[dmarc-ietf] Abolishing DMARC policy quarantine

Дилян Палаузов <dilyan.palauzov@aegee.org> Tue, 11 June 2019 21:00 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fR905EgS6tXpsJTHzWCRCeR9L_0>

Dear all,

When DMARC passes, there is no difference between p=reject and p=quarantine.

When DMARC fails validation, this means extra work for humans.  This work can be done by the sending or by the receiving

With p=quarantine, the sending organization (domain owner) indicates that the extra work is supposed to be done by the
receiving organization.  So for the senders it is just cheaper (in terms of less work) to publish p=quarantine.

With p=reject, the sending organization (domain owner) indicates that the extra work has to be performed by the sending
server, which might be the domain owner or some suspects.

However, it is ultimately up to the receiving site to decide whether it wants to accept this extra work.  If it does
not accept the extra work, it just handles quarantine as reject.  This does not violate the DMARC specification.

Do you have a story why one wants to publish p=quarantine?  What is the use case for it?  It just makes emails less
reliable, as they end as Junk and this is very similar to discarding the emails.

Imagine a mailing list, where the recipient of an email address expands to several mailboxes on different domains.  An
incoming email fails DMARC validation before being distributed over the ML.  The domain owner for that mail origin has
published p=quarantine, this email cannot be delivered in the Junk folder of the recipient, because the mailing list
itself does not have a junk folder.

How about deleting policy Quarantine and instead rephrasing policy Reject:

It is up to the receiving server if it rejects messages failing DMARC, or accepts and delivers them as Junk.

(This does not change the protocol, just the wording)
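
The receiver-side decision discussed in this message, as an added example that is not part of the original post: it parses a published DMARC record and picks a disposition for a personal mailbox and for a mailing-list address that has no Junk folder. The function names, the sample records and the choice to reject when no Junk folder exists are assumptions made for illustration.

```python
def parse_dmarc_record(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC policy record")
    return tags


def disposition(record, dmarc_pass, has_junk_folder,
                accepts_extra_work=True, merged_wording=False):
    """Return 'deliver', 'junk' or 'reject' for one message.

    accepts_extra_work: the receiver is willing to file failures as Junk.
    merged_wording: apply the rewording proposed in the message, where
    p=reject also lets the receiver choose between rejecting and Junk.
    pct= and sp= are ignored to keep the example short.
    """
    if dmarc_pass:
        return "deliver"          # the published policy makes no difference
    policy = parse_dmarc_record(record).get("p", "none").lower()
    if policy not in ("quarantine", "reject"):
        return "deliver"          # p=none or unknown: no action requested
    may_junk = policy == "quarantine" or merged_wording
    if may_junk and accepts_extra_work and has_junk_folder:
        return "junk"
    return "reject"               # no Junk folder, or receiver declines


# Constructed sample records (example.org is a placeholder domain).
QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:reports@example.org"
REJECT = "v=DMARC1; p=reject"

if __name__ == "__main__":
    for name, rec in (("quarantine", QUARANTINE), ("reject", REJECT)):
        print(name, "mailbox:", disposition(rec, False, True),
              "| list:", disposition(rec, False, False))
```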