentication Hector Santos
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- Re: [dmarc-ietf] Mandatory Sender Authentication Douglas E. Foster
- Re: [dmarc-ietf] Mandatory Sender Authentication Dotzero
- Re: [dmarc-ietf] Mandatory Sender Authentication Dave Crocker
- [dmarc-ietf] Display address, was Mandatory Sende… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Дилян Палаузов
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Dave Crocker
- Re: [dmarc-ietf] Display address, was Mandatory S… Hector Santos
- Re: [dmarc-ietf] Display address, was Mandatory S… Stan Kalisch
- Re: [dmarc-ietf] Display address, was Mandatory S… Dotzero
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely
- Re: [dmarc-ietf] Display address, was Mandatory S… Kurt Andersen (b)
- Re: [dmarc-ietf] Display address, was Mandatory S… Alessandro Vesely