IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Hector Santos <hsantos@isdg.net> Tue, 27 June 2023 19:22 UTC

Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CBEEC1516FF for <dmarc@ietfa.amsl.com>; Tue, 27 Jun 2023 12:22:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b="BqjSYOLX"; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b="HoUp1s9F"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fsja5Xafbe5D for <dmarc@ietfa.amsl.com>; Tue, 27 Jun 2023 12:22:15 -0700 (PDT)
Received: from mail.winserver.com (mail.winserver.com [3.137.120.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44596C1516F3 for <dmarc@ietf.org>; Tue, 27 Jun 2023 12:22:15 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=16926; t=1687893728; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:From:Subject:Date: Message-Id:To:Organization:List-ID; bh=ZeypGooPC456yna3T66uu1/mE LxtK5FwMZOSmX7a0As=; b=BqjSYOLXRm3Dv6RvgBpF1HEXdlNUfhn0/Dx2lN2Cn KwjMYDHqHGeZ977nmpL7/83EdXIiAZ5phNxkKJQHduOD8zGGHn3ozCHNs52qAlE8 XsgKXLHNCGPGgDhvvYEKVf816AMX6NDa02Mp9k+gdeqaCfbnx150nQGwH6n5Q+Gm Ys=
Received: by winserver.com (Wildcat! SMTP Router v8.0.454.13) for dmarc@ietf.org; Tue, 27 Jun 2023 15:22:08 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=none author.d=isdg.net signer.d=beta.winserver.com; dmarc=pass policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([3.132.92.116]) by winserver.com (Wildcat! SMTP v8.0.454.13) with ESMTP id 3991440130.1.6260; Tue, 27 Jun 2023 15:22:08 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=16926; t=1687893727; h=Received:Received: From:Subject:Date:Message-Id:To:Organization:List-ID; bh=ZeypGoo PC456yna3T66uu1/mELxtK5FwMZOSmX7a0As=; b=HoUp1s9FLU3z1FdsgZIkW6r VnjbgKA+LqKz6gml6chDQu8JNt3RQAtJlEgJbs9l7bmcD5iy844yYUA0dWiv8Izf jYA+8YXoN7N9TPjWKQbzKk9Wo/ufqi1VHpKd95bNq12aL9EYkUDPCtjrYzbBnh43 w1eYAMr/Av4tA3DD+KIQ=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.12) for dmarc@ietf.org; Tue, 27 Jun 2023 15:22:07 -0400
Received: from smtpclient.apple ([99.122.210.89]) by beta.winserver.com (Wildcat! SMTP v8.0.454.12) with ESMTP id 142528974.1.18124; Tue, 27 Jun 2023 15:22:06 -0400
From: Hector Santos <hsantos@isdg.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C4E074D7-69B5-470F-93D3-454347687F50"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Tue, 27 Jun 2023 15:21:55 -0400
In-Reply-To: <CAH48ZfwB-U_c=8KFcvSpSp-oXo4esy=x=cSgrWE6k4aF2hfFog@mail.gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com> <CAL0qLwasxzqJt7Hr7gZd86C=ivCrDUci_i6pkJJUTnqzL1pHMA@mail.gmail.com> <CALaySJ+gjR6D-OSE_07iSH2zXa7wypUQwPN1cL-1s+NC2S4L8g@mail.gmail.com> <99e1ef2d-053b-8cfe-f369-fa8475d142ae@tana.it> <CAH48ZfwB-U_c=8KFcvSpSp-oXo4esy=x=cSgrWE6k4aF2hfFog@mail.gmail.com>
Message-Id: <DAB1D8D3-15DB-4362-B64A-99F0883C331A@isdg.net>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
X-Comment: Missing recipient address appended by wcSMTP router.
To: dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/h9D4uYk3fCwnlfrybqc1wnco3eE>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jun 2023 19:22:20 -0000

Doug,  this is Wildcat! SMTP - one of the oldest SMPT packages around. Summary here:

Without some signal at wcSMTP about DMARC,  SPF will most likely remain a hard rejection at WCSAP/SMTP (at RCPT state) before DMARC at DATA

Background:

Since 2003, out of the box, Wildcat! SMTP with add-on tools, wcSAP and wcDKIM, the mail flow is:

(Note: for the record, email is a small part of winserver.com, but a supportive part for many customer operations)

At SMTP, starting with remote client connection:

1) If Enabled, Check for DNS-RBL IP check, respond at step 8 in order to collect envelope data.
2.0) Check for smtpfilter-connect.wcx script, run it if found
2.1) Check for Geo-Location IP Blocks, very unethical practice.
3) HELO/EHLO: Check EHLO/HELO on technical merit like IP Literal matching Connect IP (CIP)
4) MAIL FROM: Check for Local domain MAIL FROM spoof
5) MAIL FROM: Accept 250 pending RCPT validation
6) RCPT TO: not valid 550 
7) RCPT TO: Valid starts WCSAP.WCX (p-code) Wait for Response.

