[dmarc-ietf] Priming the Pump for Discussion - Ratchets
Todd Herr <todd.herr@valimail.com> Tue, 06 July 2021 12:45 UTC
From: Todd Herr <todd.herr@valimail.com>
Date: Tue, 06 Jul 2021 08:45:35 -0400
Message-ID: <CAHej_8=yvgXP2WgHayhGU2Hg2E0RcNgZBFjfw1cM-qKWkTG-+w@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Greetings.

The theoretical goal of any domain owner that publishes a DMARC record is to transition from an initial policy of p=none to a final one of p=reject, because it is only at p=reject that DMARC's intended purpose of preventing same-domain spoofing can be fully realized. Many domain owners see the transition from p=none to p=reject as a black box, in that they believe they have no way of knowing what the full impact of such a change might be on their mail, and they fear irreparable harm to their mail if they make a mistake.

The designers of DMARC anticipated this fear, and built several different transitional states, or ratchets, into the protocol, including:

- The "pct" tag (https://trac.ietf.org/trac/dmarc/ticket/47)
- The "sp" tag (https://trac.ietf.org/trac/dmarc/ticket/48)
- "quarantine" as a value for "p=" (https://trac.ietf.org/trac/dmarc/ticket/39)

All of these are designed to allow the domain owner to request that some, but not all, of its mail be held to stricter authentication standards so that the domain owner can dip a toe in the water before jumping in.

The ratchets have introduced some problems, though:

- The 'pct' tag doesn't exactly work like it's intended to, and really can't because of the nature of mail flow, unless there is a high volume of failed authentication for the domain in question. (There is a much longer discussion of this in section 6.7.4, Message Sampling, of draft-ietf-dmarc-dmarcbis-02.)
- Some domain owners have taken a "more is more" approach to ratchets, figuring if one is good, all are better, resulting in needlessly complicated policy records.

The purpose of this email is to get folks thinking about possibly simplifying the ratchet mechanisms, perhaps boiling them down into one. This thinking and on-list discussion on this topic would serve as a precursor to further face-to-face discussion at the next interim working group meeting.

I'll start the discussion by taking an extreme position...
Ratchet mechanisms don't help in any way that a short TTL on your DMARC record won't help, and in fact you need the short TTL on your record anyway, because if you're trying a ratchet mechanism and find it's too much, you still gotta update DNS to roll it back.

Getting to p=reject isn't a difficult undertaking, at least from a technical standpoint. Enumerate all your mail streams, ensure that they're authenticating properly, and boom, you're done. The proper tools for doing that are p=none, a rua tag pointed at a mailbox that is parsed by automated means, active daily monitoring of the data consumed in those aggregate reports (so that mail streams can be enumerated and authentication problems addressed), and time. Time is the big one here, because sufficient time must elapse to ensure that all of your legitimate mail streams are exercised and reported upon, and that can take many months in large organizations or at companies that are in the business of seasonal email sending.

The big challenge to fixing authentication issues, especially in large organizations, is usually in just finding who owns the host/process that's generating that unauthenticated mail. That can add time to the process, but once you've enumerated them all, updated your SPF record and/or made sure they're all properly DKIM signing, you can skip right from p=none to p=reject.

I look forward to lively conversation...

--
Todd Herr | Technical Director, Standards and Ecosystem
e: todd.herr@valimail.com
m: 703.220.4153
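As an added illustration, not part of Todd Herr's message, here is a small Python evaluator for the three ratchets the message lists (p=quarantine, sp, pct). It applies the RFC 7489 rules: sp overrides p for subdomains of the organizational domain, and a message that falls outside the pct sample is held to the next less strict policy (reject becomes quarantine, quarantine becomes none). The two records and the example.com domains are constructed for the example.

```python
import random

# Constructed sample records: a layered "more is more" record beside the
# simple p=reject record the message argues a domain owner can jump to.
RATCHETED = "v=DMARC1; p=quarantine; sp=reject; pct=50; rua=mailto:dmarc-rua@example.invalid"
SIMPLE = "v=DMARC1; p=reject; rua=mailto:dmarc-rua@example.invalid"

# RFC 7489 section 6.6.4: messages outside the pct sample get the next
# less strict policy.
DOWNGRADE = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record ("tag=value; ...") into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError("pct must be between 0 and 100")
    return tags


def effective_policy(tags, from_domain, org_domain, sample):
    """Return the policy a receiver applies to one message.

    `sample` is the receiver's draw in [0, 100); the message is subject to
    the published policy only when sample < pct.  For a subdomain of the
    organizational domain, sp (if present) replaces p.
    """
    is_subdomain = from_domain != org_domain
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if sample < int(tags.get("pct", "100")):
        return policy
    return DOWNGRADE[policy]


def evaluate(record, from_domain, org_domain, rng=random):
    """Parse a record and apply it to a message with a random pct draw."""
    tags = parse_dmarc(record)
    return effective_policy(tags, from_domain, org_domain, rng.randrange(100))
```

Running the ratcheted record across the org domain, a subdomain and both sides of the pct draw yields four different outcomes, which is the complexity the message suggests collapsing into one mechanism.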