Re: [dmarc-ietf] Response to a claim in draft-crocker-dmarc-author-00 security considerations

Joseph Brennan <brennan@columbia.edu> Tue, 21 July 2020 19:30 UTC

References: <bf5b68c74a3c487ca8a07a0a27061e47@com> <87zh7ur069.fsf@orion.amorsen.dk> <3829fac4748a48d0b752403450843bd5@bayviewphysicians.com> <c9353a06-ab31-c397-449e-7d36afbf655d@wisc.edu> <c2ad22cd-8b35-733f-bc4c-839e2c4b3e98@dcrocker.net> <5F172EF5.7000508@isdg.net>
In-Reply-To: <5F172EF5.7000508@isdg.net>
From: Joseph Brennan <brennan@columbia.edu>
Date: Tue, 21 Jul 2020 15:29:51 -0400
Message-ID: <CAMSGcLAKowXYir-ueOaWxuPcESmCAQEW5OqeZmu0kq2Cpvxqtg@mail.gmail.com>
To: hsantos@isdg.net
Cc: dcrocker@bbiw.net, Jesse Thompson <jesse.thompson=40wisc.edu@dmarc.ietf.org>, IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/cXTLupldagp53-PRJGY0jNPbOm8>

On Tue, Jul 21, 2020 at 2:08 PM Hector Santos
<hsantos=40isdg.net@dmarc.ietf.org> wrote:
>


> Second, DMARC is imposing a new security protocol based on the premise
> the "From" is not expected to be changed. How will the MLM/MLS fit?
>
> It can:
>
> 1) Supports the security protocol and the problem is solved.
> Exclusive domains made a published policy statement for exclusive
> signing.  Exclusive domains do not expect their users to be using
> their domains outside the workplace. The policy is honored.

My understanding of DMARC's purpose was to protect transactional
messages from sources like banks, credit card issuers, online shopping
venues, and the like. It supposed that those messages should pass only
directly from the source to the end point, and that that was so
important to security that transport through any intermediary should
be rejected as possible forgery. For example my bank statements come
from a different domain than mail from a person at the bank.

What blew it away was Yahoo's implementation of DMARC on end user
personal mail. It was at first believed by many that Yahoo would have
to roll it back when their users could not contribute to mailing lists
or send mail to people who had old-school forwarding. Instead the
industry started developing ways to get around DMARC by changing RFC
822 From headers and RFC 821 MAIL commands... which pretty much un-did
the DMARC concept of authorization.

It has been demonstrated that #1 is not happening, and it's because
sheer deliverability of legitimate email is the priority.


-- 
Joseph Brennan
Lead, Email and Systems Applications
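The exchange above turns on DMARC identifier alignment: the RFC 5322 From domain must align with either the SPF-authenticated RFC 5321 MAIL FROM domain or a verifying DKIM d= domain, and a mailing list changes the former and usually breaks the latter. The following is an added example, not code from the original thread or from any of its participants: a simplified evaluator of that alignment rule (RFC 7489 section 3.1, with the section 6.6.3 fallback to the organizational domain for the policy lookup) run over constructed messages that reproduce the scenarios in the discussion. The domain names, DMARC records, and the `relay_through_list` model of what a list does to a message are assumptions made for the illustration; the organizational-domain derivation is a crude stand-in for the Public Suffix List lookup the RFC requires.

```python
from dataclasses import dataclass, field

# Constructed DMARC records for the illustration (not real domains).
DMARC_RECORDS = {
    "example-bank.com": {"p": "reject", "adkim": "s", "aspf": "s"},  # transactional sender
    "example-mail.com": {"p": "reject", "adkim": "r", "aspf": "r"},  # consumer mailbox provider
    "example.org": {"p": "none"},                                    # the mailing list's domain
}


@dataclass
class Message:
    rfc5322_from: str                   # domain of the header From:
    mail_from: str                      # domain of the SMTP MAIL FROM (RFC 5321)
    spf_pass: bool                      # SPF result for MAIL FROM vs. the connecting IP
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verify


def org_domain(domain):
    # Assumption: last two labels approximate the organizational domain.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    # "s" = strict (exact match), "r" = relaxed (same organizational domain).
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_policy(from_domain):
    # RFC 7489 6.6.3: exact From domain first, then its organizational domain.
    for d in (from_domain, org_domain(from_domain)):
        if d in DMARC_RECORDS:
            return DMARC_RECORDS[d]
    return None  # no record: nothing to enforce


def dmarc_evaluate(msg):
    """Return (result, disposition) for the message's From domain."""
    policy = lookup_policy(msg.rfc5322_from)
    if policy is None:
        return "none", "none"
    spf_ok = msg.spf_pass and aligned(msg.mail_from, msg.rfc5322_from, policy.get("aspf", "r"))
    dkim_ok = any(aligned(d, msg.rfc5322_from, policy.get("adkim", "r"))
                  for d in msg.dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


def relay_through_list(msg, list_domain, rewrite_from):
    """Assumed model of a mailing list manager: MAIL FROM becomes the list's
    bounce address (an RFC 5321 change), the author's DKIM signature no longer
    verifies because the list tagged the subject or appended a footer, the list
    signs with its own domain, and optionally the From: header is rewritten to
    the list (an RFC 5322 change)."""
    return Message(
        rfc5322_from=list_domain if rewrite_from else msg.rfc5322_from,
        mail_from=list_domain,
        spf_pass=True,                      # list MTA is in the list domain's SPF record
        dkim_pass_domains=[list_domain],    # only the list's signature survives
    )


def scenarios():
    # 1. Transactional mail straight from the sender, strict alignment on both.
    direct = Message("statements.example-bank.com", "statements.example-bank.com",
                     True, ["statements.example-bank.com"])
    # 2. Personal mail from a p=reject provider, relayed by a list that leaves From: alone.
    author = Message("example-mail.com", "example-mail.com", True, ["example-mail.com"])
    via_list = relay_through_list(author, "lists.example.org", rewrite_from=False)
    # 3. The same list, but it rewrites From: to itself: DMARC is evaluated against
    #    the list's policy and the author's domain no longer appears in the check.
    via_list_rewritten = relay_through_list(author, "lists.example.org", rewrite_from=True)
    # 4. Plain forwarding: SPF fails at the final hop, but an untouched DKIM signature
    #    still aligns, so the message passes; a forwarder that alters the body would not.
    forwarded = Message("example-mail.com", "example-mail.com", False, ["example-mail.com"])
    return {
        "direct": dmarc_evaluate(direct),
        "via_list": dmarc_evaluate(via_list),
        "via_list_rewritten": dmarc_evaluate(via_list_rewritten),
        "forwarded": dmarc_evaluate(forwarded),
    }


if __name__ == "__main__":
    for name, (result, disposition) in scenarios().items():
        print(f"{name:20s} dmarc={result:4s} disposition={disposition}")
```

Scenario 2 is the failure Brennan describes for list traffic from a p=reject domain; scenario 3 is the industry workaround, which yields a pass only because the identity being checked is now the list's, not the author's.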