IETF Logo Mail Archive

Re: [dmarc-ietf] auth-res vs. dmarc

Dotzero <dotzero@gmail.com> Wed, 30 December 2020 15:06 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B146D3A00C4 for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 07:06:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uf1HHL0DLhap for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 07:06:02 -0800 (PST)
Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EC183A0045 for <dmarc@ietf.org>; Wed, 30 Dec 2020 07:06:02 -0800 (PST)
Received: by mail-qv1-xf31.google.com with SMTP id h16so7782481qvu.8 for <dmarc@ietf.org>; Wed, 30 Dec 2020 07:06:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=QqH0s4YGqqYtnsEOTXjNE1YfOKDjM8YleT417+Li6Jc=; b=cfQ/9Qc9pTIVUoQTythYQrNwu5ipw64J3VXHWRAni+bdMaOoWiIlnHwvINRyv0p9OI /JxDlcT+ewm1JlNN63GS2OS+D9rsEzMjaMUfB5UlU7Wa8VmOAfHbFV/Mg4J2W9HefdSU +rDHxNWqYNgNKut8XZdG5XAWEyk84ZutB0QmJSzjPNS9dUtfQeFO4kJV0psTGL2U/Xnk 8Cj4PgWUEEUjDk3CwdjaFZsNJBf6cwBxMRp03xoCUE6hmHIk+2JgUl9R0cRE9nDVrtIw NagWDWJT+e8DhJPlUkuC0eyxou1MA73P67QAu4pCLjk1v9xQdc+tPnRbGZBIVb0MxZBT E86Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=QqH0s4YGqqYtnsEOTXjNE1YfOKDjM8YleT417+Li6Jc=; b=Ged9zIjsFsJy6aNIrPa0cPA9pi+65Bb5JnJB1gBI1t/Ve2nDEr7WGVYmYlAENdneZn lHsUHsUqTJIrsP9U1KlszbJVzxw2F94TS9BDKAHeU6Msk6x6Mw1MrFytd4qRHLYvZxRi P2fu15lHtewN1GcOurD5CfD5Pvrib3biiJPJXdiskS4LC8atp6ap9ivGvK+tQcN8lgZ/ W4tLrTKLpGdKhufGomeQdhz2TTqWhrCrJR0p1SD9ZWlas8IfYjrBmLsGC9gWHGOC+c+6 52lI5jsmQAZ9JX8tRosYjQ5zpdlDyaUaSoplOv9UsuttH8QMjnTZ7P0lXrN0LFIvz+6q ZEEw==
X-Gm-Message-State: AOAM530uAI7wbJn2R5TIYX2xbYE8PUbeYExjE6SKxvWGEURQyjMg0+Qd RYTXMPm5m+aSZX7mwUaNszzR8LyCxMSOh5cgkgoo3sOz
X-Google-Smtp-Source: ABdhPJy0m4oaT67qhmX76NQz7JU1irDX9GhWOCqO3C+GAAbiNrtKUD+t/3lNlE+ibkY4ad3r5u05SmOvT0hmPbGRzD8=
X-Received: by 2002:ad4:5762:: with SMTP id r2mr57482343qvx.45.1609340761497; Wed, 30 Dec 2020 07:06:01 -0800 (PST)
MIME-Version: 1.0
References: <9f6782b1-e85b-1a9c-9151-98feff7e18ea@mtcc.com> <CAHej_8m0OWsTt+tcSgUh+Fxu=HH_57nsb2O1Q_fgA2453ceh4g@mail.gmail.com> <140485eb-020f-4406-3f2f-e2c475ea51e5@mtcc.com> <CAHej_8mApfoF2ORgL+DoYTanrdhMjvT9H27kORwLKCQc1C9sRw@mail.gmail.com> <5588dbbe-b876-ed80-c80f-792380e3718f@mtcc.com> <CAHej_8=kW_t_JkOxUud1Uz8+PrbMh5CfwfxZK=mhe0wjW8wQpw@mail.gmail.com> <54dd9978-bcd1-6757-ad27-dcef6db6e5f7@mtcc.com> <CAHej_8kCi=7oqojDH_rbjn7kRg-PTDJWLgcKTGK9z-baUnKeMw@mail.gmail.com> <ef32de1e-d47e-1d0f-3cec-5994c7fdb7ae@mtcc.com> <CAHej_8kjSsQK_XEbdjWzV5npa29YjGadzD06Fmx3QLB4p+n_Cg@mail.gmail.com> <937f1019-a028-308d-2a0f-1e720fd49dcd@mtcc.com> <d8014c2a-c1c9-9eac-e64a-5f285bab7fd3@tana.it> <CAHej_8mgYr9ERAxmup+keZT5u8L+qgCxcSLH7Z=BEuZLouttpg@mail.gmail.com>
In-Reply-To: <CAHej_8mgYr9ERAxmup+keZT5u8L+qgCxcSLH7Z=BEuZLouttpg@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Wed, 30 Dec 2020 10:05:50 -0500
Message-ID: <CAJ4XoYfP+kNbe9pOxR31TyTGLV2jxsFJKmUqsHkBD+XEdS9JBw@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000069655705b7afd8dc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/hSh5V7ERXVfBsU_9Q22QLdAHyik>
Subject: Re: [dmarc-ietf] auth-res vs. dmarc
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 15:06:05 -0000

