IETF Logo Mail Archive

Re: [dmarc-ietf] Example of Indirect Mail Flow Breakage with p=reject?

"Murray S. Kucherawy" <superuser@gmail.com> Thu, 06 April 2023 16:43 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F38A1C152A20 for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2023 09:43:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o78RMGhnGMMY for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2023 09:43:37 -0700 (PDT)
Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3764DC152A1E for <dmarc@ietf.org>; Thu, 6 Apr 2023 09:43:37 -0700 (PDT)
Received: by mail-ej1-x62f.google.com with SMTP id l15so2864309ejq.10 for <dmarc@ietf.org>; Thu, 06 Apr 2023 09:43:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; t=1680799415; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=ZgGdeCOOdL5Ohbi2rKFJnht1PxHHTiDfHdigF59ZRGU=; b=q7m+0vEq/+sna/SbRIiBuJlrqNpEfGRFwSxQ42nXBa6RiuBICsWwTERE511cl40VKL zJSso4kS7diUHte97BHYGEpozlc4A1chZ/S3mWLlzZrn7ykcAFObCsAIGylcOB10rOLH sLlmRapmxgLOy1ES2rFdnEdC7Hq3aFYiVV1bUZLrYPtOwP3VuH8YUaNWUVh7uqZuOuv9 dGKUn9wRppLqAlemGZe47F4nNy7UE13HP3JAcbK/xR6xZlcej9drqF0uqooTn9N/VZKL ju4Y6HhlV6XP6RCdaUCmEli6iSK2uGXPlZX7k7F/ljZ0hbYZfJ/ETi9qVG3bYn6mi3+J 1ikA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680799415; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=ZgGdeCOOdL5Ohbi2rKFJnht1PxHHTiDfHdigF59ZRGU=; b=FXHkzRBcjXjxBL+jJ6/h7OqWFUeBYRoeggxEEHzWfIm/IkfUcF0JviCoKemmF6kpGK r4DggWbbdVgS+ixqK6Jkya1Qnunknd9XxY6M+kuEPPO5LVPsSlOT2D3868SDRezMy4/2 xjolnhivWJFcraVAnzV4f8CN60HWKCd7rp9nMgFUUcHaOMxV8/+hq6hzb1MU/BE+5gKg jp2e0hQEYmPGg9BiZo0Q+cspcxR2DLL1UDqVcV2BVKggjjMvPWpUhA/Dd+mdF1koXmkC +c559um7+QfXfBk9CvMTNkP3MSbwAELt+0yL5WTgi8eFHjYvdStxFbPW/l39A6WeX68Q WMDQ==
X-Gm-Message-State: AAQBX9eQEJFHTVY/4AVkljFG+jexiY6tqGNWcaM0wv7bbf9shBeJZ6zE Sts85kz7sFoem90Lp+8AHSVAAYT+Ns8T2hy4y6g=
X-Google-Smtp-Source: AKy350bQJ5dq4CGm0VysSCJ8pEQhhBuNw55nvhj6+1N1bt/pKi6oJTW4mqUv4854n0w/eHXnspiZ0SCkdO1rehHdhsM=
X-Received: by 2002:a17:907:8b8a:b0:947:46e0:9e51 with SMTP id tb10-20020a1709078b8a00b0094746e09e51mr3493932ejc.11.1680799415509; Thu, 06 Apr 2023 09:43:35 -0700 (PDT)
MIME-Version: 1.0
References: <20230330011606.90C41B6CA4A5@dhcp-8e64.meeting.ietf.org> <64270119.2030207@isdg.net> <f10d8d59-8420-4d5b-9091-b1bc42d858c9@app.fastmail.com>
In-Reply-To: <f10d8d59-8420-4d5b-9091-b1bc42d858c9@app.fastmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 06 Apr 2023 09:43:22 -0700
Message-ID: <CAL0qLwZUnPzyEwBp6yXrGJyyj8voKM7B3ENFgC+FiW_p39GCAQ@mail.gmail.com>
To: Jesse Thompson <zjt@fastmail.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="00000000000019a83505f8ad9c85"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jOhrDrkyMCnFLsVMkdBJMTsbFHg>
Subject: Re: [dmarc-ietf] Example of Indirect Mail Flow Breakage with p=reject?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2023 16:43:41 -0000

On Sat, Apr 1, 2023 at 3:13 PM Jesse Thompson <zjt@fastmail.com> wrote:

> I just read https://datatracker.ietf.org/doc/rfc6541/ (or, re-read, I
> can't remember)
>
> I'm struggling to understand how ATPS is significantly better than
> delegation via DKIM CNAME records. I can see that it's simpler for a domain
> owner because they need only set 1 ATPS record vs. sometimes 3 CNAME
> records (for key rotation). But that's not enough to justify adoption.
>

ATPS is Experimental.  I don't think it's a serious candidate for solving
the DMARC problem.  There's also a "conditional signatures" draft floating
around someplace.

To answer your question, ATPS was among other things a substitute for
delegation via CNAME when the author domain doesn't want to give some other
party the ability to generate its own signatures as the author domain.
There was never, at the time it was written, a demand for doing this at a
user level.  Also, DKIM has never been tied to specific individual email
addresses because there's no reliable way for an external entity to verify
that the email address is even real, much less meaningful within the
domain.  This was ultimately why use of "i=" in the DKIM signature never
really took off.

-MSK, participating

v2.23.0 | Report a Bug | By Email