[dmarc-ietf] WGLC contentious topics (I'm in the rough and I know it) in draft-ietf-dmarc-dmarcbis-30
Tero Kivinen <kivinen@iki.fi> Mon, 01 April 2024 10:12 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1E85C14F68F for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2024 03:12:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.799
X-Spam-Level:
X-Spam-Status: No, score=-2.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JcEprhQjdlCA for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2024 03:12:05 -0700 (PDT)
Received: from lahtoruutu.iki.fi (lahtoruutu.iki.fi [185.185.170.37]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14DB4C14F5E7 for <dmarc@ietf.org>; Mon, 1 Apr 2024 03:12:03 -0700 (PDT)
Received: from fireball.acr.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: kivinen@iki.fi) by lahtoruutu.iki.fi (Postfix) with ESMTPSA id 4V7RdD5PX0z49Ptk; Mon, 1 Apr 2024 13:12:00 +0300 (EEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1711966320; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=eSIgNcSPNATWiZH7Jwwwp61iE/QBhXludJRMkri6K2o=; b=oQtdtQt0ItjzLi8EsUsKhK/aY7+vqdEyFjKk4Sevz3f1Kqa8d/+AEohFA0ZlZIT0q7QUfA iatSYfkr/bSZ58EhLUE8NAUE5w8OS9dgad2Z4ZZ7idEBCmswYJDxd1dcJP2kSyAj+ulbEW jPbL+b/1mZFR/nyscDVzZtVhdEZyMKyK/8Z1T4AzVxtlc0xrvYOn+yclXgcsCXAcamVmzC WudhxbFPhjmSJFRGTMXPZT3nGpnzl3VNij1e+Rxo4XhhmMGcGd0a5HgjA7ol/Z7qD9rrPb FvRitVqTsx5T/XhLiC3T0oeLO8nTiYe/OQKmj+7uEuFClSpV11UTWQkKcFZKiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=lahtoruutu; t=1711966320; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=eSIgNcSPNATWiZH7Jwwwp61iE/QBhXludJRMkri6K2o=; b=NiBd6Xd/E1DEpWTlpSCk6gqy0sRCs4+CV09WtdnGnFQ8vRdGrin1bWw5W2Ean47WOe6Thw vvayIdd+wCLJfSLWdUUZaX/omroWZO5z3TyD7vX2ELT7frb75y4VGDdPw61zdoO4rEOd/R yOYpzISw86xcgdrAxrHnl7lsMHdS8h/ddu4AkvvYiim2IdTHTTuSEuKJh42TeiNP1yvWb6 rMSbwB62RH84Mi00lzTq336NVW19diAusJ8vX5UZSAjXC0KsAeg0kcPy5qHpOpuOBNKtl+ WESYUhmRAhOqAp5GO/nGZiXvhXnWQYRqPWGirtJWgqTPahc2sdUdZun/bEc+Ng==
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=kivinen@iki.fi smtp.mailfrom=kivinen@iki.fi
ARC-Seal: i=1; s=lahtoruutu; d=iki.fi; t=1711966320; a=rsa-sha256; cv=none; b=eTkKirdTFkxwi9sE/bBGh/J44sNBUYyDSniY2/qaHElADB2pGg3BXZm5uB1JeQcrd6JWFE y3CJRiBktN8Kfb9LMrrWuxJwX/6iGYCzqbrq7KdgxoPjfiStPq0SEP7FpkLYYvkCmrYZe/ X24GXEmj4u9KJgwRsdEsUqbzUudKjuVYyqYz83OasxF3jlnwK8/CxTpyRmBDE+OT3RLHs1 9ZScihl1SpKzrZ0G+9xVQ2JXPkS4lQ+LcOAhu8FfNPFxRhVzkfMr+DpV31rGUJ5idlrsDX pZrnpfdNeB0/qCGa4sFyMU/kcIqCLu57CC4AHQ0xCWpngWFab5GooevwN0dLwQ==
Received: by fireball.acr.fi (Postfix, from userid 15204) id 3E7DC25C130F; Mon, 1 Apr 2024 13:12:00 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-ID: <26122.34927.784667.704724@fireball.acr.fi>
Date: Mon, 01 Apr 2024 13:11:59 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Seth Blank <seth=40valimail.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
In-Reply-To: <CAOZAAfPmjD--xBzLbwtD5uzr_gubKDYz7sHiPufML1JbYU8=4Q@mail.gmail.com>
References: <CAOZAAfPmjD--xBzLbwtD5uzr_gubKDYz7sHiPufML1JbYU8=4Q@mail.gmail.com>
X-Mailer: VM 8.2.0b under 26.3 (x86_64--netbsd)
X-Edit-Time: 11 min
X-Total-Time: 11 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/iX9wvxstdyL01kIazDJmM2aYDrQ>
Subject: [dmarc-ietf] WGLC contentious topics (I'm in the rough and I know it) in draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 10:12:09 -0000
