IETF Logo Mail Archive

Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy for the Author Domain - dmarcbis-06

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 04 April 2022 11:01 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51A963A2069 for <dmarc@ietfa.amsl.com>; Mon, 4 Apr 2022 04:01:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QigTNovXRfe1 for <dmarc@ietfa.amsl.com>; Mon, 4 Apr 2022 04:01:53 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 769413A203A for <dmarc@ietf.org>; Mon, 4 Apr 2022 04:01:53 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id z8so9699802oix.3 for <dmarc@ietf.org>; Mon, 04 Apr 2022 04:01:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=2mLKTiM6TFMUptb3AOpk2CSm9couubWbeaxrzZkWb8k=; b=PAJSHMMtoCfzkGch1PDcMmBzOkzhtwD02KgNicxrEB1ai+D0HoTxqrYvYKTnv7Eu95 5aEK9CaIvY95heAzrMNKjYTJKMFyICD8fjHOPYvEKmrod+INi4XUGWybSfzN7RiRzQxz +12pAYb0wacmXMHYQwe7uVxog7ehNTMYiLbvYr6BEl9qFosUNLPpmOjeM4kDp4X2BtbN w4PJyraJoSM0lQj+/awRhpfbFBLNhu6M5QoXdyJA8/irDTeyCrh/e/BP7KC7OeNESLAr nKuRJo3SftNNIQYPMn62JHPfngFntexYMyuhN3X6EkejCCrq0QZcNH5Z30Pd1+Hk+C+c +rmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=2mLKTiM6TFMUptb3AOpk2CSm9couubWbeaxrzZkWb8k=; b=4UP6A5ASc/KFLvgjl8gvN5LBNZiU4vQXQrHO+uetV0r+oUiAeYh1pi5g5FX92zvunR RJR9/vTQJl8LKtokvG7myh4uWvPCh6QjZBCsIsjzr1g2fC/eRwU79XyiLCcX32I4/ypQ QaAyHlNYY/lTNkT0Fo7TjQzeWkqv0jxXLJOo7SHrsOD3ZW+zLMQkdM125PkVnKIy6LKE 1vSVcFl1Sh75baLu8Wo+MmMmYVK3xoh4I0iRcBwRx2DYARVdhMqWDsAYTRdADkJbs4tk s5ZudQrXyNn1JHqPKsQVlz0LHRNX+PJGwn+wn9Ld5cQF91dik1I6lbBBjZ8uXmfEpjm0 q6UA==
X-Gm-Message-State: AOAM531H+YvaDC4S2FJYrXVoqresB4O72eiYoRUQqFR+awCUOHY/Vgqf jOnsHyKfNzwUU4rvXPWRG2lOCO9IxmPkgytwUede0IhXTMY=
X-Google-Smtp-Source: ABdhPJx6Glap4pdtG7nDMZdSKNO/If0AesTVjId4Z8q/wLFHgBAKKp0Ur3GT84rfduFzQjuQLGM8YYzAP7h0h6hCXtQ=
X-Received: by 2002:a05:6808:2183:b0:2da:6d62:6ec6 with SMTP id be3-20020a056808218300b002da6d626ec6mr9801120oib.51.1649070112116; Mon, 04 Apr 2022 04:01:52 -0700 (PDT)
MIME-Version: 1.0
References: <20220403024904.479EA3A462E4@ary.qy> <45a019b3-3f97-6c56-409b-5a3f9f2d06ba@tana.it> <83bed554-8def-0952-28e8-47cf6abe67df@taugh.com> <f1ae6447-0f91-39e5-fdbe-e6f9edba31c4@tana.it>
In-Reply-To: <f1ae6447-0f91-39e5-fdbe-e6f9edba31c4@tana.it>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 4 Apr 2022 07:01:42 -0400
Message-ID: <CAH48ZfwnDP2smDrUbb7yqgrBwdsXFa=CFpjT3fJDpse-yk8uEw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003e123705dbd20ed4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/hj83lR4Th4XVtwdTPu-0ENCCvN8>
Subject: Re: [dmarc-ietf] 5.5.4. Publish a DMARC Policy for the Author Domain - dmarcbis-06
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2022 11:01:59 -0000

Ale is correct on these points:

1. The exact-match test should be applied before any tree walk, not at the
end.

2. The design MUST distinguish between a public suffix operator and a
private registrar.   When the exact-match domain is a public registrar, the
result is FAIL-FromInvalid, triggering a hard reject.   When the
exact-match domain is a private registrar, we SHOULD have an indicator to
know whether or not the domain is used for mail, but with that omitted, we
have to assume that the private registrar domain sends mail and may be
either an organizational domain or a subdomain of an organization.


