[dmarc-ietf] Proposed rework of the wording in section 2.1 of draft-dmarc-interoperability
"Kurt Andersen (b)" <kboth@drkurt.com> Mon, 07 December 2015 15:23 UTC
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 086591A8702 for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2015 07:23:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzz7QEPcyIoi for <dmarc@ietfa.amsl.com>; Mon, 7 Dec 2015 07:23:54 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD04C1A86E3 for <dmarc@ietf.org>; Mon, 7 Dec 2015 07:23:53 -0800 (PST)
Received: by qkdb5 with SMTP id b5so32178972qkd.0 for <dmarc@ietf.org>; Mon, 07 Dec 2015 07:23:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=XIVRtVbTJL8DPxpAZyVgvIDDlsAAvs/RSMIpFk7HbFM=; b=Z5MEt+dncAxEcDypuyWmlpDodkI8ySv0Yx8PCwUTDLgFW+AhWCMNHdQLlrzKUT+WBQ +MO2biPDJcVD8ZkZW4sWeutBMjdAoZCoY3R041fM94BgqNBmTatcG5uG2H10o9LdN8N3 snlro7XkTvqqlsQJRFomgdJdB6XceaM05V6RA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:date:message-id:subject:from :to:content-type; bh=XIVRtVbTJL8DPxpAZyVgvIDDlsAAvs/RSMIpFk7HbFM=; b=Up3aWcgW1tzp8eqGC/V8rhFccKQfzElnU/kE3muJUPfx+TcpWX1LyFJHMOavGxfpBR ZbddMsEP4pJzEPV/HfyhrW2bKjSr89RW2ivbrT9KJr0iAiOXvXS10e06KZbM2Zb9HuLr VV6ehpppWSSHZ5fem9qVV0wnSs8y2MrvPWY4/ZUkloGjST4UtifVTKUiY9iiZn2sZQLp EOTPaZnrSC5nM+3VBQkPfCw+uBQljtjn1OdQ1az8DgJtj5m2fBza0td+06A1VZIPHJWv 4s7tXe7of832Je1S56/G6whN7GhPnLCfTvjbfbsc52MbvSH1ckuj65Whi+OOmSKxktyZ gerw==
X-Gm-Message-State: ALoCoQksQ7o7QKFv+XCFPoknW+Uz1V2oWmOHrjoBL5jQm8ekgi67RrIJteWXt6mL78DVCYHWkxtn
MIME-Version: 1.0
X-Received: by 10.55.79.141 with SMTP id d135mr36737244qkb.41.1449501833051; Mon, 07 Dec 2015 07:23:53 -0800 (PST)
Sender: kurta@drkurt.com
Received: by 10.55.198.219 with HTTP; Mon, 7 Dec 2015 07:23:52 -0800 (PST)
Date: Mon, 07 Dec 2015 07:23:52 -0800
X-Google-Sender-Auth: BAmmDsI7utNM8uvqywXixrQoj9I
Message-ID: <CABuGu1pKn-nH57JzNQSqLHHxTZXe9CXWvz7bB6ynZ8PC7QOtTQ@mail.gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>, Eliot Lear <lear@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dmarc/fKVnpXpfJoXqk7TTrXldmU4vwE8>
Subject: [dmarc-ietf] Proposed rework of the wording in section 2.1 of draft-dmarc-interoperability
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2015 15:23:56 -0000
Rather than submit this directly as a draft update, I wanted to circulate my proposed change for "pre"comment to see if it addresses the concern with undue textual density in section 2.1, particularly the last paragraph about SPF identifiers. My proposed rework for section 2.1 follows below. I have split the section into subsections dealing each with the DKIM and SPF identifiers and expanded the discussion around the SPF identifiers. Comments welcome. --Kurt Andersen Currently, section 2.1 reads: 2.1. Identifier Alignment DMARC relies on DKIM [RFC6376] and SPF [RFC7208] to perform message source validation. The DMARC [RFC7489] mechanism refers to source domains that are validated by DKIM or SPF as Authenticated Identifiers. DMARC requires an Authenticated Identifier to be related to the domain found in the message's RFC5322.from header field [RFC5322]. This relationship is referred to as Identifier Alignment. DMARC allows for Identifier Alignment to be achieved in two different modes: strict and relaxed. Strict mode requires an exact match of either of the Authenticated Identifiers to the message's RFC5322.from header field [RFC5322]. Relaxed mode allows for Identifier Alignment if Authenticated Identifiers and the message's RFC5322.from header field [RFC5322] share the same Organizational Domain. In general, interoperability issues between strict and relaxed modes are the same, with strict mode constraining the application of possible solutions. The mitigations described in this document generally require a relaxed mode of Identifier Alignment. DKIM provides a cryptographic means for a domain identifier to be associated with a particular message. As a standalone technology DKIM identifiers are not required to be relevant to the content of a message. However, for a DKIM identifier to align in DMARC, the signing domain of a valid signature must be part of the same Organizational Domain as the domain in the RFC5322.from header field [RFC5322]. In addition, DKIM allows for the possibility of multiple valid signatures. The DMARC mechanism will process Authenticated Identifiers that are based on DKIM signatures until an aligned Authenticated Identifier is found (if any). However, operational experience has shown that some implementations have difficulty processing multiple signatures. The impact on DMARC processing is clear: