IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed Introduction and Abstract (was I-D Action: draft-ietf-dmarc-dmarcbis-00.txt)

Dave Crocker <dcrocker@gmail.com> Sat, 12 December 2020 14:45 UTC

Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD6643A1155 for <dmarc@ietfa.amsl.com>; Sat, 12 Dec 2020 06:45:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVNQmGAyFTo5 for <dmarc@ietfa.amsl.com>; Sat, 12 Dec 2020 06:45:36 -0800 (PST)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 724E13A114C for <dmarc@ietf.org>; Sat, 12 Dec 2020 06:45:36 -0800 (PST)
Received: by mail-pg1-x530.google.com with SMTP id w16so9322243pga.9 for <dmarc@ietf.org>; Sat, 12 Dec 2020 06:45:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=h0uLmyN8/axom3+1FrMD2o/3ocugb5RUS8kgAf4hsxU=; b=OwBBKkia/mysoqqHVtF+Gc4EzPbjc66NAcw9I2wxst8jCgyXzg0X0mqets4CT4CuvT t++d/P8FDAVOowmqTUx1H8IKGmcD+nTfGo4jOQj4bn2Y5Ct5x40U6FxSFI2Hxt9/YWaz cPtZdNkKcu5BCahgAXoZA12XTbAnDfYGIeUcfjR5XcQBeWqqF/vZTmyt4WdFHcFie1lr ZL60RST/wLkoZ/CxR37qHKoS9tX9sxxSfeUZlLJ/D1j6gauLsgFN4fZYoJ8dNN45Za1U acpA0Rp1C0dUVP3dDaWCZ4eTO6mR/fWyhTucUIcf4WNNqwAKU3Sqj0LMbeaNXw4oPfFv AWhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=h0uLmyN8/axom3+1FrMD2o/3ocugb5RUS8kgAf4hsxU=; b=YZ6Z1Ql2KODFp3vVykTJ8zt++LLcChcSi3x3uwc9FczsVPsT+Sg/UuVeP3yFV4umg0 IemE/roSEsnmZh8q18BAXrBj3jM7MvEVkHZhtb3aO+XctCMcq5bpvxk78pNGJEHe5hrk s51PFS9oPd6gHqVd92upX2pjbgpFZJmMrmqOe9hKQ1xYQEqCO9mXIvj6TP8BtYi9gCkT c6yOvoa0dfXI/hQRf6I1eVaUv0PM4inBodx4B+JBIi95oH+chRIApF5kmGyB4TPdsE5D 7vc6MiUmBWcGm7Ft4q3JldccA3w6vQiwKrumKJu829gNS0Fh3+BZxlvoN8MHjg0ncNgA YRyQ==
X-Gm-Message-State: AOAM532wVBgvmt963khNbk7cWsydzopQdDrF3ucoBymebVDEaflArpdW SWOdZWRwelFPVgECMwx5wTIEV56tu6w=
X-Google-Smtp-Source: ABdhPJwTrnIDmNN3AZ5CXQn2JJTjuzbPpoUVQYsCeYG6x0OYzCL1fw66M2Lb5yc4AWfmEBzjEgxIqw==
X-Received: by 2002:aa7:8b15:0:b029:196:59ad:ab93 with SMTP id f21-20020aa78b150000b029019659adab93mr16050668pfd.16.1607784335497; Sat, 12 Dec 2020 06:45:35 -0800 (PST)
Received: from [192.168.0.109] (c-24-130-62-181.hsd1.ca.comcast.net. [24.130.62.181]) by smtp.gmail.com with ESMTPSA id h17sm13581464pfo.220.2020.12.12.06.45.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 12 Dec 2020 06:45:34 -0800 (PST)
From: Dave Crocker <dcrocker@gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>, IETF DMARC WG <dmarc@ietf.org>
References: <160513169495.16356.6565556939968267867@ietfa.amsl.com> <CAHej_8=hvo2f6f_d3tYs2xVV1JnGvQsuqxFqJXJKmgfpTiSO3w@mail.gmail.com> <CAHej_8mzRo4cxxLrpeVZTcKC032OexK21=UgNhNDiTcRy713xA@mail.gmail.com>
Message-ID: <3a5548b7-cb41-1533-93c3-dbecc800be19@gmail.com>
Date: Sat, 12 Dec 2020 06:45:31 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
In-Reply-To: <CAHej_8mzRo4cxxLrpeVZTcKC032OexK21=UgNhNDiTcRy713xA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------FBC624D15EE5ED74A86A8B1A"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fcYTbe13wTgTfLgmtP4MXFKctTk>
Subject: Re: [dmarc-ietf] Proposed Introduction and Abstract (was I-D Action: draft-ietf-dmarc-dmarcbis-00.txt)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2020 14:45:39 -0000

Some comments and suggestions...


On 11/19/2020 2:55 PM, Todd Herr wrote:
> This thread hasn't generated any discussion or momentum yet, and I 
> know that's not because y'all have found the proposed text for the 
> Abstract and Introduction to be acceptable, so I'm going to add the 
> text to this thread and see where the discussion leads.
>
> ----------------------------------------------- cut here 
> ----------------------------------------------------
>
> Abstract
>
>
> This document describes the Domain-based Message Authentication,
>
> Reporting, and Conformance (DMARC) protocol.
>
>
> DMARC is a scalable mechanism by which a mail-originating
>
> organization can express domain-level policies and preferences for
>
> message validation, disposition, and reporting.Mail-receiving
>
> organizations can in turn use these expressions of policies and
>
> preferences to inform their mail handling decisions should they
>
> choose to do so.
>
Alternative second par, to improve focus and provide  more complete, 
initial description:

    DMARC permits the owner of an author's domain name to enable
    validation of the domain's use, to indicate the implication of
    failed validation, and to request reports about use of the domain
    name. Mail receiving organizations can use this information when
    evaluating disposition choices for incoming mail.