Absolutely agree with Todd's analysis and comments. +1

Michael Hammer

On Wed, Dec 30, 2020 at 8:48 AM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> On Wed, Dec 30, 2020 at 4:42 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> On Tue 29/Dec/2020 22:02:20 +0100 Michael Thomas wrote:
>> > On 12/29/20 12:47 PM, Todd Herr wrote:
>> >>> Unless those values in parens are a MUST requirement, the dmarc=fail
>> is
>> >>> highly misleading.
>>
>>
>> I agree with Michael here.  When a (trusted) dmarc=fail is seen
>> downstream, its consumers neither know what policy was specified nor
>> whether it was honored.
>>
>
> That depends on your definition of "downstream", I guess.
>
> MDAs and local clients (web and mobile) at the mailbox provider will have
> the information they need.
>
> Third-party MUAs perhaps won't, but MUAs aren't really responsible for
> message disposition in a way that is relevant to DMARC's primitive
> disposition choices, except in those cases where they're POP clients that
> download everything to a local message store, I guess; maybe in that case
> DMARC policy request and DMARC validation results could be used to make the
> Inbox v. Spam decision.
>
> If the host recording the Auth-Res header is a true intermediary like a
> mailing list server, there's no disposition information to record that will
> matter to the downstream; in that case, if the intermediary rejects it, the
> downstream will never see it, and if it doesn't reject it, then it's not
> making any disposition decisions.
>
>
>>
>> >> As for the parenthetical bits, I believe they too are covered in RFC
>> 7601
>> >> section 2.7.6:
>>
>>
>> For parenthetical info to be machine readable, A-R consumer software has
>> to be dedicated to A-R producer.  An blatant standardization shortcoming.
>>
>
> The text of 2.7.6 (RFC 8601) I believe indicates that the parenthetical is
> just a comment:
>
>    Authentication method implementers are encouraged to provide adequate
>    information, via message header field comments if necessary, to allow
>    an MUA developer to understand or relay ancillary details of
>    authentication results.  For example, if it might be of interest to
>    relay what data were used to perform an evaluation, such information
>    could be relayed as a comment in the header field, such as:
>
>         Authentication-Results: example.com;
>                   foo=pass bar.baz=blob (2 of 3 tests OK)
>
>
>
> My position is that both the message handling request conveyed by the
> domain owner in the p= value of their policy record and the message
> disposition are "ancillary details of authentication results", because
> while the disposition may be driven by those results, neither impacts the
> results nor how those results are determined.
>
>
>>
>>
>> > [...] So that's useless for the MUA trying to use auth-res. You would
>> > never display a DMARC FAIL or fail of any kind for p=none. It doesn't
>> >  make sense to the user. Likewise, even if we're talking about a
>> > downstream MTA parsing the auth-res, it will be useless to it as well
>> > because it has the same problem not knowing the context of the
>> > "failure".
>>
>> That is especially true for quarantine.  As DMARC is often verified by a
>> filter during the SMTP exchange, the filter has to commission the MDA to
>> possibly honor a quarantine request.  In order to do that, the filter needs
>> to communicate the results of authentication to the delivery agent.  Not
>> using A-R for this task, or resorting to parenthetical info, is
>> preposterous.
>>
>
> MDAs have been routing messages to spam folders on the instruction of MTAs
> long before the Authentication-Results header existed. Many years ago when
> I worked in email operations, our third-party software supported the
> concept of the spam-filtering layer inserting an X- header to be read by
> the MDA to use in inbox/spam folder placement. We're making assumptions in
> this thread that the A-R header is driving things, but we really have no
> idea how each mailbox provider does things unless we work there.
>
>
>>
>> I propose to add two new result name codes, named after the policy
>> requests:
>>
>>     dmarc=quarantine, and
>>
>>     dmarc=reject (of course, you only see this if the filter didn't honor
>> the request).
>>
>>
> I do not support this, because quarantine, reject, and none are not
> Authentication Results, but are instead both policy requests and
> disposition decisions.
>
> --
>
> *Todd Herr* | Sr. Technical Program Manager
> *e:* todd.herr@valimail.com
> *p:* 703.220.4153
>
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email