IETF Logo Mail Archive

Re: [dmarc-ietf] Example of Indirect Mail Flow Breakage with p=reject?

Jesse Thompson <zjt@fastmail.com> Thu, 06 April 2023 23:40 UTC

Return-Path: <zjt@fastmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7969C15C2B6 for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2023 16:40:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level:
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmail.com header.b="bywPN2WL"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="H4+y+cZa"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V7K4sWqKOqG1 for <dmarc@ietfa.amsl.com>; Thu, 6 Apr 2023 16:40:31 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE6ECC15C289 for <dmarc@ietf.org>; Thu, 6 Apr 2023 16:40:31 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 9B58A5C006D; Thu, 6 Apr 2023 19:40:28 -0400 (EDT)
Received: from imap42 ([10.202.2.92]) by compute1.internal (MEProxy); Thu, 06 Apr 2023 19:40:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:sender :subject:subject:to:to; s=fm2; t=1680824428; x=1680910828; bh=OR Xo9f+ERnjUew2OXMisFcZBFDD1IwO1+nGJzMf1oKs=; b=bywPN2WLxe6iHiHu0S 9lF04xS0S0yqfg8he/wcKmskeKMYn3zBbcemLtCFIPsn7JLt1lrEBL+qZM6UmH78 YSolXPqaHUT7f5mwxzmji5grl6yuoAie4rDZtmXCaXKdj9ntanmr6y/A0n9RrQAo XRp7/wRhg/WuEXuY8Py0hpLJMZpArAKJ3aUnrjr+EdaRVdiEn1mHRz/ctZhXvM6S ZL9OMgF5ieGOTDcUy4lLOXUfSKrODsVq/Y44mAXg5K3M3Dn9sS/zsYb8GNEMz+0b 81YN2Zl0/s5WTh1LfncsE8krkDRtZyjKL1uT1YjoOA5d1v/p2ktZ2bwgeUe0RMDQ LX7Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; t=1680824428; x=1680910828; bh=ORXo9f+ERnjUe w2OXMisFcZBFDD1IwO1+nGJzMf1oKs=; b=H4+y+cZaRj9CRZxi16gpBbMCAU0Bv +rbfXZaj1yBMuQ01pWJGQdzbEwK0kUnPIyiEzevGUIiEP19GUpzJMkolhw3BNKXk dTXw3fCaHfMHc1FTpipJ1bVa3CnsmK8F2/OvP8hFjUFMRg4o5VxlL4KhPAfp6Kuu 7bzHtynt6/ZAkaHqqrb+vbqFSlAe1f38eucq9fIyUmw2Hksl1Rn+pGIe+OivcHRf kBMvumeOof/3v+4SibHmyLvDeZoFgLoF68mJv8gbhEMvndxm6GLtgulK2opXHofi FijtySoymLCzZZ+9fI17Atqifgl+DapmYsock9tdSuIifEWAumOCwNFdQ==
X-ME-Sender: <xms:bFgvZKx_LQZvOSUmRrL7jsL1LsQ_vUtJT9Ve-hLdrd-GgCxH7j3ygg> <xme:bFgvZGQAmqQ0WdWwU-C2CZ0QRQAy5J-NYf0SU_ZSkXLza4Ebe2ZXS_Yovft9wMctq wWt_JOcANEt-nOW0jU>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvhedrvdejgedgvdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvvefutgesrg dtreerreerjeenucfhrhhomhepfdflvghsshgvucfvhhhomhhpshhonhdfuceoiihjthes fhgrshhtmhgrihhlrdgtohhmqeenucggtffrrghtthgvrhhnpedufeeuieeggfdvheekhe egiefggffgvdelffdvhfeutdekfffhfeekfeeuveegveenucffohhmrghinhepihgvthhf rdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomh epiihjthesfhgrshhtmhgrihhlrdgtohhm
X-ME-Proxy: <xmx:bFgvZMVafH2j3mNOQUKwU_DbcqQ74XPAsTFYmk_Gs86P_GnnuJWZcw> <xmx:bFgvZAgQ_-8rE39PJjgZeR6si6Bt7iuVq5cmrgwJ4sB9iHbCmy9MMw> <xmx:bFgvZMDHpEukapf3ZjiLls_Bk7Y2i5ba0wyruvGPKh-8fSIMrH4-Gg> <xmx:bFgvZL9bUHg8DFEUmWUBfIPg4rlPwYyjRRsSyirVmdCwGlhR2LNrow>
Feedback-ID: i1a614672:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 5E486BC0089; Thu, 6 Apr 2023 19:40:28 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.9.0-alpha0-334-g8c072af647-fm-20230330.001-g8c072af6
Mime-Version: 1.0
Message-Id: <4b2435e2-2c63-4a29-8b36-e201a826f21b@app.fastmail.com>
In-Reply-To: <CAL0qLwZUnPzyEwBp6yXrGJyyj8voKM7B3ENFgC+FiW_p39GCAQ@mail.gmail.com>
References: <20230330011606.90C41B6CA4A5@dhcp-8e64.meeting.ietf.org> <64270119.2030207@isdg.net> <f10d8d59-8420-4d5b-9091-b1bc42d858c9@app.fastmail.com> <CAL0qLwZUnPzyEwBp6yXrGJyyj8voKM7B3ENFgC+FiW_p39GCAQ@mail.gmail.com>
Date: Thu, 06 Apr 2023 18:39:22 -0500
From: Jesse Thompson <zjt@fastmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="40c27967dc314130905383dd359261b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jX1CBzUyhYjj1aQGdrV79bcfj2k>
Subject: Re: [dmarc-ietf] Example of Indirect Mail Flow Breakage with p=reject?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Apr 2023 23:40:36 -0000

