Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

"Murray S. Kucherawy" <superuser@gmail.com> Sun, 09 April 2023 18:15 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 203FAC14CE25 for <dmarc@ietfa.amsl.com>; Sun, 9 Apr 2023 11:15:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rzf5VzI6g0-P for <dmarc@ietfa.amsl.com>; Sun, 9 Apr 2023 11:15:28 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97E81C14CF1A for <dmarc@ietf.org>; Sun, 9 Apr 2023 11:15:28 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id ga37so8317541ejc.0 for <dmarc@ietf.org>; Sun, 09 Apr 2023 11:15:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1681064127; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=DqdUSsaxLy1Vh+wISfYhI1tXMG/sDlpktMV6yi9IYdM=; b=mqcUiko72wtmxOJvnjEbAOuSOip5uuZEw6oRcmqFpRfeJy1LAospCVgMqvToyCtgzP ++xWC4VuwdEUuTrkilGy1F7Bqmf4zVfQi6BKvRt6/cC3Vxw9N1a+UYxUrJZ66nIhEyBL 1YFsx4fxCWNXy8iR9++homONpIBJdQgeJ7CabRdl0Pypzqj+MBOLlBGkPDnsm+Qs+flX pIfrrOeJOrwoQzC3n31cWt1NiHRYm1Z304D8sihjKu6hqzPWQJrk2nOmbL3cQQhnKHIM C4lQpw/6kyeeUafP5vidccaszQ6E++qbkssON0pX1LZva5N988KZyHwikwH+DfUkrYwD t48A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1681064127; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=DqdUSsaxLy1Vh+wISfYhI1tXMG/sDlpktMV6yi9IYdM=; b=TNUYmBKy8d1tkqx50KCOhvW2IW6rHKCNjIlRQF0dwIOL/nhM/1X7dtHdXPIGhxuQs8 OR3YzyvFuexXyMTd1BisZez+jKSrT5d1Ks+vKFjFdMg93V6izcA4fsvPk+P6zAo3skpR TCKS1Ql5t8grCHtyB60ecuW1x1xstxL0KRDQpzx5Mod0R21UwHwEwM5VoFa1I8SI5dJy 0elWouLnwv9/LyMAtADca+/zLZgvOykhfSythNTuw2IALw7ZXpiteveQwOsHM4saV9O7 EmF09VRWDqtWnQRMG+K8b9CI0OhI0jWW9tx88roxlKmHxIHNlNGMOf6QUsYXqillhZOi YQNg==
X-Gm-Message-State: AAQBX9fLgp57w8yzP5sSZV0rGSzvpHNDtsRA/UvKmbixEN7IVDIm9mtZ +i8wU+xdSjsU2ssgNIMLLxur54bv42eZ4jey3rU=
X-Google-Smtp-Source: AKy350bBZeBjwVePqgUv1NyzfMTW2ZBgIUpEmEfbko0Q8VUnGVz34BzZ70DePrcZPemgxyGbGiVkyw8lXUK5TE8BOFQ=
X-Received: by 2002:a17:906:f916:b0:94a:5bad:44ef with SMTP id lc22-20020a170906f91600b0094a5bad44efmr1327335ejb.11.1681064126661; Sun, 09 Apr 2023 11:15:26 -0700 (PDT)
MIME-Version: 1.0
References: <20230409005207.DCA8BBD1CC17@ary.qy> <4a0dba74-3e25-b9cb-dd64-20bf04ae76ba@tekmarc.com> <7b599a98-922a-44db-af91-2f8aa0f74181@app.fastmail.com>
In-Reply-To: <7b599a98-922a-44db-af91-2f8aa0f74181@app.fastmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Sun, 09 Apr 2023 11:15:13 -0700
Message-ID: <CAL0qLwbPzS-XfncBjrtunP8OQ=Z-yRLfnWZKQ0v1acvuWTvnZQ@mail.gmail.com>
To: Jesse Thompson <zjt@fastmail.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001d487705f8eb3e89"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/d4coVFh77pKQL60FNNToz4WomC4>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Apr 2023 18:15:33 -0000

On Sun, Apr 9, 2023 at 6:33 AM Jesse Thompson <zjt@fastmail.com> wrote:

> As Todd previously stated, my preference is for language that acknowledges
> the primacy of the domain owner over interoperability. CISOs have been sold
> (arguably, by the DMARC deployment companies' marketing) on the idea that
> there are security benefits. Maybe oversold, but there are benefits and the
> motivation will not change. Let's not also overlook the primary benefit that
> _the process of deploying DMARC_ gives to an organization: increased
> management and governance (enabled by the observability from the reports).
> In any case, the domain owner is motivated to deploy DMARC and gain the
> perceived benefits. If we are going to tell these motivated domain owners
> to MUST do something, at least make it something they might consider doing.
>

I don't think the way DMARC has been marketed is germane to discussions
about interoperability, which is what "MUST NOT" type language seeks to
resolve.

Nobody is denying that there's a security problem to be dealt with here.
It's a question of whether the side effects are acceptable.  And given that
DMARC only addresses direct domain attacks, and not lookalikes or similar,
I suggest that there's a clear imbalance when comparing the net benefits to
the aggregate costs.  If we're going to argue that that's not true, the
document probably needs to give that a much more thorough treatment than it
currently does.


> "Before a general purpose domain publishes p=reject|quarantine, the domain
> owner MUST emit mail from, or provide to their stakeholders/end-users, an
> alternative domain or subdomain with a p=none policy for any email that
> needs to traverse a non-DMARC-mitigating MLM or (more generally) from any
> 3rd party that cannot be authorized by SPF or DKIM alignment."
>

I think something like this is worthy of consideration.  It (or something
like it) is the very least we can do.  It is the very least we must do.

-MSK, participating
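The proposed text quoted above relies on a receiver-side mechanism that the thread takes for granted: DMARC policy discovery picks up a p=none record published at the subdomain (or an sp=none tag on the organizational domain's record) and applies it to mail whose From: uses that subdomain, so list-relayed mail that fails alignment gets "none" instead of "reject". The following is an added example written for this archive page; it is not code from the thread, from the DMARC working group, or from any DMARC implementation. It models RFC 7489 policy discovery (section 6.6.3) and identifier alignment (section 3.1) against a constructed in-memory DNS table, and it simplifies the Organizational Domain to the last two labels (an assumption; real receivers consult a public suffix list). The domain names and records are constructed.

```python
"""Added example: DMARC policy discovery and disposition for list-relayed mail.

Models the receiver logic of RFC 7489 sections 6.6.3 (policy discovery)
and 3.1 (identifier alignment) against a constructed in-memory DNS table
rather than live DNS, so it runs offline.  The Organizational Domain rule
is simplified to "last two labels" (assumption; real receivers use a
public suffix list).  All domain names and records below are constructed.
"""

# Constructed TXT records at _dmarc.<domain>.
DNS_TXT = {
    # General-purpose domain at p=reject, with an explicit p=none subdomain
    # record for list traffic (one way to follow the proposed text).
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.com",
    "_dmarc.lists.example.com": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    # Alternative: p=reject at the org domain with sp=none for all subdomains.
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=none",
}


def org_domain(domain: str) -> str:
    """Simplified Organizational Domain: the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict; empty dict unless v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return {}
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def discover_policy(from_domain: str) -> tuple:
    """RFC 7489 6.6.3: query the exact From: domain, then the org domain.

    Returns (requested policy, record).  If the record came from the org
    domain for a subdomain sender, 'sp' overrides 'p' when present.
    """
    rec = parse_dmarc(DNS_TXT.get(f"_dmarc.{from_domain}", ""))
    if rec:
        return rec.get("p", "none"), rec
    org = org_domain(from_domain)
    if org != from_domain:
        rec = parse_dmarc(DNS_TXT.get(f"_dmarc.{org}", ""))
        if rec:
            return rec.get("sp", rec.get("p", "none")), rec
    return "none", {}


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def disposition(from_domain: str, spf_pass_domain, dkim_pass_domain) -> str:
    """Return 'pass' if an aligned identifier passed, else the requested policy.

    spf_pass_domain / dkim_pass_domain are the domains for which SPF / DKIM
    produced a pass, or None when that check did not pass at all.
    """
    policy, rec = discover_policy(from_domain)
    spf_ok = spf_pass_domain is not None and aligned(
        from_domain, spf_pass_domain, rec.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        from_domain, dkim_pass_domain, rec.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy


if __name__ == "__main__":
    # A list at mlm.example.net re-sent the message from its own envelope
    # (SPF passes for the list's domain only) and modified the body, so the
    # author's DKIM signature no longer verifies.
    print(disposition("example.com", "mlm.example.net", None))        # reject
    print(disposition("lists.example.com", "mlm.example.net", None))  # none
    print(disposition("lists.example.org", "mlm.example.net", None))  # none (via sp=)
    print(disposition("example.com", None, "example.com"))            # pass
```

The two relayed cases differ only in the From: domain the author chose; the list's behaviour is identical, which is the point of the proposed text. Note that the sp= route leaves every other subdomain of example.org at none as well, while the explicit subdomain record scopes the relaxed policy to the one subdomain set aside for list traffic.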