IETF Logo Mail Archive

Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

Douglas Foster <dougfoster.emailstandards@gmail.com> Sun, 17 March 2024 15:10 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94B0EC14F61B for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 08:10:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JAJkWnGDme9h for <dmarc@ietfa.amsl.com>; Sun, 17 Mar 2024 08:10:45 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FE29C14F619 for <dmarc@ietf.org>; Sun, 17 Mar 2024 08:10:45 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id 2adb3069b0e04-513d4559fb4so3982626e87.3 for <dmarc@ietf.org>; Sun, 17 Mar 2024 08:10:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710688244; x=1711293044; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=Jd7tuzk4Br5RN0IgPBz0w013lGhRHy+MR4/JwVTHxWE=; b=iwv6UZ9WX4ks9yoigHdOQKBqoNILYvYUApixMHX4sxIvDl3izOCiaXPDTSVWW1TBH4 NB/HAeHsfxnSus8yQezfppUsdRpR2UTAzhgNavreoEvZqmTIEo/i68DuAAYGe1xsEglD fm1rKh3PaMr+8dTNwz6H+qxrbSYnjKno1QsMW2WoLwd1Ahh73vcCtHIuVk5gN7JG+tjQ cBOlE2s8v3jprzr1v0Kl1tqJP1fBsKb5udgqWM36dqdAvNJ69txojIGimnrG+Lky7O8+ cNBiBrwwiFiB7JKq4b0Qno9N5WbWSvWmVplkJAgZHeDp8BoRxWQHVtaIVU8jBhxPgBpH L3Bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710688244; x=1711293044; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Jd7tuzk4Br5RN0IgPBz0w013lGhRHy+MR4/JwVTHxWE=; b=VFbWOzM/myR6naqJdlWOzwvgtbOKhSafVTY9NRQF+yvYM+KsvdKbRlDa8hI7WEQfNR nMwCeYe8ecoa0FaTDk6Wrv+/DU8abteEWyon5TRuDmMmKhwPnyDM5zNh+YX2sSfQkuUu qzGPmFnhv5BFlN1zXttPj17IqcyaaVEMjz9FLUI3vzAM4DkHUKTVxSKfZzK1lHSKxgd+ c9gm5AbLhDVBfyyCqAX78ozIOptDy5Og7y4/O+JoB6j2sv6uCE2FTUe0Okf8nEMY5rCl FI2spLKXEGpbFkGhXERIXUE2yvHnc8Nm1442T6ofGIqvfGwrUdFfWakdgLdC6rOD4ppE PAsw==
X-Gm-Message-State: AOJu0YyHo2aYc3YuIu/FUJRVcd1B1tTOqyldg3RKl5efMMmgAex5E68C 7d/v3ZnGsircLQEz8QELGzZqVUPG8LuCyZcVBYDlV/0XHKxP5ziLVAgmPWiR8hCTI6uHp3STjus FKwUhwCeCcayL5CTiC118fR3jQx2AelJ/
X-Google-Smtp-Source: AGHT+IFrcTOjxXsBntw8eoqjrMs0G/sIm/EG8odWMOR4rmef7ajuu0j5PBobGcYK3BILxo3YHL7dN4m08kSI6wW9rp4=
X-Received: by 2002:a05:6512:52d:b0:513:d963:41cf with SMTP id o13-20020a056512052d00b00513d96341cfmr5000202lfc.25.1710688243429; Sun, 17 Mar 2024 08:10:43 -0700 (PDT)
MIME-Version: 1.0
References: <CAHej_8nrQG3XN5k=p0x5KzV3ZLAzzGQaXNpG9cFvPS338uS0dw@mail.gmail.com> <2956306.Z6hNudi34S@zini-1880> <2068150.yCtiIVWOOC@zini-1880> <cf416f6b-3de2-4bf3-a3e2-0b634157050d@tana.it> <D3C7E666-5AB3-4E87-B83A-F909E3389039@kitterman.com>
In-Reply-To: <D3C7E666-5AB3-4E87-B83A-F909E3389039@kitterman.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sun, 17 Mar 2024 11:10:33 -0400
Message-ID: <CAH48ZfyzTt-xzjzrGb70O06LTahgCz-D37PwRD-UwJg7GLYqMA@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000123bbe0613dca541"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/e6fbXzF9Ct_vqVqiqM979utN8Ec>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2024 15:10:49 -0000

But if we have no advice on how to detect a false Pass, how is this
useful?   Are we helping evaluators or just giving ourselves cover that
"your disaster is not our fault because we warned you"?

