IETF Logo Mail Archive

Re: [dmarc-ietf] auth-res vs. dmarc

Alessandro Vesely <vesely@tana.it> Wed, 30 December 2020 09:42 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 486DE3A0813 for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 01:42:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id myhAXwh48sE1 for <dmarc@ietfa.amsl.com>; Wed, 30 Dec 2020 01:42:41 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 717E93A0809 for <dmarc@ietf.org>; Wed, 30 Dec 2020 01:42:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1609321357; bh=2JWhCk+UCrEA3k7tELRe7waMj+Jd7l4Osrc5Pcaw6Yc=; l=2402; h=To:References:From:Date:In-Reply-To; b=BcDEaLfS3aZiWahEdNhOmn73RTKBacxlt/sLL5Ngmieizdyaj3TfBPHeBx91IFUsw 23+AD4nOAwVGmohDA+iqHmDbUeS0S6dEdFM6oeUl9bnU2MVnOdDaQt4L3QBmtQBE3J F2YHSaicMrpTA6ePdjYrm0m3bUnIWR2aaRSXpmnENr3gSd+bNfkvQh0XxOQmo
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0CE.000000005FEC4B8D.0000283E; Wed, 30 Dec 2020 10:42:37 +0100
To: dmarc@ietf.org
References: <9f6782b1-e85b-1a9c-9151-98feff7e18ea@mtcc.com> <CAHej_8m0OWsTt+tcSgUh+Fxu=HH_57nsb2O1Q_fgA2453ceh4g@mail.gmail.com> <140485eb-020f-4406-3f2f-e2c475ea51e5@mtcc.com> <CAHej_8mApfoF2ORgL+DoYTanrdhMjvT9H27kORwLKCQc1C9sRw@mail.gmail.com> <5588dbbe-b876-ed80-c80f-792380e3718f@mtcc.com> <CAHej_8=kW_t_JkOxUud1Uz8+PrbMh5CfwfxZK=mhe0wjW8wQpw@mail.gmail.com> <54dd9978-bcd1-6757-ad27-dcef6db6e5f7@mtcc.com> <CAHej_8kCi=7oqojDH_rbjn7kRg-PTDJWLgcKTGK9z-baUnKeMw@mail.gmail.com> <ef32de1e-d47e-1d0f-3cec-5994c7fdb7ae@mtcc.com> <CAHej_8kjSsQK_XEbdjWzV5npa29YjGadzD06Fmx3QLB4p+n_Cg@mail.gmail.com> <937f1019-a028-308d-2a0f-1e720fd49dcd@mtcc.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <d8014c2a-c1c9-9eac-e64a-5f285bab7fd3@tana.it>
Date: Wed, 30 Dec 2020 10:42:36 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <937f1019-a028-308d-2a0f-1e720fd49dcd@mtcc.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/iWveRQ53XlFSl_CZwLfoqbbaKDs>
Subject: Re: [dmarc-ietf] auth-res vs. dmarc
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Dec 2020 09:42:43 -0000

On Tue 29/Dec/2020 22:02:20 +0100 Michael Thomas wrote:
> On 12/29/20 12:47 PM, Todd Herr wrote:
>>> Unless those values in parens are a MUST requirement, the dmarc=fail is 
>>> highly misleading.


I agree with Michael here.  When a (trusted) dmarc=fail is seen downstream, its consumers neither know what policy was specified nor whether it was honored.


>> We're going to have to agree to disagree here. I had no hand in writing RFC
>> 7601 or its predecessors, but I believe DMARC is covered under "Extension
>> Methods" in section 2.7.6 (https://tools.ietf.org/html/rfc7601#section-2.7.6)
>> and "Email Authentication Results Names" in section 6.6 


By convention, each method specifies the same meanings for the same result names.  Yet, methods can have unique codes, for example softfail.  If you look at IANA table[*], the meaning of dmarc method is referred to [RFC7489] section 11.2.  That section does indeed give the definition of "fail" that Todd has extensively described.  However, we are going to obsolete that document, so redefining result names is not out of our reach.


[*] https://www.iana.org/assignments/email-auth/email-auth.xhtml#email-auth-result-names


>> As for the parenthetical bits, I believe they too are covered in RFC 7601 
>> section 2.7.6:


For parenthetical info to be machine readable, A-R consumer software has to be dedicated to A-R producer.  An blatant standardization shortcoming.


> [...] So that's useless for the MUA trying to use auth-res. You would
> never display a DMARC FAIL or fail of any kind for p=none. It doesn't
>  make sense to the user. Likewise, even if we're talking about a
> downstream MTA parsing the auth-res, it will be useless to it as well
> because it has the same problem not knowing the context of the
> "failure".

That is especially true for quarantine.  As DMARC is often verified by a filter during the SMTP exchange, the filter has to commission the MDA to possibly honor a quarantine request.  In order to do that, the filter needs to communicate the results of authentication to the delivery agent.  Not using A-R for this task, or resorting to parenthetical info, is preposterous.

I propose to add two new result name codes, named after the policy requests:

    dmarc=quarantine, and

    dmarc=reject (of course, you only see this if the filter didn't honor the request).


Best
Ale
--

v2.23.0 | Report a Bug | By Email