I suggest this introductory text focus less on low-level technical 
details or references, and more on setting the stage, by characterizing 
functional benefits and, perhaps, very general statements about the 
approach.  This is the place to build market demand, by focusing on the 
why and what, not the how.


> This document obsoletes RFC 7489.
>
>
> [...]
>
>
>
> 1.Introduction
>
>
> RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING:
>
> The source for this draft is maintained in GitHub at:
>
> https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis 
> <https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis>
>
> (https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis 
> <https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis>)
>
>
> The Sender Policy Framework ([RFC7208]) and DomainKeys Identified
>
> Mail ([RFC6376]) protocols provide domain-level authentication, and
>
...authentication, which is not directly associated to the rfc5322.From 
field domain name, and DMARC...


> DMARC builds on these protocols.DMARC is designed to give
>
> ADminstrative Management Domains (ADMDs) that originate email 
> theability to publish in a DNS TXT record their email authentication
>
> policies, specify preferred handling for mail that fails
>
> authentication checks, and request reports about mail purportedly
>
> originated by the ADMD, as determined by the RFC5322.From header in
>
> the message.
>

Repeating from the Abstract:

    DMARC Builds on these protocols. DMARC permits the owner of an
    author's domain name to enable validation of the domain's use, to
    indicate the implication of failed validation, and to request
    reports about use of the domain name. Mail receiving organizations
    can use this information when evaluating disposition choices for
    incoming mail.

The 'domain' in ADMD is not the same as in 'domain name' and, arguably, 
DMARC has nothing to do with ADMDs, but only with domain names.  This is 
an important distinction.  The linkage between the two comes from 
operational arrangement, not anything inherent in DMARC.  I'm not sure 
how to reflect this fact in the text. /d

btw, use of vocabulary like ADMD changes the requirement for the 
reference to RFC 5598, in the Terminology section.  The current text is 
a casual suggestion.  It needs to be something like:

    References and terminology that are not defined in this
    specification are drawn from RFC 5598.


>
> As with SPF and DKIM, DMARC authentication checks result in verdicts
>
> of "pass" or "fail".A DMARC pass verdict requires not only that SPF
>
> or DKIM pass for the message in question, but also that the domain
>
> validated by the SPF or DKIM check is aligned with the domain in the
>
> RFC5322.From header.In the DMARC protocol, two domains are said to
>
perhaps add reference to Section 3.1, for definition of alignment, 
rather than do a definition here.  Having something defined more than 
once in a specification can get problematic.


> be "in alignment" if they have the same Organizational Domain
>
> (a.k.a., relaxed alignment) or they are identical (a.k.a., strict
>
> alignment).
>
>
> A DMARC pass verdict asserts only that the RFC5322.From domain has
>
verdict -> resut

asserts -> indicates


> been authenticated in that message; there is no explicit or implied
>
> value assertion attributed to a message that receives such a verdict.
>
> A mail-receiving organization that performs DMARC validation checks
>
> on inbound mail can choose to use the results and the preferences
>
> expressed by the originating domain for message disposition to inform
>
> its mail handling decision for that message.For messages that pass
>
    A mail-receiving organization that performs a DMARC validation check

    on inbound mail can choose to use the result and the published
    assessment

    by the originating domain for message disposition to inform

    its mail handling decision for that message.

trying to move away from policy or directive

(also changed to singular; it seems to make specification language 
easier to write...)


> DMARC validation checks, the mail-receiving organization can be
>
> confident in applying handling based on its known history for
>
> similarly authenticated messages, whereas messages that fail such
>
> checks cannot be reliably associated with a domain with a history of
>
> sending DMARC-validated messages.
>
    For mail-receiving organization supporting DMARC, a message that
    pass validation is part of a message stream that is reliably
    associated with the domain owner.  Therefore reputation assessment
    of that stream, by the mail-receiving organization, does not need to
    be encumbered by  accounting for unauthorized use of the domain. A
    message that fails this validation cannot reliably be associated
    with the aligned domain and its reputation.

>
> DMARC also describes a reporting framework in which mail-receiving
>
> domains can generate regular reports containing data about messages
>
> seen that claim to be from domains that publish DMARC policies, and
>
> send those reports to the ADMD as requested by its DMARC policy
>
> record.
>
    ADMD -> address

While another use of ADMD is appealing, the construct in this part of 
DMARC is really just an address.  Any address.


>
> Experience with DMARC has revealed some issues of interoperability
>
> with email in general that require due consideration before
>
> deployment, particularly with configurations that can cause mail to
>
> be rejected.These are discussed in Section 9.
>
>
>


d/


-- 
Dave Crocker
dcrocker@gmail.com
408.329.0791

Volunteer, Silicon Valley Chapter
American Red Cross
dave.crocker2@redcross.org

v2.23.0 | Report a Bug | By Email