IETF Logo Mail Archive

Re: [dmarc-ietf] non-mailing list use case for differing header domains

Dotzero <dotzero@gmail.com> Wed, 05 August 2020 19:52 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA0093A0EE5 for <dmarc@ietfa.amsl.com>; Wed, 5 Aug 2020 12:52:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gpeyrq3Y6SPb for <dmarc@ietfa.amsl.com>; Wed, 5 Aug 2020 12:52:29 -0700 (PDT)
Received: from mail-wr1-x42b.google.com (mail-wr1-x42b.google.com [IPv6:2a00:1450:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 466573A0EE0 for <dmarc@ietf.org>; Wed, 5 Aug 2020 12:52:29 -0700 (PDT)
Received: by mail-wr1-x42b.google.com with SMTP id 88so41789646wrh.3 for <dmarc@ietf.org>; Wed, 05 Aug 2020 12:52:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+68YhEvrU00ywzEiBT0y0mdG/XqfZ1RSHUvHJXq68nc=; b=D/15fLqI0aqWKJacBWG4EEus36oCq5Rz/Vch1hz8B4l5DJpYT2NYUB+qdZJmUvRjO3 odv3vqtcfhCAe0lv+fbp2X39aBxrgNMPHulcptEc8zCng81uPe0NWMKtJ2le4RfTKtPw gG4KMn+/pEnURk/oegMuHg570tl5So7saPSC+u6b4pllyRqehJ3KvqxVTVaXmExRBsul HyYLpN98ZurxkbC5lBCNNwBnMOrbQSYqiY80Vgq/PKCoSYgDyO00vRtZvzKwkHt/zL7J s/UR0MURus1FgrrN2ao9SY6zW2kk9Sr2bjp66ewf8WT8Ayq+LO62SuqGExfFLg6hbpn/ C8ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+68YhEvrU00ywzEiBT0y0mdG/XqfZ1RSHUvHJXq68nc=; b=WS2epNRq5lyAbgQnGdMY7etgswj57IXUj1cMCwpP59z/7Q2jGlKwB9536MNnLlyQxP txwvEYRr7h+6MGUTMCTOrL1OfwIRJnWjweF232cZ6O458bPhrZT2X1UZpjQi/G7Lipzg at7aqfhRMCjtMYyf8vpt1rNph99dVYeCIIBTm7PyHS24AE/lxOnEOeYtxXgXEMSLhdtw LsnoZOLANDY3T9IGXAhezfXa9TPFmEKDXRIELhD6msBIftzbjfC4UYECAVQ9Ik43c5UE hiwW0vVvY7GQ4ejYR7b6TtWJUryOEeAqNN0Rr4y4AbjHRnSnWeAglgJFB7wXuzw9U7kg a5Dg==
X-Gm-Message-State: AOAM530IzoEi/x77Q++Os3mK1JtPBmTQUfFQ+BwApP6vwGKiozBVhmrG +LQvzOdTs7eJbGXIQ0w9DjCFlTKZrTuJvWhTIN5nIQ==
X-Google-Smtp-Source: ABdhPJy3j7F3Sunen6WbrVjXWkB0rqivpqS3KbZmNfdeJIZoN2Onq+suO7LcXiaj2Ih3rh8eRqe0Mh/ftBdh4yG2ACY=
X-Received: by 2002:a5d:4ecf:: with SMTP id s15mr4165191wrv.202.1596657147657; Wed, 05 Aug 2020 12:52:27 -0700 (PDT)
MIME-Version: 1.0
References: <20200802165756.3892C1DC82FD@ary.qy> <719dce3edbc54b25b6ebf248170e7eb2@bayviewphysicians.com> <CAL0qLwYFoGHL13tLOnbgf97qtgLFDo4AmutZdQvMVsuX56Vz0Q@mail.gmail.com> <fa39426a-c14b-493c-85f2-58a682461c2d@dcrocker.net> <0bc56bf161c54870b4655e98d7297f64@bayviewphysicians.com> <be655ca9-52b0-0fa6-1293-06f64a4984f0@bluepopcorn.net> <CAJ4XoYc3+uUg+1pLPxg_cS+ULTrRZFCXh3sCwmWqeF0iFetv7A@mail.gmail.com> <6053db20-b888-d597-476b-e76f47633fb3@tana.it> <df79dfef-0fd7-805e-d3ec-5373513155a6@wisc.edu>
In-Reply-To: <df79dfef-0fd7-805e-d3ec-5373513155a6@wisc.edu>
From: Dotzero <dotzero@gmail.com>
Date: Wed, 05 Aug 2020 15:52:15 -0400
Message-ID: <CAJ4XoYesOjwEHnZo2wdJVxYqXXmJ0XF+GDtKDvota-m_0JyGmw@mail.gmail.com>
To: Jesse Thompson <jesse.thompson=40wisc.edu@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001d423705ac26b6c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/djpEggveg7vf2XnyMNQ5x0qbdWw>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Aug 2020 19:52:32 -0000

On Wed, Aug 5, 2020 at 12:39 PM Jesse Thompson <jesse.thompson=
40wisc.edu@dmarc.ietf.org> wrote:

> On 8/4/20 11:52 AM, Alessandro Vesely wrote:
> > On 2020-08-04 6:10 p.m., Dotzero wrote:
> >> On Tue, Aug 4, 2020 at 11:39 AM Jim Fenton <fenton@bluepopcorn.net>
> wrote:
> >>> On 8/2/20 5:43 PM, Douglas E. Foster wrote:
> >>>> As to the transparency question, it should be clear that there will be
> >>>> no simple solution to the ML problem.
> >>>
> >>> Actually, there is: If your domain has users that use mailing lists,
> >>> don't publish 'reject' or 'quarantine' policies. Generally this means
> to
> >>> just use those policies for domains used for transactional email.
> >>>
> >>> Unfortunately we seem to be focused on very complex technical solutions
> >>> to a misdeployment problem.
>
> I've never heard this misdeployment viewpoint in the context of M3AAWG, so
> that might be a good audience to validate the viewpoint that users' domains
> can't benefit from p=quarantine|reject.  Perhaps it should be included in a
> BCP?  Maybe it is, and I'm misremembering?  Granted, I've only been a
> member for a few years.  Maybe it was a common understanding years ago and
> no one talks about it anymore?
>

Not a knock on M3AAWG but many of the members are more interested in
deliverability than anti-abuse. The Sender side of M3AAWG is dominated by
ESPs rather than Brand Senders. I say this as the Founder and Chair of
Brand SIG for 10 years until I left my employer that was a member of M3AAWG.

>
> For example, when I was invited by the technical committee to present our
> strategy and challenges deploying DMARC for our institution, no one told me
> we were misdeploying.  The session was pretty well attended, and I don't
> think I put everyone to sleep.  Now I feel like my speech was
> counterproductive because I may have encouraged others to misdeploy DMARC
> too.
>

You were presenting what you did. It may or may not have been
counterproductive.

>
>
> >> There is another solution. Move users to a separate domain from the
> domain
>
> Long ago we put users on our org domain as a way to unify users (in a very
> decentralized institution) under a single domain identity, and that
> branding decision is not going to be undone, politically.  Any project to
> move users from one domain identity to another is a huge lift; it takes a
> lot of time, effort, and never actually completes due to stragglers with
> very legitimate reasons to not give up sending from their old address.
>

I implemented for an Enterprise with large ecommerce/social sites and 20k
seats. The only people that were allowed to keep accounts on the primary
domains were people who directly supported the websites and they were not
allowed to use those accounts for anything other than supporting the
websites. They had accounts at the other domain just as all the other users.

>
> I think that end-users would rather see their list mail be rewritten than
> be told to change their identity.  I know that some people on this list
> think that the domain in the from header isn't commonly visible anymore,
> but the domain is extremely important to users' sense of identity.
>

Their identity at that organization is subject to the determinations of the
organization. It is amazing how quickly after a one time transition that
users get used to  their new "identity".

>
>
> >> your transactional mails are sent from. You can also put users on a
> >> separate subdomain.
>
> To the idea of clean separation:  We only encourage (without DMARC there
> is no way to enforce) subdomains for transactional email despite "brand
> minded" people insisting on using the org domain (or just using it without
> asking).  Despite everyone having an address in the org domain, we still
> have many users using legacy subdomains, and some of those subdomains are
> mixed-use.
>

You need buy-in from senior management for any email authentication
efforts. When you add up the costs of customer support contacts for dealing
with fraudulent email claiming to be from your organization, reputation
damage, etc., management becomes more willing to buy into a comprehensive
strategy.

>
> DMARC is great for getting visibility on this "separation" problem.  It's
> not until we moved past p=none that we could get any sticks behind our
> carrots.
>
> What I'm saying is that mixed-use domains are common and they proliferated
> due to the lack of domain alignment enforcement prior to DMARC.  Even when
> there is intention by IT to separate the use cases, they need DMARC to get
> both the visibility and the manageability/enforcement.
>

If it is only IT pushing this, you are probably doomed to failure.


>
> I've observed other universities using their single org domain for
> everything, and they don't find out they have a problem until they try to
> implement DMARC.  It's easier for them to move the transactional email to
> subdomains than to move users.  That is, unless they just give up on the
> idea of DMARC altogether.
>

Organizations make choices based on perceived benefits and costs.

>
> This might be a stretch, but I think the "DMARC is different for user vs
> transactional domains argument" dovetails with the need for sp to walk the
> domain tree.  If the assertion is that the domain with users is
> fundamentally different than domains used for transactional email, and most
> institutions use their org domain for their users, and subdomains are a
> mixed bag of varying use cases, then the org domain's DMARC policy isn't
> the best candidate for inheritance.
>

The assumption was/is that the organizational domain most closely tracks
the risk for abuse and is therefore the one that most needs protection.
Therefore inheritance should be the rule rather than the exception. It also
means you don't have to walk the full tree. You only need to check the base
domain if the subdoain doesn't specify a policy.

>
>
> > Yet another solution would be to not use DMARC.  The status quo ante.
> >
> > While p=none is a technically valid position, there seems to be a
> > demand of a mail infrastructure where spoofing is not allowed.
>
> Not only a demand, but a requirement: https://cyber.dhs.gov/bod/18-01/
>
> I don't think DHS got the memo about misdeploying DMARC, either.  I know
> that around 2018, the person maintaining the MLM for our astrophysics
> center had to scramble to implement header munging because of all of the
> .gov's publishing p=reject
>
> The .gov space has an interesting and long history with regard to email
authentication. In 2011, Pat Peterson (Agari) and I were asked by EOP
(Executive Office of The President) to create and give training on email
authentication for .gov that was turned into a virtual training environment
that was available for all government employees. The specific impetus were
a series of incidents that included fake malicious White House ecards
purporting to be online Christmas cards that were sent to government
contractors and others. Required authentication for .gov domains moved
forward in fits and starts up to the point of the DHS mandate. DHS
approached the use of DMARC and authentication as a blunt one size fits all
instrument.

The reality is that the devil is always in the details.

Michael Hammer

v2.23.0 | Report a Bug | By Email