IETF Logo Mail Archive

Re: [dmarc-ietf] WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)

Hector Santos <hsantos@isdg.net> Sun, 20 July 2014 20:01 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DADFC1A0B0C for <dmarc@ietfa.amsl.com>; Sun, 20 Jul 2014 13:01:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.002
X-Spam-Level:
X-Spam-Status: No, score=-102.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HAcA-AcWCmdu for <dmarc@ietfa.amsl.com>; Sun, 20 Jul 2014 13:01:36 -0700 (PDT)
Received: from news.winserver.com (dkim.winserver.com [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id 2625B1A0089 for <dmarc@ietf.org>; Sun, 20 Jul 2014 13:01:36 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=8796; t=1405886489; h=Received:Received: Message-Id:From:Subject:Date:To:Organization:List-ID; bh=3Axh0Cd PPkhOcNM04E5iXW2nMmI=; b=kwxLzxNtvE9m8G8LCw5xjuhIORoKMijPM4YSgI/ WKO/4nQtacq9OD/SqK53K5gABDZ85JUXPT2XOc7u0mgGq/YM49ynPQVVIVto5+59 k8/GHcMJAqijPu7Gufsk2LrG8hxOsDTF7qSjWHTYY4DS5Wdoy73ddvZLPdoMUy9H +NJs=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for dmarc@ietf.org; Sun, 20 Jul 2014 16:01:29 -0400
Received: from [192.168.1.162] (99-72-160-212.lightspeed.miamfl.sbcglobal.net [99.72.160.212]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 1071605033.3783.3520; Sun, 20 Jul 2014 16:01:28 -0400
References: <20140714164212.22974.20340.idtracker@ietfa.amsl.com> <D1E6E3BC-EC43-4FBA-894C-5A0C8EF1705D@standardstrack.com>
Mime-Version: 1.0 (1.0)
In-Reply-To: <D1E6E3BC-EC43-4FBA-894C-5A0C8EF1705D@standardstrack.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <9198FB23-31CC-421E-B5F2-DDE063CD9959@isdg.net>
X-Mailer: iPad Mail (11B651)
From: Hector Santos <hsantos@isdg.net>
Date: Sun, 20 Jul 2014 16:01:27 -0400
To: Eric Burger <eburger@standardstrack.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/dmarc/egrDZKogZuKZCPMFbV6H5SVS6ZE
Cc: dmarc WG <dmarc@ietf.org>, IETF <ietf@ietf.org>
Subject: Re: [dmarc-ietf] WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Jul 2014 20:01:40 -0000

I would like to see a better integrated, cross-area engineering effort.  There is much to do in the integrated area of new domain authorization "permission-based" policy concepts.   We have a tendency of repeating the similar concepts across proposed multiple protocols.  In an evolved, modern SMTP receiver, it could perform 3-6 or more DNS redundant lookups for each transaction, and they are not flexible enough to be lumped together.

