Re: [dmarc-ietf] Ticket #1 - SPF alignment
Todd Herr <todd.herr@valimail.com> Mon, 08 February 2021 14:50 UTC
From: Todd Herr <todd.herr@valimail.com>
Date: Mon, 08 Feb 2021 09:50:09 -0500
Message-ID: <CAHej_8k6DA8140QB2buaRCaJfc0U9fVSC=nSAu-dWsZshCRX_Q@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/hoV-e1QSG-UH27QOrOjd6zU3p_Y>
On Sun, Feb 7, 2021 at 7:35 AM Douglas Foster <dougfoster.emailstandards@gmail.com> wrote:

> "We have a lot of other topics" is the wrong reason to call for consensus. The important question is "Ale, have we addressed your concerns?"
>
> I agree with many that for DMARC, our primary interest is whether SPF validation of MAILFROM produces a PASS.

That's only partially correct. For DMARC, the SPF validation of MAILFROM must produce a PASS and the identifier must align with the RFC5322.From header domain. Absent both the PASS verdict and the alignment, the <policy_evaluated> section of the aggregate report will show "fail" for SPF, even if the <results> bit of the <auth_results> section shows "pass" in the <spf> sub-section.

> However, I also see that a cautious recipient may choose to also require SPF HELO = PASS and / or fcDNS HELO = PASS ( VERIFIED ). Getting a PASS on these multiple criteria increases the confidence in the PASS result, but also increases the likelihood of ambiguous results and false rejects.
> Therefore:
> - Recipients need to be cautious about enforcing rules so strictly that sender configuration errors produce unwanted disposition decisions.
> - Senders need to be careful to ensure that they configure their policy to produce both SPF MAILFROM = PASS and SPF HELO=PASS.

The likelihood of a HELO identifier both passing an SPF check and aligning with the RFC5322.From identifier is, I would venture, so small as to be immeasurable for shared services such as ESPs, mailing list servers, and the like. Perhaps they could eventually be convinced of a need to publish SPF records, but that wouldn't do much of anything to change the <policy_evaluated> results for DMARC. Getting an SPF pass verdict alone for these identifiers isn't enough to alter the DMARC validation results; the identifiers must align, too.

From a practical standpoint, I don't believe SPF MAILFROM=pass/SPF EHLO=fail would be useful information to mailbox providers for the significant volume of mail routing to their customers from shared services; I get quite a lot of such mail to my Gmail mailbox each day, wanted mail that is correctly routed to my Inbox.

Beyond all that, though, SPF can fail for both the MAILFROM and the EHLO identifier on any given message, but if the message is DKIM signed in a way that aligns with the RFC5322.From domain and the DKIM validation check passes, then the message will correctly be described as having gotten a DMARC pass verdict. We've spent quite a lot of time on this list discussing authentication checks that can, by themselves, result in a DMARC pass verdict, but that cannot, by themselves, result in a DMARC fail verdict. A message has to fail SPF validation/alignment checks and DKIM validation/alignment checks in order to fail DMARC.

I am not suggesting that the DMARC spec be updated to require that both SPF and DKIM pass and align in order for DMARC to pass, because while I believe it to be best practice for senders to align both SPF and DKIM identifiers, I believe it would cause too much breakage in existing running code and sender configurations to be worth it to mandate such things.

> Altogether, I think some wordsmithing is needed to communicate those points. I do not have such wording at this moment, but will begin thinking about what I would propose. Perhaps those who are anxious to move on will be able to produce text sooner.
>
> I have also raised a concern about the inadequacy of reporting these results, since "Received-SPF: pass" is currently a compliant header. We can defer this issue to a later ticket, but we need to be thinking about the problem. If this requires no change, I would like some discussion of why that might be the case.

What the message recipient does with all this authentication information is left as a local policy decision, a decision that is likely to be made using more data points than just the SPF, DKIM, and DMARC validation verdicts. The DMARC spec does not mandate that a message passing DMARC checks be accepted, nor does it mandate that a message failing DMARC checks be rejected, even if the relevant policy published by the domain owner is "p=reject", and I am absolutely not suggesting that the DMARC spec be written in such a way as to mandate such behaviors.

In my opinion, the text that should appear in the DMARC spec to sum up these points is "A DMARC pass verdict means only that the message can be reliably associated by the recipient with the identity on which the DMARC validation check was performed, and a DMARC fail verdict means that it cannot be so associated."

--
Todd Herr | Sr. Technical Program Manager
e: todd.herr@valimail.com
p: 703.220.4153
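An added illustration of the evaluation described in the message above (it is not code from the thread or from any DMARC implementation): a verifier combines the SPF MAILFROM result and each DKIM signature result with identifier alignment against RFC5322.From, so an SPF "pass" on an unaligned identifier still yields SPF "fail" in <policy_evaluated>, an aligned DKIM pass alone gives a DMARC pass, and DMARC fails only when both fail. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for a real Public Suffix List lookup (an assumption, as are the domain names used).

```python
from dataclasses import dataclass

# Constructed stand-in for the Public Suffix List; a real verifier consults the PSL.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain: str) -> str:
    """Organizational domain: the public suffix plus one more label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def aligned(ident: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') compares organizational domains."""
    if mode == "s":
        return ident.lower() == from_domain.lower()
    return org_domain(ident) == org_domain(from_domain)


@dataclass
class AuthResult:
    domain: str   # identifier the check was performed on (MAILFROM domain or DKIM d=)
    result: str   # "pass", "fail", "none", "softfail", ...


def policy_evaluated(from_domain, spf, dkim_sigs, aspf="r", adkim="r"):
    """Return the <policy_evaluated> SPF/DKIM verdicts and the resulting DMARC verdict.

    spf:       AuthResult for the RFC5321.MailFrom identifier. The HELO identity is
               not considered, since it practically never aligns with RFC5322.From.
    dkim_sigs: one AuthResult per DKIM signature; any aligned passing one suffices.
    """
    spf_ok = spf.result == "pass" and aligned(spf.domain, from_domain, aspf)
    dkim_ok = any(s.result == "pass" and aligned(s.domain, from_domain, adkim)
                  for s in dkim_sigs)
    return {"spf": "pass" if spf_ok else "fail",
            "dkim": "pass" if dkim_ok else "fail",
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}
```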