On Thu, Apr 6, 2023, at 11:43 AM, Murray S. Kucherawy wrote:
> 
> 
> On Sat, Apr 1, 2023 at 3:13 PM Jesse Thompson <zjt@fastmail.com> wrote:
>> __
>> I just read https://datatracker.ietf.org/doc/rfc6541/ (or, re-read, I can't remember)
>> 
>> I'm struggling to understand how ATPS is significantly better than delegation via DKIM CNAME records. I can see that it's simpler for a domain owner because they need only set 1 ATPS record vs. sometimes 3 CNAME records (for key rotation). But that's not enough to justify adoption.
> 
> ATPS is Experimental.  I don't think it's a serious candidate for solving the DMARC problem.  There's also a "conditional signatures" draft floating around someplace.

I'm just spit balling experimental ideas, of course, under the assumption of my prior statement, which was something along the lines of: equipping domain owners with more fine-grained delegation capabilities would reduce the amount of p=reject breakage for perpetual mixed-use domains.


> To answer your question, ATPS was among other things a substitute for delegation via CNAME when the author domain doesn't want to give some other party the ability to generate its own signatures as the author domain.  There was never, at the time it was written, a demand for doing this at a user level.  Also, DKIM has never been tied to specific individual email addresses because there's no reliable way for an external entity to verify that the email address is even real, much less meaningful within the domain.  This was ultimately why use of "i=" in the DKIM signature never really took off.

If my understanding is correct, the "i=" in the signature can be arbitrarily set by the signer, which already has delegated authority of the entire domain, so what's the purpose of setting it? That [lack of purpose] seems like a more likely reason it never took off (if I had to make a wild guess)

I don't think that particular usage of "i=" is an apt comparison to a domain owner delegating [via some DNS record] signing authority for a single address. 

The DNS entry could reference any 'non-real' address, of course... until it is seen in the rfc5322.from and the receiver finds the DNS entry, at which point it becomes as real as the domain owner intended it to be used by the signer for that purpose.

Jesse

v2.23.0 | Report a Bug | By Email