Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

Jesse Thompson <jesse.thompson@wisc.edu> Mon, 23 November 2020 17:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/gXi_fDZy8f30skUIUYsP5Y3_Nxk>

On 11/23/20 8:28 AM, eric.b.chudow.civ=40mail.mil@dmarc.ietf.org wrote:
> Even for .mil, the vast majority of email domains are fairly short with four or fewer labels. Most of the other ones tend to be individual servers that send automatic performance emails, and I think should be considered more of an edge case and less of our concern. 

This is the case for us as well (e.g. our comp sci high throughput compute cluster servers send automatic emails to both internal and external research collaborators).  I suppose universities are different than the military since the military probably doesn't want their servers to be sending email externally, whereas with a research university cross-institutional collaboration is inherent.

I suppose I consider it an edge case too (a large edge case - I see over 200 of these 4th level domains in our DMARC aggregate reports for the example cluster I cite), but the long tail of servers also aren't likely to change the way they are sending email nor will sysadmins implement SPF/DKIM for every server hostname, etc., so these subdomains are a blocker for publishing sp=reject at the org domain (hence a concern within the context of tree walking).

While I understand that there are implementation challenges that may make this infeasible, what I would *like* to do is ask each of these departments/research teams to publish sp=none at their 3rd level domains (and take over DMARC responsibilities for their parts of the tree) so that we can publish sp=reject at the org domain to protect/manage the rest of the university.

Jesse

P.S. Here are some stats.  Unique domains used in the RFC5322.From resulting from mail sent externally to DMARC reporting organizations in the past 2 weeks:
23 2nd level (org domains)
464 3rd level (359 are subdomains of wisc.edu)
522 4th level (all are subdomains of wisc.edu)
13 5th level
2 6th level

>
> Thanks,
>
> Eric Chudow
> DoD Cybersecurity Mitigations
>
> ------------------------------------------------------------
> *From:* Laura Atkins [laura@wordtothewise.com]
> *Sent:* Monday, November 23, 2020 8:19 AM
> *To:* Murray S. Kucherawy
> *Cc:* IETF DMARC WG
> *Subject:* Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd
> 
> 
> 
>> On 22 Nov 2020, at 06:06, Murray S. Kucherawy <superuser@gmail.com> wrote:
>>
>> On Sat, Nov 21, 2020 at 6:23 PM John Levine <johnl@taugh.com> wrote:
>>
>>     It is my impression that most real From: domains are pretty short. I
>>     don't think I've ever seen one more than four labels long that wasn't
>>     deliberately contrived. Anyone got data on that?
>>
>>
>> I'd bet there are some in .gov or .mil, especially the latter, but otherwise I think the longest one I've seen is five, and that was not a host that receives mail.
>>
>> I'm sure we can all scrape our own mail logs for evidence either way.
> 
> This might be a place where one (or more) of the big ESPs can help. They’re going to have billions of email addresses and know which ones have MXs. I’m happy to ask for that data if it would be of use. 
> 
> laura 
> 
> -- 
> Having an Email Crisis?  We can help! 800 823-9674 
> 
> Laura Atkins
> Word to the Wise
> laura@wordtothewise.com
> (650) 437-0741
> 
> Email Delivery Blog: https://wordtothewise.com/blog
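
The kind of measurement discussed in this thread (label depth of RFC5322.From domains, and which subtrees below the org domain are sending mail that fails DMARC) can be pulled from aggregate reports. The following is an added example, not part of the original message: it assumes reports in the RFC 7489 aggregate XML layout, and the function names, sample records and example.edu domains are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

def _record(header_from, dkim, spf):
    # One <record> in the RFC 7489 aggregate-report layout (only the fields used here).
    return (f"<record><row><policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
            f"</policy_evaluated></row><identifiers><header_from>{header_from}"
            f"</header_from></identifiers></record>")

# Constructed sample data; every domain is a placeholder.
SAMPLE_REPORT = "<feedback>" + "".join(_record(*r) for r in [
    ("example.edu", "pass", "pass"),
    ("example.org", "pass", "fail"),
    ("cs.example.edu", "pass", "fail"),
    ("node1.cluster.example.edu", "fail", "fail"),
    ("node2.cluster.example.edu", "fail", "fail"),
    ("Node1.Cluster.example.edu.", "fail", "fail"),  # duplicate after normalisation
    ("a.b.lab.example.edu", "fail", "fail"),
]) + "</feedback>"

def analyze(report_xml, org_domain):
    """Return (label-depth histogram of unique From domains,
    DMARC-failing From domains grouped by the subtree one label below org_domain)."""
    org = org_domain.lower().rstrip(".")
    keep = org.count(".") + 2          # labels in the org domain, plus one
    unique, failing = set(), defaultdict(set)
    for rec in ET.fromstring(report_xml).iter("record"):
        dom = (rec.findtext("identifiers/header_from") or "").strip().lower().rstrip(".")
        if not dom:
            continue
        unique.add(dom)
        # policy_evaluated carries the aligned DKIM and SPF results; DMARC passes if either does.
        results = (rec.findtext("row/policy_evaluated/dkim"),
                   rec.findtext("row/policy_evaluated/spf"))
        if "pass" not in results and dom.endswith("." + org):
            failing[".".join(dom.split(".")[-keep:])].add(dom)
    histogram = Counter(len(d.split(".")) for d in unique)
    return dict(histogram), {k: sorted(v) for k, v in failing.items()}

if __name__ == "__main__":
    depths, blockers = analyze(SAMPLE_REPORT, "example.edu")
    for depth in sorted(depths):
        print(f"{depths[depth]} domains with {depth} labels")
    for subtree, hosts in sorted(blockers.items()):
        print(f"{subtree}: {len(hosts)} failing From domains")
```

The subtrees listed in the second result are the ones whose mail would be affected if the org domain published sp=reject.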