On Sun, Mar 17, 2024, 10:59 AM Scott Kitterman <sklist@kitterman.com> wrote:

>
>
> On March 17, 2024 11:11:04 AM UTC, Alessandro Vesely <vesely@tana.it>
> wrote:
> >On Sat 16/Mar/2024 20:01:22 +0100 Scott Kitterman wrote:
> >> On Thursday, March 14, 2024 12:24:50 PM EDT Scott Kitterman wrote:
> >>> On Thursday, March 14, 2024 11:44:22 AM EDT Todd Herr wrote:
> >>>>
> >>>> Issue 135 is open for the subject topic. Please add your thoughts to
> this thread and/or to the issue in Github.
> >>>>
> >>>> Thank you.
> >>>
> >>> [...]
> >>>
> >>> I think both of these should be addressed as part of this issue in
> Security
> >>> Considerations.
> >>
> >> It seems to me that, to the extent we are going to address this issue,
> there
> >> is agreement that Security Considerations is appropriate.  Here's
> proposed
> >> text:
> >>
> >> 11.X  External Mail Sender Cross-Domain Forgery
> >>
> >> Both of the email authentication methods which underlie DMARC
> fundamentally
> >> provide some degree of assurance that an email was transmitted by an
> MTA which
> >> is authorized to do so.  SPF policies just map domain names to sets of
> >> authorized MTAs [ref to RFC 7208, section 11.4].  Verified DKIM
> signatures
> >> indicate that an email was transmitted by an MTA with access to a
> private key
> >> that matches the published DKIM key record.
> >>
> >> When Domain Owners authorize mail to be sent by sources outside their
> >> Administrative Management Domain there is a risk that an overly
> permissive
> >> source may send mail which will, as a result, receive a DMARC pass
> result that
> >> was not, in fact, authorized by the Domain Owner.  These false
> positives may
> >> lead to issues with systems that make use of DMARC pass results to
> indicate a
> >> message is in some way authentic.  They also allow such unauthorized
> senders
> >> to evade the Domain Owner's requested message handling for
> authentication
> >> failures.
> >>
> >> The only method to avoid this risk is to ensure that no overly
> permissive
> >> sources can successfully DKIM sign the domain's mail or transmit mail
> which
> >> will evaluate as SPF pass.  If there are non-DMARC reasons for a domain
> owner
> >> to include a permissive source in a domain's SPF record, the source can
> be
> >> excluded from DMARC consideration by using the '?' qualifier on the SPF
> record
> >> mechanism associated with that source.
> >
> >
> >That text is too long and lacks an example.
> >
> >The first paragraph can be omitted without losing context.  BTW, Section
> 11.4 of RFC 7208 is about /cross-user/ forgery, not cross-domain.
> >
> >The second paragraph doesn't mention SPF.  Couldn't it be more direct?
> For example:
> >
> >    Domain Owners who set up SPF records which include sources outside
> their
> >    Administrative Management Domain run the risk that an overly
> permissive
> >    source may allow its users to send scam mail which will receive a
> DMARC
> >    pass results that were not intended by the Domain Owner.  These false
> >    positives [...]
> >
> >The third paragraph is also longer than needed.  There's no need to
> mention DKIM if we're talking SPF forgery.  I'd also point out that the
> neutral qualifier prevents quick rejection of the message, and is probably
> useless for those who have ~all.  (Are there MTAs who distinguish between
> neutral and softfail?  Are we prompting them to do so?)  Perhaps mention
> that this is a compromise between striking the SPF record tout-court and
> allowing false positives.
> >
> >Most important, write "?include:example.com".  An example is worth a
> thousand words.
>
> I disagree.
>
> Security considerations should be a complete description of the
> consideration.  While the data that's been discussed about current issues
> has been SPF related, there's no reason a third-party couldn't equally
> screw up and sign DKIM in a similar manner.  We should include both (we
> discussed this pretty extensively already, let's not do it again).
>
> I think we need to be explicit that there are two risks:
>
> 1.  Bad mail gets DMARC pass and so DMARC policy is not applied (avoid
> consequences of DMARC fail).
>
> 2.  Bad mail gets DMARC pass and something else (e.g. BIMI) does a wrong
> thing (gets benefits of DMARC pass).
>
> It's not typical to put examples in security considerations.
> Additionally, I think doing so would over emphasize that aspect of the
> consideration.  We're a technical group and so we like technical solutions,
> but for this one, I think the boring and difficult policy question of not
> authorizing third parties that do bad things is more important.
>
> Scott K
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email