Seth Blank writes: > In order from most to least contentious: > > 1. 8.6. Interoperability Considerations > > "It is therefore critical that domains that host users who might > post messages to mailing lists SHOULD NOT publish p=reject." > > While this advice represents consensus, it does not represent > operational best practice, nor where the market is moving to stop > fraud and abuse. DMARC is becoming increasingly required at the > major mail receivers, and messages that cannot get a DMARC pass are > increasingly likely to get rejected outright. This language feels > like it is creating an even worse interoperability problem-- giving > guidance to people that will guarantee their mail gets rejected by > major mail systems. These DMARC mandates arose after consensus was > called, and have changed the playing field materially. > > More accurate language that alleviates the concern would be "It is > therefore critical that domains that host users who wish for their > messages to be modified and spoofed by downstream intermediaries, > such as alumni forwarders or mailing lists, SHOULD NOT publish > p=reject. Such spoofed messages may still be rejected, regardless of > a domain owner's published DMARC policy." I do not think the text above is more accurate, I think is mostly wrong. The current text in the draft is correct (or even better would be to say MUST NOT, but I think we lost that consensus call). The only reason intermediaries might be considered to be "spoofing" anything is because of the use of SPF. It is completely possible to implement mail forwarding which keeps DKIM valid, thus DMARC is still fine, but there is no way to keep SPF valid, and as not everybody implement DKIM this will cause mails to be rejected. But we lost that battle to remove SPF in the dmarcbis too... I think we should keep the current text. > 3. 4.4. Identifier Alignment Explained > > Since then, we've discussed two other removals -- relying on SPF at all, and > not worrying about mailing list traffic at all -- both of which affect more > mailflow and deployment than strict alignment. If we're willing to seriously > discuss things that affect more mail, should we not also review the need for > strict alignment? I myself would like to get both SPF and strict alignment to be removed from the draft. Some adminstrators are still going to use the SPF regardless what DMARC says, and some of them are already using it before DMARC which means they do not care about DMARC they only care about SPF, and there is nothing we can do for them (execpt we could say they are not compliant with DMARC). > I also don't think we really reviewed strict alignment after > incorporating the tree walk into the document. Most of the uses for > strict alignment were in the "I have a large organization, and want > to make sure one part of the organization cannot spoof another" > camp-- which now the tree walk should have provided a more scalable > solution for. My understanding is that with tree walk and psd=n for the "strict" domain will allow those who want to enforce strict alingment to do so, so there is no point of having two different ways in the draft to archieve same result. I.e., if you want strict alignment, for domain a.mail.example.com, simply publish DMARC record for _dmarc.a.mail.example.com which has psd=n and that will provide you strict alignment. -- kivinen@iki.fi
- [dmarc-ietf] WGLC contentious topics (I'm in the … Seth Blank
- [dmarc-ietf] WGLC contentious topics (I'm in the … Tero Kivinen
- Re: [dmarc-ietf] WGLC contentious topics (I'm in … Baptiste Carvello
- Re: [dmarc-ietf] WGLC contentious topics (I'm in … Murray S. Kucherawy
- Re: [dmarc-ietf] WGLC contentious topics (I'm in … John Levine