Re: [dmarc-ietf] Proposed Introduction and Abstract (was I-D Action: draft-ietf-dmarc-dmarcbis-00.txt)
Dave Crocker <dcrocker@gmail.com> Sat, 12 December 2020 14:45 UTC
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD6643A1155 for <dmarc@ietfa.amsl.com>; Sat, 12 Dec 2020 06:45:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WVNQmGAyFTo5 for <dmarc@ietfa.amsl.com>; Sat, 12 Dec 2020 06:45:36 -0800 (PST)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 724E13A114C for <dmarc@ietf.org>; Sat, 12 Dec 2020 06:45:36 -0800 (PST)
Received: by mail-pg1-x530.google.com with SMTP id w16so9322243pga.9 for <dmarc@ietf.org>; Sat, 12 Dec 2020 06:45:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=h0uLmyN8/axom3+1FrMD2o/3ocugb5RUS8kgAf4hsxU=; b=OwBBKkia/mysoqqHVtF+Gc4EzPbjc66NAcw9I2wxst8jCgyXzg0X0mqets4CT4CuvT t++d/P8FDAVOowmqTUx1H8IKGmcD+nTfGo4jOQj4bn2Y5Ct5x40U6FxSFI2Hxt9/YWaz cPtZdNkKcu5BCahgAXoZA12XTbAnDfYGIeUcfjR5XcQBeWqqF/vZTmyt4WdFHcFie1lr ZL60RST/wLkoZ/CxR37qHKoS9tX9sxxSfeUZlLJ/D1j6gauLsgFN4fZYoJ8dNN45Za1U acpA0Rp1C0dUVP3dDaWCZ4eTO6mR/fWyhTucUIcf4WNNqwAKU3Sqj0LMbeaNXw4oPfFv AWhw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=h0uLmyN8/axom3+1FrMD2o/3ocugb5RUS8kgAf4hsxU=; b=YZ6Z1Ql2KODFp3vVykTJ8zt++LLcChcSi3x3uwc9FczsVPsT+Sg/UuVeP3yFV4umg0 IemE/roSEsnmZh8q18BAXrBj3jM7MvEVkHZhtb3aO+XctCMcq5bpvxk78pNGJEHe5hrk s51PFS9oPd6gHqVd92upX2pjbgpFZJmMrmqOe9hKQ1xYQEqCO9mXIvj6TP8BtYi9gCkT c6yOvoa0dfXI/hQRf6I1eVaUv0PM4inBodx4B+JBIi95oH+chRIApF5kmGyB4TPdsE5D 7vc6MiUmBWcGm7Ft4q3JldccA3w6vQiwKrumKJu829gNS0Fh3+BZxlvoN8MHjg0ncNgA YRyQ==
X-Gm-Message-State: AOAM532wVBgvmt963khNbk7cWsydzopQdDrF3ucoBymebVDEaflArpdW SWOdZWRwelFPVgECMwx5wTIEV56tu6w=
X-Google-Smtp-Source: ABdhPJwTrnIDmNN3AZ5CXQn2JJTjuzbPpoUVQYsCeYG6x0OYzCL1fw66M2Lb5yc4AWfmEBzjEgxIqw==
X-Received: by 2002:aa7:8b15:0:b029:196:59ad:ab93 with SMTP id f21-20020aa78b150000b029019659adab93mr16050668pfd.16.1607784335497; Sat, 12 Dec 2020 06:45:35 -0800 (PST)
Received: from [192.168.0.109] (c-24-130-62-181.hsd1.ca.comcast.net. [24.130.62.181]) by smtp.gmail.com with ESMTPSA id h17sm13581464pfo.220.2020.12.12.06.45.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 12 Dec 2020 06:45:34 -0800 (PST)
From: Dave Crocker <dcrocker@gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>, IETF DMARC WG <dmarc@ietf.org>
References: <160513169495.16356.6565556939968267867@ietfa.amsl.com> <CAHej_8=hvo2f6f_d3tYs2xVV1JnGvQsuqxFqJXJKmgfpTiSO3w@mail.gmail.com> <CAHej_8mzRo4cxxLrpeVZTcKC032OexK21=UgNhNDiTcRy713xA@mail.gmail.com>
Message-ID: <3a5548b7-cb41-1533-93c3-dbecc800be19@gmail.com>
Date: Sat, 12 Dec 2020 06:45:31 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
In-Reply-To: <CAHej_8mzRo4cxxLrpeVZTcKC032OexK21=UgNhNDiTcRy713xA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------FBC624D15EE5ED74A86A8B1A"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/fcYTbe13wTgTfLgmtP4MXFKctTk>
Subject: Re: [dmarc-ietf] Proposed Introduction and Abstract (was I-D Action: draft-ietf-dmarc-dmarcbis-00.txt)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2020 14:45:39 -0000
Some comments and suggestions... On 11/19/2020 2:55 PM, Todd Herr wrote: > This thread hasn't generated any discussion or momentum yet, and I > know that's not because y'all have found the proposed text for the > Abstract and Introduction to be acceptable, so I'm going to add the > text to this thread and see where the discussion leads. > > ----------------------------------------------- cut here > ---------------------------------------------------- > > Abstract > > > This document describes the Domain-based Message Authentication, > > Reporting, and Conformance (DMARC) protocol. > > > DMARC is a scalable mechanism by which a mail-originating > > organization can express domain-level policies and preferences for > > message validation, disposition, and reporting.Mail-receiving > > organizations can in turn use these expressions of policies and > > preferences to inform their mail handling decisions should they > > choose to do so. > Alternative second par, to improve focus and provide more complete, initial description: DMARC permits the owner of an author's domain name to enable validation of the domain's use, to indicate the implication of failed validation, and to request reports about use of the domain name. Mail receiving organizations can use this information when evaluating disposition choices for incoming mail. I suggest this introductory text focus less on low-level technical details or references, and more on setting the stage, by characterizing functional benefits and, perhaps, very general statements about the approach. This is the place to build market demand, by focusing on the why and what, not the how. > This document obsoletes RFC 7489. > > > [...] > > > > 1.Introduction > > > RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH BEFORE PUBLISHING: > > The source for this draft is maintained in GitHub at: > > https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis > <https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis> > > (https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis > <https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis>) > > > The Sender Policy Framework ([RFC7208]) and DomainKeys Identified > > Mail ([RFC6376]) protocols provide domain-level authentication, and > ...authentication, which is not directly associated to the rfc5322.From field domain name, and DMARC... > DMARC builds on these protocols.DMARC is designed to give > > ADminstrative Management Domains (ADMDs) that originate email > theability to publish in a DNS TXT record their email authentication > > policies, specify preferred handling for mail that fails > > authentication checks, and request reports about mail purportedly > > originated by the ADMD, as determined by the RFC5322.From header in > > the message. > Repeating from the Abstract: DMARC Builds on these protocols. DMARC permits the owner of an author's domain name to enable validation of the domain's use, to indicate the implication of failed validation, and to request reports about use of the domain name. Mail receiving organizations can use this information when evaluating disposition choices for incoming mail. The 'domain' in ADMD is not the same as in 'domain name' and, arguably, DMARC has nothing to do with ADMDs, but only with domain names. This is an important distinction. The linkage between the two comes from operational arrangement, not anything inherent in DMARC. I'm not sure how to reflect this fact in the text. /d btw, use of vocabulary like ADMD changes the requirement for the reference to RFC 5598, in the Terminology section. The current text is a casual suggestion. It needs to be something like: References and terminology that are not defined in this specification are drawn from RFC 5598. > > As with SPF and DKIM, DMARC authentication checks result in verdicts > > of "pass" or "fail".A DMARC pass verdict requires not only that SPF > > or DKIM pass for the message in question, but also that the domain > > validated by the SPF or DKIM check is aligned with the domain in the > > RFC5322.From header.In the DMARC protocol, two domains are said to > perhaps add reference to Section 3.1, for definition of alignment, rather than do a definition here. Having something defined more than once in a specification can get problematic. > be "in alignment" if they have the same Organizational Domain > > (a.k.a., relaxed alignment) or they are identical (a.k.a., strict > > alignment). > > > A DMARC pass verdict asserts only that the RFC5322.From domain has > verdict -> resut asserts -> indicates > been authenticated in that message; there is no explicit or implied > > value assertion attributed to a message that receives such a verdict. > > A mail-receiving organization that performs DMARC validation checks > > on inbound mail can choose to use the results and the preferences > > expressed by the originating domain for message disposition to inform > > its mail handling decision for that message.For messages that pass > A mail-receiving organization that performs a DMARC validation check on inbound mail can choose to use the result and the published assessment by the originating domain for message disposition to inform its mail handling decision for that message. trying to move away from policy or directive (also changed to singular; it seems to make specification language easier to write...) > DMARC validation checks, the mail-receiving organization can be > > confident in applying handling based on its known history for > > similarly authenticated messages, whereas messages that fail such > > checks cannot be reliably associated with a domain with a history of > > sending DMARC-validated messages. > For mail-receiving organization supporting DMARC, a message that pass validation is part of a message stream that is reliably associated with the domain owner. Therefore reputation assessment of that stream, by the mail-receiving organization, does not need to be encumbered by accounting for unauthorized use of the domain. A message that fails this validation cannot reliably be associated with the aligned domain and its reputation. > > DMARC also describes a reporting framework in which mail-receiving > > domains can generate regular reports containing data about messages > > seen that claim to be from domains that publish DMARC policies, and > > send those reports to the ADMD as requested by its DMARC policy > > record. > ADMD -> address While another use of ADMD is appealing, the construct in this part of DMARC is really just an address. Any address. > > Experience with DMARC has revealed some issues of interoperability > > with email in general that require due consideration before > > deployment, particularly with configurations that can cause mail to > > be rejected.These are discussed in Section 9. > > > d/ -- Dave Crocker dcrocker@gmail.com 408.329.0791 Volunteer, Silicon Valley Chapter American Red Cross dave.crocker2@redcross.org
- [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbi… internet-drafts
- [dmarc-ietf] Proposed Introduction and Abstract (… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Gene Hightower
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Murray S. Kucherawy
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dma… Todd Herr
- Re: [dmarc-ietf] Proposed Introduction and Abstra… Todd Herr
- Re: [dmarc-ietf] Proposed Introduction and Abstra… Dave Crocker
- Re: [dmarc-ietf] Proposed Introduction and Abstra… Alessandro Vesely