IETF Logo Mail Archive

Re: [dmarc-ietf] non-mailing list use case for differing header domains

Alessandro Vesely <vesely@tana.it> Wed, 29 July 2020 08:54 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 263063A0C3F for <dmarc@ietfa.amsl.com>; Wed, 29 Jul 2020 01:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.121
X-Spam-Level:
X-Spam-Status: No, score=-2.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V81GbuWRSWc9 for <dmarc@ietfa.amsl.com>; Wed, 29 Jul 2020 01:54:08 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A55F3A0836 for <dmarc@ietf.org>; Wed, 29 Jul 2020 01:54:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1596012846; bh=pxh0gPhdEigKzZizueSAIhX+v4LPqnggmmXsDyhlX+Y=; l=1518; h=To:References:From:Date:In-Reply-To; b=BSXo6cbb6WrYdfQBgUAnhd77RJxxolNZHXdZHXH2gWMKaowiWeXDmvpaEEcGeiDY0 VpBHUr0Mgj844ThoXfi0pVcUK3Vav38Ati1InqaAK6F11IloGzVzJVKh40twxsWdKY 8jgfYFgxxHxK+0YcKdzJrF6GCBbB2uqKgzHMcnWu/vL2xnrXTM+ucRH1LTGL8
Authentication-Results: tana.it; auth=pass (details omitted)
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC08B.000000005F21392E.00002C82; Wed, 29 Jul 2020 10:54:06 +0200
To: dmarc@ietf.org
References: <BY5PR13MB29998094418C8A6C25902569D7730@BY5PR13MB2999.namprd13.prod.outlook.com> <20200728173716.068CB1D9840C@ary.qy> <CAHej_8na3MLm1i4AZzgbL=7EZ7QBX8OvSB4BOqHg-1osBc4H_w@mail.gmail.com> <655df0e7-4fef-e441-9a57-df4a10aa1fa3@taugh.com> <CAHej_8mztD91jeSA3S=ypdJO7B+9AhM+2ox=mhWOfz--3b0Aog@mail.gmail.com> <BY5PR13MB29993AD874B3A34BA088D87BD7730@BY5PR13MB2999.namprd13.prod.outlook.com> <b5a41a23-db61-375d-1784-9f96ba53d765@taugh.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <ab6e3c1b-0613-8ffb-0644-26d806924c8f@tana.it>
Date: Wed, 29 Jul 2020 10:54:05 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
MIME-Version: 1.0
In-Reply-To: <b5a41a23-db61-375d-1784-9f96ba53d765@taugh.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jQlUhE-ijiWeb1CybKy6367eVn8>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Jul 2020 08:54:10 -0000

On Tue 28/Jul/2020 23:23:24 +0200 John R Levine wrote, quoting Autumn:
>> To Todd's point, I think the answer on which policy would be applied at least 
>> needs to be predictable. If one receiver chooses one policy and a different 
>> receiver chooses the other policy, that is going to make it significantly 
>> more complicated for complex organizations to implement a DMARC p=reject or 
>> even p=quarantine policy.
> 
> But it's not predictable now.  Some receivers follow p=reject all the time, 
> some follow it sometimes, some follow it never (me.)


I follow it sometimes, but it would be easier to follow it always.  If it were 
set up correctly, the latter would also be more reliable.

To suggest disposition, I'd add an "snd=" tag in the From: domain's DMARC 
record, having one of the following values:

*none*: Sender: field shall not be considered for messages From: this domain. 
This should be the default, for compatibility with existing settings.

*any*: Accept messages forwarded by any Sender:, provided it validates.

*/reputation domain/*: Supply a domain to be looked up for Sender: reputation. 
If Sender: validates and has a positive reputation, then accept the message.


> I think that in practice the situations where someone else is going to resign 
> your mail with a Sender DMARC policy are narrow enough that most IT departments 
> wouldn't even notice.


Except if setting Sender: to the next trash domain becomes an attack path for 
phishing.


Best
Ale
--

v2.23.0 | Report a Bug | By Email