implementations that cannot process multiple DKIM signatures may incorrectly flag messages as "failing DMARC" and erroneously apply DMARC based policy to otherwise conforming messages. SPF can provide two Authenticated Identifiers. The DMARC relevant Authenticated Identifiers that SPF provides is the RFC7208.MAILFROM [RFC7208] based on the RFC5321.mailfrom [RFC5321] domain, or, if the RFC5321.mailfrom address is absent (as in the case of "bounce" messages), on the RFC5321.HELO/EHLO SMTP domain. The SPF validated domain in RFC7208.MAILFROM must be part of the same Organizational Domain as the domain in the RFC5322.from header field to be aligned. It is important to note that even when an SPF record exists for the domain in RFC5322.from [RFC5322], SPF will not authenticate it unless it is also the domain checked by SPF. Also note that the RFC7208.MAILFROM definition is different from the RFC5321.mailfrom [RFC5321] definition. ----------------------- Proposed rework: 2.1. Identifier Alignment DMARC relies on DKIM [RFC6376] and SPF [RFC7208] to perform message source validation. The DMARC [RFC7489] mechanism refers to source domains that are validated by DKIM or SPF as Authenticated Identifiers. DMARC requires an Authenticated Identifier to be related to the domain found in the message's RFC5322.from header field [RFC5322]. This relationship is referred to as Identifier Alignment. DMARC allows for Identifier Alignment to be achieved in two different modes: strict and relaxed. Strict mode requires an exact match of either of the Authenticated Identifiers to the message's RFC5322.from header field [RFC5322]. Relaxed mode allows for Identifier Alignment if Authenticated Identifiers and the message's RFC5322.from header field [RFC5322] share the same Organizational Domain. In general, interoperability issues between strict and relaxed modes are the same, with strict mode constraining the application of possible solutions. The mitigations described in this document generally require a relaxed mode of Identifier Alignment. 2.1.1. DKIM Identifier(s) DKIM provides a cryptographic means for one or more domain identifier to be associated with a particular message. As a standalone technology DKIM identifiers are not required to be relevant to the content of a message. However, for a DKIM identifier to align in DMARC, the signing domain of a valid signature must be part of the same Organizational Domain as the domain in the RFC5322.from header field [RFC5322]. In addition, DKIM allows for the possibility of multiple valid signatures. The DMARC mechanism will process Authenticated Identifiers that are based on DKIM signatures until an aligned Authenticated Identifier is found (if any). However, operational experience has shown that some implementations have difficulty processing multiple signatures. The impact on DMARC processing is clear: implementations that cannot process multiple DKIM signatures may incorrectly flag messages as "failing DMARC" and erroneously apply DMARC based policy to otherwise conforming messages. 2.1.2. SPF Identifier(s) The SPF specification [RFC7208] defines two Authenticated Identifiers for each message. These identifiers derive from: a. the RFC5321.mailfrom [RFC5321] domain, and b. the RFC5321.HELO/EHLO SMTP domain. In the SPF specification, the RFC7208.MAILFROM [RFC7208] value is defined to be based on RFC5321.mailfrom unless that value is absent (as in the case of "bounce" messages) in which case, the second (RFC5321.HELO/EHLO) identifier value is used. This "fallback" definition has occasionally been misunderstood by senders since "bounce" messages are often an "automatic" feature of MTA software. For the purposes of DMARC validation/alignment, the hybrid RFC7208.MAILFROM [RFC7208] identifier's domain is used if, and only if, it is aligned with the RFC5322.from [RFC5322] domain. The alignment of the validated domain is determined based on the DMARC record's "strict" or "relaxed" designation as described above for the DKIM identifiers and in [RFC7489].
- [dmarc-ietf] Proposed rework of the wording in se… Kurt Andersen (b)
- Re: [dmarc-ietf] Proposed rework of the wording i… Eliot Lear
- Re: [dmarc-ietf] Proposed rework of the wording i… Kurt Andersen (b)
- Re: [dmarc-ietf] Proposed rework of the wording i… John Levine
- Re: [dmarc-ietf] Proposed rework of the wording i… Kurt Andersen (b)
- [dmarc-ietf] Proposed rework of the wording in se… Stephen J. Turnbull
- Re: [dmarc-ietf] Proposed rework of the wording i… Murray S. Kucherawy
- Re: [dmarc-ietf] Proposed rework of the wording i… Stephen J. Turnbull