Additionally, the specification would be much improved if it first defined
the interfaces to the two functions, and then explained the
implementations.  The actual processing logic has significant differences
between the two functions.

While the current text treats the organizational domain search and default
policy search as different tasks, they are easily handled as a single
function.   When either lookup is needed, we invoke:

Status = FindOrgData(  RFC5322.From IN,  OrganizationalDomainFQDN OUT,
DefaultPolicyRecord OUT)
Where Status =  ( SUCCESS | PERMERROR )


When the Relaxed Alignment test is needed, the interface definition is:

Status = CheckRelaxedAlignment( CandidateDomainFQDN IN,
OrganizationalDomainFQDN IN, RFC5322.From IN )
Where Status = ( ALIGNED | UNALIGNED )


Notes on FindOrgData
The exact-match policy is checked first.
1. If a policy is found and specifies Strict Alignment for both SPF and
DKIM, the organizational data is not needed, so the function is not called.
2. If a policy is found and it is tagged as an organizational domain
policy, then the organizational data is already known, so the function is
not called.
3. If a policy is found, and is not tagged as a PSD policy, and the
RFC5322.From domain is only two segments, then the organizational data is
already known, so the function is not called.

Notes on CheckRelaxedAlignment:
1. The CheckRelaxedAlignment is called for each verified SPF or DKIM
domain, until ALIGNED status is returned or the list of candidates has been
exhausted.
2. If the policy specifies strict alignment for the candidate domain type
(SPF or DKIM), then the function is not called for that candidate domain.
A string match is used instead
3. The CheckRelaxedAlignment function could be implemented without using
the RFC5322.From address as a parameter, but this data element permits a
number of optimizations, including an embedded exact-match test.

We have two proposed implementations of these functions, one based on the
PSD and one based on Tree Walk.  However, as an evaluator, the Tree Walk
does not yet earn my trust.

Doug


On Mon, Apr 4, 2022 at 4:19 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Sun 03/Apr/2022 18:07:29 +0200 John R Levine wrote:
> > On Sun, 3 Apr 2022, Alessandro Vesely wrote:
> >
> >>> (If the one beneath it has no DMARC record, is it still the org
> domain? I
> >>> think it is.)
> >>
> >> This seems to be inconsistent with the sentence that follows.  Would
> the
> >> landscape change if .com suddenly publishes psd=y?
> >
> > Currently with the PSL lookup, foo.com is an org domain whether or not
> it
> > publishes a DMARC record, and mail.foo.com and sales.foo.com are in
> relaxed
> > alignment.  While I think it would be reasonable to say that an org
> domain has
> > to publish a DMARC record if it's going to be used for relaxed
> alignment, that
> > would be a change from the current rule.
>
>
> The current definition, Section 3.2.7, replicates the original semantic:
>
> 3.2.7.  Organizational Domain
>
>     The Organizational Domain is typically a domain that was registered
>     with a domain name registrar.  More formally, it is any Public Suffix
>     Domain plus one label.  The Organizational Domain for the domain in
>     the RFC5322.From domain is determined by applying the algorithm found
>     in Section 4.8.
>
> The last sentence is particular in that Section 4.8 aims at determining
> the
> Organizational Domain for /any/ identifier, not just the From: domain.  We
> are
> assuming that an org domain can be determined for any domain, always.
>
> At the end of Section 4.8, in order to fulfill that assumption, in the
> absence
> of DMARC records, "the initial target domain" is promoted to the rank of
> Organizational Domain of itself.  That way, a PSD /is/ an org domain,
> which
> formally counters the second sentence in 3.2.7.
>
>
> > Since there is no chance that .com .net .org or other large TLDs will
> ever
> > publish a PSD record it makes little difference in practice, but if we
> agree
> > the org domain needs a DMARC record, we should make clear that this is a
> > deliberate change.  It's a good idea since if foo.com has no DMARC
> record and
> > .com has no PSD record, it won't work as an org domain anyway.
>
>
> To make the change clearer, I suggest to use different terms to indicate
> "working" org domains and registered domains with no DMARC record.
> Perhaps
> using the circumlocution DMARC Organizational Domain could suffice.
> However,
> along with the ubiquitous use of other longish terms (such as the above
> domain
> in the RFC5322.From domain), it makes for a rather wordy spec.  Better
> names?
>
>
> Best
> Ale
> --
>
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.8.7 | Report a Bug | By Email