Re: [dmarc-ietf] Improving feedback using additional status codes

Dilyan Palauzov <Dilyan.Palauzov@aegee.org> Sun, 26 May 2019 06:27 UTC

Return-Path: <Dilyan.Palauzov@aegee.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B87A2120099 for <dmarc@ietfa.amsl.com>; Sat, 25 May 2019 23:27:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lMWRGoVF6cG for <dmarc@ietfa.amsl.com>; Sat, 25 May 2019 23:27:44 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7F1A120048 for <dmarc@ietf.org>; Sat, 25 May 2019 23:27:43 -0700 (PDT)
Received: from mail.aegee.org (localhost [127.0.0.1]) by mail.aegee.org (8.15.2/8.15.2) with ESMTP id x4Q6Rbp9017615; Sun, 26 May 2019 06:27:37 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1558852058; i=dkim+sm-localhost@aegee.org; r=y; bh=jQkqRwpM07V3Awu8dKhrVtsAzuaWZigpfzyc3/ZJtTQ=; h=Date:From:To:Cc:Subject:In-Reply-To; b=QnownvTD7K9nuLdFD3AaOiYoYQyFB2z2IaaIZKypsXE9wOzLcSDgMg3E1EksWBUs0 +NVhomRJdCkRqeCE9ZcETRw7eI9j5G/p64j04Ih+lX7V1qaXHhBZedK9k5F2qscnM/ K9RkolXZEnjmTFQjZVaxvmG9DpEJwkBt+ws7u76oPkMDai0cpkVc2LjrpAjqlsUHIq XV94pWMb7xxmuu8a3v/BO1XBb1k1DUQQpHt08zJaoqZVG0Yj98AxIZZK8PdcrW1iGm zphgF414HJHXJIKDAR76Dkwvi1FQW1B5cLv8Zh75A54lnUB79z5mciZHbLZgbDx4IN cyc71o9k9gHFcdqVXR1OrE/TAb9onll9bZjfvl5yPWIQeYnNunOaxniiQmZ/x+86AT Mx8Uj7LRP92vsoR8BYecyH7hDhB6CbnqQPX48ilO1Da9iSmf1wRTE5mYGu1hOumL53 DqDXLcoBrcniKhZyYB1Y0RU1kv7YpaWclHrIBHRGPLKFa5QrxNIN26praNmHTWo0OI C1uc2d57PBLRyjzIZpbbLsw67SxRbBNl9P/dvtlmDg58IrMSHKlCoic38Yblkd+/hy ZWhk60nr9J9rNWTc82pZJFVxHMMXP6fwQdUe74Vy+pxH1vq0ZYdXT2Tf61AbQgZeI6 Vc0CBzTopbW17azb5KCIESUw=
Authentication-Results: mail.aegee.org/x4Q6Rbp9017615; dkim=none
Received: from 87-118-146-153.ip.btc-net.bg (87-118-146-153.ip.btc-net.bg [87.118.146.153]) by webmail.aegee.org (Horde Framework) with HTTPS; Sun, 26 May 2019 06:27:37 +0000
Date: Sun, 26 May 2019 06:27:37 +0000
Message-ID: <20190526062737.Horde.9pyk978ud1nkcO9wThyPbab@webmail.aegee.org>
From: Dilyan Palauzov <Dilyan.Palauzov@aegee.org>
To: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
Cc: dmarc@ietf.org
In-Reply-To: <1ee3bd2ebd204746a0d0641e186ca8a8@bayviewphysicians.com>
User-Agent: Horde Application Framework 5
Content-Type: text/plain; charset="utf-8"; format="flowed"; DelSp="Yes"
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.2 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jSi6Gzb7ealJ9rRUkP1Vd_cGZ9Q>
Subject: Re: [dmarc-ietf] Improving feedback using additional status codes
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 May 2019 06:27:46 -0000

Hello Douglas,

RFC 7372 describes these status codes.  To my knowledge these are not used.

SPF helps DMARC with MTAs which cannot include a DKIM signature under some circumstances (e.g. in bounces).  In all other cases SPF does not provide added value over DKIM.

If you want errors about failed DKIM validation, remove the SPF records, set the DMARC policy to reject and scan your logs for rejected messages to see on which messages DMARC/DKIM have failed.

Regards
   Дилян

----- Message from "Douglas E. Foster" <fosterd@bayviewphysicians.com> ---------
     Date: Sat, 25 May 2019 15:42:57 -0400
     From: "Douglas E. Foster" <fosterd@bayviewphysicians.com>
Reply-To: fosterd@bayviewphysicians.com
  Subject: [dmarc-ietf] Improving feedback using additional status codes
       To: dmarc@ietf.org


> The genius of DMARC, as compared to DKIM and SPF alone, is the feedback
> component.   Unfortunately, sender authentication remains challenged by
> these issues:
> - Limited deployment of DMARC feedback between senders and receivers.
> - Significant levels of SPF and DKIM validation errors, on legitimate
>   mail, even when indirect mail is not involved.  Handling false positives
>   becomes a significant obstacle to implementation of Sender Authentication
>   by receivers.
> - When the sender has not implemented DMARC, the recipient has difficulty
>   communicating with the sender about Sender Authentication problems.
>   Finding a knowledgeable employee is difficult and time consuming, so it
>   will rarely be attempted.  (And I have tried it.)
>  I propose two improvements to deal with this issue.  The first is to
> define another feedback mechanism using message reception status code.
> The second is intended to reduce DKIM verification errors, and will be
> posted later.
>
>  PROPOSAL
>
>  When a recipient detects an SPF or DKIM problem, it can provide immediate
> feedback to the sender with message status codes.  I think these are a
> complete list of the conditions which would need a result status defined.
> The approach should be entirely upward-compatible with the existing
> infrastructure.
>
>   Message Success with SPF warning
>     - Accepted despite SPF=NONE & Source IP not in MX list
>     - Accepted despite SPF=NEUTRAL
>     - Accepted despite SPF=SOFTFAIL
>     - Accepted despite SPF=FAIL
>     - Accepted despite SPF TempError
>     - Accepted despite SPF PermError
>   Message PermFail because of SPF
>     - Rejected because of SPF=NONE & Source IP not in MX list
>     - Rejected because of SPF=NEUTRAL
>     - Rejected because of SPF=SOFTFAIL
>     - Rejected because of SPF=FAIL
>     - Rejected because of SPF TempError
>     - Rejected because of SPF PermError
>   Message TempFail because of SPF
>     - TempFail due to SPF TempError
>
>   Message accepted despite DKIM
>     - Accepted despite DKIM PermError
>     - Accepted despite DKIM TempError
>   Message PermFail because of DKIM (not recommended)
>     - Rejected because of DKIM PermError
>     - Rejected because of DKIM TempError
>   Message TempFail because of DKIM
>     - TempFail because of DKIM TempFail
>
>  Since DMARC evaluation is based on SPF and DKIM evaluated together, the
> above codes would seem applicable even with DMARC enforcement.   I think
> these additional codes should be sufficient:
>     - DMARC PermError (invalid policy record)
>     - DMARC TempError (problem retrieving policy record.)
>  Is this reasonable?
>
>  Doug Foster


----- End message from "Douglas E. Foster" <fosterd@bayviewphysicians.com> -----
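An added example, written for this archive page and not taken from either message above: the receiver-side mapping Dilyan points to, from SPF/DKIM/DMARC verdicts to the enhanced status codes RFC 7372 already defines (X.7.20, X.7.22, X.7.23, X.7.24, X.7.26). The simplified RFC 8601 Authentication-Results parser, the strict (exact-domain) alignment rule, the constructed sample headers, the decision to defer with the generic 4.7.0 when the DMARC policy lookup fails (RFC 7372 has no DMARC-specific code) and the choice of class digit 4 for transient errors are all assumptions of this example, not anything the thread or the RFC mandates.

```python
"""Map SPF/DKIM/DMARC verdicts to RFC 7372 enhanced status codes.

Added example, not code from the mailing-list post. It parses a simplified
RFC 8601 Authentication-Results header, applies strict DMARC alignment and
picks the SMTP reply a receiving MTA could send. It does no DNS lookups:
the author domain's DMARC policy (p=) is passed in by the caller.
"""
import re
from dataclasses import dataclass, field

# RFC 7372 section 3 codes. RFC 7372 writes the class as "X"; this example
# uses 4 for transient (DNS) errors and 5 for permanent failures.
ESC = {
    "spf_failed":      ("7.23", "SPF validation failed"),
    "spf_error":       ("7.24", "SPF validation error"),
    "no_passing_dkim": ("7.20", "No passing DKIM signature found"),
    "no_author_dkim":  ("7.22", "No valid author-matched DKIM signature found"),
    "multiple_failed": ("7.26", "Multiple authentication checks failed"),
}

_RESULT_RE = re.compile(r"^(?P<method>[a-z0-9-]+)\s*=\s*(?P<result>[a-z]+)(?P<rest>.*)$", re.I)
_PROP_RE = re.compile(r"\b(?P<ptype>[a-z]+)\.(?P<prop>[a-z_-]+)\s*=\s*(?P<value>[^\s;()]+)", re.I)


def parse_authentication_results(header):
    """Return (authserv-id, [(method, result, {"ptype.prop": value}), ...]).

    Parenthesised comments such as "(4096-bit key)" are discarded first.
    """
    value = re.sub(r"\([^)]*\)", "", header)
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0]
    results = []
    for part in parts[1:]:
        m = _RESULT_RE.match(part)
        if not m:
            continue
        props = {f"{p['ptype']}.{p['prop']}".lower(): p["value"]
                 for p in _PROP_RE.finditer(m["rest"])}
        results.append((m["method"].lower(), m["result"].lower(), props))
    return authserv_id, results


@dataclass
class Reply:
    code: int          # basic SMTP reply code
    status: str        # enhanced status code (RFC 3463 format)
    text: str
    quarantine: bool = False
    warnings: list = field(default_factory=list)  # ESC keys for "accepted despite" cases


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def smtp_reply(header, from_addr, dmarc_policy):
    """dmarc_policy is "none", "quarantine" or "reject", or None when the
    DNS lookup of the author domain's policy record hit a temporary error."""
    _, results = parse_authentication_results(header)
    author = _domain(from_addr)
    spf = [(r, p) for m, r, p in results if m == "spf"]
    dkim = [(r, p) for m, r, p in results if m == "dkim"]
    spf_result, spf_props = spf[-1] if spf else ("none", {})
    passing_dkim = [p for r, p in dkim if r == "pass"]

    # DMARC passes when either identifier is aligned (strict mode: exact match).
    spf_aligned = spf_result == "pass" and _domain(spf_props.get("smtp.mailfrom", "")) == author
    dkim_aligned = any(p.get("header.d", "").lower() == author for p in passing_dkim)
    if spf_aligned or dkim_aligned:
        return Reply(250, "2.0.0", "OK")

    permanent, transient = [], []
    if spf_result in ("fail", "softfail"):
        permanent.append("spf_failed")
    elif spf_result == "permerror":
        permanent.append("spf_error")
    elif spf_result == "temperror":
        transient.append("spf_error")
    if passing_dkim:                      # signatures verify, but none by the author domain
        permanent.append("no_author_dkim")
    elif any(r == "temperror" for r, _ in dkim):
        transient.append("no_passing_dkim")
    else:                                 # none, fail, permerror or no signature at all
        permanent.append("no_passing_dkim")
    problems = permanent + transient

    if dmarc_policy is None:
        # RFC 7372 defines no DMARC code; deferring with the generic X.7.0
        # (RFC 3463 "other or undefined security status") is this example's choice.
        return Reply(451, "4.7.0", "DMARC policy lookup failed, try again later", warnings=problems)
    if dmarc_policy in ("none", "quarantine"):
        # Accepted despite the failures: the warnings list is what you would
        # log or feed into aggregate reports.
        return Reply(250, "2.0.0", "OK", quarantine=(dmarc_policy == "quarantine"), warnings=problems)
    if transient:                         # p=reject, but a retry might pass: defer
        num, text = ESC[transient[0]]
        return Reply(451, "4." + num, text)
    key = "multiple_failed" if len(permanent) > 1 else permanent[0]
    num, text = ESC[key]
    return Reply(550, "5." + num, text, warnings=permanent)


if __name__ == "__main__":
    # Constructed sample: SPF fails, no DKIM signature, author domain publishes p=reject.
    hdr = "mx.example.net; spf=fail smtp.mailfrom=spoof@example.com; dkim=none"
    r = smtp_reply(hdr, "ceo@example.com", "reject")
    print(f"{r.code} {r.status} {r.text}")
```

The "accepted despite" outcomes Douglas lists cannot be carried in an RFC 7372 code, since those codes are only defined for failures; here they surface as the warnings list on a 250 reply, which is the data a receiver would log or aggregate. Note that the real header from this very message (dkim=pass with header.d=aegee.org, author domain aegee.org) is aligned and yields a 250 regardless of the policy, while a message whose only passing signature is from an ESP domain gets 5.7.22 under p=reject, and any temporary DNS error under p=reject is deferred rather than rejected so that a retry can succeed.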