--
Hector Santos
http://www.santronics.com

> On Jul 20, 2014, at 2:23 PM, Eric Burger <eburger@standardstrack.com> wrote:
> 
> I will not comment on the 85 messages in the thread.  However, I would like to point out that STIR is working on a similar problem with similar goals but in a more constrained environment.  I would offer coordination between WG’s, should DMARC be chartered, would be “a good thing.”
> 
>> On Jul 14, 2014, at 12:42 PM, The IESG <iesg-secretary@ietf.org> wrote:
>> 
>> A new IETF working group has been proposed in the Applications Area. The
>> IESG has not made any determination yet. The following draft charter was
>> submitted, and is provided for informational purposes only. Please send
>> your comments to the IESG mailing list (iesg at ietf.org) by 2014-07-24.
>> 
>> Domain-based Message Authentication, Reporting & Conformance (dmarc)
>> ------------------------------------------------
>> Current Status: Proposed WG
>> 
>> Assigned Area Director:
>> Pete Resnick <presnick@qti.qualcomm.com>
>> 
>> Mailing list
>> Address: dmarc@ietf.org
>> To Subscribe: https://www.ietf.org/mailman/listinfo/dmarc
>> Archive: http://www.ietf.org/mail-archive/web/dmarc/
>> 
>> Charter:
>> 
>>  Domain-based Message Authentication, Reporting & Conformance (DMARC)
>>  uses existing mail authentication technologies (SPF and DKIM) to
>>  extend validation to the RFC5322.From field. DMARC uses DNS records
>>  to add policy-related requests for receivers and defines a feedback
>>  mechanism from receivers back to domain owners. This allows a domain
>>  owner to advertise that mail can safely receive differential
>>  handling, such as rejection, when the use of the domain name in the
>>  From field is not authenticated. Existing deployment of DMARC has
>>  demonstrated utility at internet scale, in dealing with significant
>>  email abuse, and has permitted simplifying some mail handling
>>  processes.
>> 
>>  The existing base specification is being submitted as an Independent
>>  Submission to become an Informational RFC.
>> 
>>  However, DMARC is problematic for mail that does not flow from
>>  operators having a relationship with the domain owner, directly to
>>  receivers operating the destination mailbox. Examples of such
>>  "indirect" flows are mailing lists, publish-to-friend functionality,
>>  mailbox forwarding (".forward"), and third-party services that send
>>  on behalf of clients. The working group will explore possible updates
>>  and extensions to the specifications in order to address limitations
>>  and/or add capabilities. It will also provide technical
>>  implementation guidance and review possible enhancements elsewhere in
>>  the mail handling sequence that could improve could DMARC
>>  compatibility.
>> 
>>  Specifications produced by the working group will ensure preservation
>>  of DMARC utility for detecting unauthorized use of domain names,
>>  while improving the identification of legitimate sources that do not
>>  currently conform to DMARC requirements. Issues based on operational
>>  experience and/or data aggregated from multiple sources will be given
>>  priority.
>> 
>>  The working group will seek to preserve interoperability with the
>>  installed base of DMARC systems, and provide detailed justification
>>  for any non-interoperability. As the working group develops solutions
>>  to deal with indirect mail flows, it will seek to maintain the
>>  end-to-end nature of existing identifier fields in mail, in
>>  particular avoiding solutions that require rewriting of originator
>>  fields.
>> 
>> 
>>  Working group activities will pursue three tracks:
>> 
>>     1. Addressing the issues with indirect mail flows
>> 
>>  The working group will specify mechanisms for reducing or eliminating
>>  the DMARC's effects on indirect mail flows, including deployed
>>  behaviors of many different intermediaries, such as mailing list
>>  managers, automated mailbox forwarding services, and MTAs that
>>  perform enhanced message handling that results in message
>>  modification. Among the choices for addressing these issues are:
>> 
>>     - A form of DKIM signature that is better able to survive transit
>>       through intermediaries.
>> 
>>     - Collaborative or passive transitive mechanisms that enable an
>>       intermediary to participate in the trust sequence, propagating
>>       authentication directly or reporting its results.
>> 
>>     - Message modification by an intermediary, to avoid authentication
>>       failures, such as by using specified conventions for changing
>>       the aligned identity.
>> 
>>  Consideration also will be given to survivable authentication through
>>  sequences of multiple intermediaries.
>> 
>> 
>>     2. Reviewing and improving the base DMARC specification
>> 
>>  The working group will not develop additional mail authentication
>>  technologies, but may document authentication requirements that are
>>  desirable.
>> 
>>  The base specification relies on the ability of an email receiver to
>>  determine the organizational domain responsible for sending mail.  An
>>  organizational domain is the 'base' name that is allocated from a
>>  public registry; examples of registries include ".com" or ".co.uk".
>>  While the common practice is to use a "public suffix" list to
>>  determine organizational domain, it is widely recognized that this
>>  solution will not scale, and that the current list often is
>>  inaccurate. The task of defining a standard mechanism for identifying
>>  organizational domain is out of scope for this working group. However
>>  the working group can consider extending the base DMARC specification
>>  to accommodate such a standard, should it be developed during the
>>  life of this working group.
>> 
>>  Improvements in DMARC features (identifier alignment, reporting,
>>  policy preferences) will be considered, such as:
>> 
>>     - Enumeration of data elements required in "Failure" reports
>>       (specifically to address privacy issues)
>>     - Handling potential reporting abuse
>>     - Aggregate reporting to support additional reporting scenarios
>>     - Alternate reporting channels
>>     - Utility of arbitrary identifier alignment
>>     - Utility of a formalized policy exception mechanism
>> 
>> 
>>     3.  DMARC Usage
>> 
>>  The working group will document operational practices in terms of
>>  configuration, installation, monitoring, diagnosis and reporting. It
>>  will catalog currently prevailing guidelines as well as developing
>>  advice on practices that are not yet well-established but which are
>>  believed to be appropriate.
>> 
>>  The group will consider separating configuration and other deployment
>>  information that needs to be in the base spec, from information that
>>  should be in a separate guide.
>> 
>>  Among the topics anticipated to be included in the document are:
>> 
>>     - Identifier alignment configuration options
>>     - Implementation decisions regarding "pct"
>>     - Determining effective RUA sending frequency
>>     - Leveraging policy caching
>>     - Various options for integrating within an existing flow
>>     - Defining a useful, common set of options for the addresses to
>>       which feedback reports are to be sent
>>     - When and how to use local policy override options
>> 
>> 
>>  Work Items
>>  ----------
>> 
>>  Phase I:
>> 
>>     Draft description of interoperability issues for indirect mail
>>     flows and plausible methods for reducing them.
>> 
>>  Phase II:
>> 
>>     Specification of DMARC improvements to support indirect mail flows
>> 
>>     Draft Guide on DMARC Usage
>> 
>>  Phase III:
>> 
>>     Review and refinement of the DMARC specification
>> 
>>     Completion of Guide on DMARC Usage
>> 
>> 
>> 
>>  References
>>  ----------
>> 
>>  DMARC - http://dmarc.org
>>  SPF - RFC7208
>>  DKIM - RFC6376
>>  Internet Message Format - RFC5322
>>  OAR / Original Authentication Results -
>>     draft-kucherawy-original-authres
>>  Using DMARC -  draft-crocker-dmarc-bcp-03
>> 
>> 
>> Milestones:
>> 
>> TBD
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email