At WCSAP (Wildcat! Sender Authorization Protocol):

8)  WCSAP: Record if DNS-RBL IP blocked at 1, exit response 55z
9) WCSAP: Run sysop-defined text-based simple White/Block Accept/Reject If rules
10) WCSAP: Run SPF.  Failure return 55z or 45z
11) WCSAP: Run CBV,  Failure return 55z or 45z
12) WCSAP: return 250

Back to WCSMTP RCPT state

8) RCPT response provided, reject 55z/45z or 250 continue, Receiver-SPF header prepended.
9) DATA is transferred, Received: trace line prepended.
10 Before DATA response, run stack of SMTP mail filters written in-house or 3rd party:

At  SMTPFILTER-xxxxxxx.wcx, specifically SMTPFILTER-DKIM-VERIFY.WCX

11) Check for ADSP + ATPS
12) Check For DMARC + ATPS
13) Record Authentication-Results
14) DMARC Rejection Failures are DISABLED. Auth-Res Prepended.
15) Return any 55z, 45z or 250 based on SMTPFILTER-xxxx,wcx filters.

Back to DATA, 

16) DATA response is provided.
17) 250 mail is accepted, router signaled for MDA import or MTA forwarding.
18) Wait 30 seconds for client new transaction command, QUIT and/or DROP

Pretty much it.  

We have too much invested in our integrated Wildcat! Internet Net Server mail platform — one of the oldest platforms since the 80s. 

My long time customers, sysops, sysadms, love the flexibility and  p-code and low code programmability for operators and 3rd party developers!  

I have provided the DMARC option to the SMTPFILTER-DKIM-VERIFY.WCX to return 55z response for DMARC p=reject but it is compiler disabled.  However, anyone can write a new mail filter script to run at DATA for DMARC, but it has yet to happen.  Not surprise there.   If we don’t provide it, I don’t expect them to do it.

In WCSAP, the SPF handling of the result can be set to not reply with 55z for a SPF hard failure.  

This will allow SMTPFILTER-DKIM-VERIFY.WCX to see a SPF=fail Received-SPF header. But at the moment, out of the box, DMARC will never see a SPF reject.

From an innocent IETF implementor, my integration enhancement for DMARC might be:

With SUBMITTER enabled, you will MOST DEFINITELY see this from supportive clients:

	C: MAIL FROM:<return-path> SUBMITTER=pra 

where pra is Purported Responsible Address, normally 5322.From,  Low volume or not, you will see it.

I plan to use the PRA to get DMARC information. 

First I will assume the signer is aligned so the next check is for return-path alignment.  

Second, if auth=dkim tag exist,  I could offer an option to relax SPF in both WCSAP.WCX and SMTPFILTER-DKIM-VERIFY.WCX.

Without some signal at wcSMTP about DMARC,  SPF will most likely remain a hard rejection at WCSAP/SMTP (at RCPT state) before DMARC at DATA.

—
HLS

> On Jun 27, 2023, at 7:58 AM, Douglas Foster <dougfoster.emailstandards@gmail.com <mailto:dougfoster.emailstandards@gmail.com>> wrote:
> 
> Ale, here is an attempt at a formal model.   Application to the current question is at the very end.
> 
> Any test (DKIM, SPF, ARC) has these result possibilities:
> Pass
> No data or uncertain result
> Fail
> 
> The test results are imperfect, so we have to consider these probabilities
> 
> Probability that PASS is a correct result
>        Probability that a false PASS will be whitelisted or not blocked in content filtering
>              Net result that a false PASS is delivered to the user
> 
> Probability that a NoData / Uncertain result is correct (presumed 100%).
>       Probability that an Uncertain message is wanted or unwanted.
>           Probability that an unwanted message is or is not blocked by content filtering
>                Net probability that an unauthenticated and unwanted message is delivered to the user
> 
> Probability that FAIL is a correct result
>       Probability that a FAIL result is blocked by local policy (presumed 100%)
>            Probability that a false FAIL is actually wanted
>                   Net probability that false FAIL blocks a wanted message
> 
> My strategy is documented in my "Best Practices" draft submission.   To summarize my experience:
> - The frequency of a true PASS is high, so the probability of a false PASS is low
> - The probability of a false PASS being detected by content filtering is pretty good.
> - The frequency of a true FAIL is low, so the probability of a false FAIL is high.
> - Uncertain messages have a high percentage of unwanted messages, but also a non-trivial volume of wanted messages.
> 
> My conclusions:
> FAIL messages should be submitted to content filtering to collect more data
> Blocking on FAIL alone, despite content filtering PASS, has always caused me more harm than good.
> Treating UNCERTAIN as equivalent to PASS is harmful.  Uncertain messages can be as unwanted as FAIL.
> FAIL and UNCERTAIN messages need to be reviewed and confirmed.   When confirmed, the message is allowed or blocked based on local policies which are informed but not controlled by the sender's published policies.
> Quarantine on FAIL or UNCERTAIN is superior to Block, because it allows for ambiguity to be removed and policy rules to be updated
> When FAIL and UNCERTAIN volumes are too high, an arbitrary disposition can be applied immediately, but statistical sampling should be used to review the disposition decision after the fact, so that local policies can be updated.
> Application to the current AUTH proposal:
> I expect SPF AND DKIM will cause sender policies to be less believable, because a high rate of FAIL will occur on wanted messages, so I expect to treat SPF AND DKIM as SPF OR DKIM by local policy.
> I trust DKIM more than SPF so I see no reason to honor SPF ONLY. I will continue to apply SPF OR DKIM .
> I see the advantages of DKIM ONLY and will honor that policy when it is detected.
> Doug Foster
>

v2.23.0 | Report a Bug | By Email