Re: [dmarc-ietf] Trying to understand DMARC in light of Sender/indicators
Brandon Long <blong@google.com> Wed, 30 September 2020 02:05 UTC
Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A4C73A0B98 for <dmarc@ietfa.amsl.com>; Tue, 29 Sep 2020 19:05:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F-8-xQ8Tny9e for <dmarc@ietfa.amsl.com>; Tue, 29 Sep 2020 19:04:58 -0700 (PDT)
Received: from mail-vk1-xa2d.google.com (mail-vk1-xa2d.google.com [IPv6:2607:f8b0:4864:20::a2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B61443A0B85 for <dmarc@ietf.org>; Tue, 29 Sep 2020 19:04:58 -0700 (PDT)
Received: by mail-vk1-xa2d.google.com with SMTP id c25so63636vkm.1 for <dmarc@ietf.org>; Tue, 29 Sep 2020 19:04:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=WbTegj/FgnN/Wkyt0+2woI5PX6p8fLi4Dq8iHFkfAio=; b=m3TYipgOprgK7jszs/du/FS9B6bj83UGnnZygB6yghuG+BqNOuX7VL9f8WNrRIgAHT Cv8C1NJ2SdRdUPopaRRKGzSeB+TJMnBBa+LGsXCQalv9H2rfDPnbvJ8fMug7ECwAJtGO rJgOcnpv13kJ6mOVDNXbxq2qDFoLGoXIHdUq4khVQ/zgVX14fnatEoulQOP18xAfBbtB wg2QYl95L3XvoztCU5zDqZ7r+GoMZjgtGI/XDKM0LOo/YtAY0AjEAIzBR5qQyerWWEsB YQoMKDMulrvSFmyZacYut3wUj4pJ3eO3cozWY3RMMN/vdclbGbUitufgVPj+PIw8gytJ ZlxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=WbTegj/FgnN/Wkyt0+2woI5PX6p8fLi4Dq8iHFkfAio=; b=rbPskVrrCvrQ5xm3TAWxgMSqEa6eZL0DE2OzAl+feBPIvuAh1TkvT8ooVZbvBeq0BV eapq9Hw3uqCBfrGyMTfZRO74zEkE+SW2UtwwWPhqGJrVopZji36N/pUB5AXl9EGMjNf+ 8IPfvxu8QDHgMHvgWqoB5VxWBXOIeDpBgZ012NCf0a96KLUnWqWpGoXgE+eDCnboX2sU j8B2fBxCngnfUzx+Yw0O0lEddLrT3Fo8eoYKZI652bmir7qui4mUHcCOUOPZd8+H9ne/ 6cKRg0IZDRq7kXvSJf28R+SEPDosqXxSAtGGt1JFlVexg7F8l9IaM+lAwOgEObLzHuxY 0t9Q==
X-Gm-Message-State: AOAM533Xj2PvX/n5B/G2nEblkJ5zBw85TsMeoibwiL2TeXlImwqQZnkR v4miq3Pbtovbz+XvTIQqd5KudBcJaf3g6l62s0BWOO9MK8vs
X-Google-Smtp-Source: ABdhPJyO52KFQpLExXhA54LbpomYqAfPzhl4+oKnds/iotb6NIr1krkOQDVbWbAkJlOEaxbqtRFRWkPQ+qirc3WH/zg=
X-Received: by 2002:a1f:41d2:: with SMTP id o201mr190544vka.10.1601431496469; Tue, 29 Sep 2020 19:04:56 -0700 (PDT)
MIME-Version: 1.0
References: <CABa8R6u-mcaUD8Nkz0o8LVU9OXbwW0=+FjvzSz9xer60h_ckfQ@mail.gmail.com>
In-Reply-To: <CABa8R6u-mcaUD8Nkz0o8LVU9OXbwW0=+FjvzSz9xer60h_ckfQ@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Tue, 29 Sep 2020 19:04:44 -0700
Message-ID: <CABa8R6tWNJjeVvPvfWqbArdatC+aJznTf_nf_PPU-k_7BejHoA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000007b5ba105b07e5382"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/jbGuNIdZBaEgaWw5yE5tjlWYv18>
Subject: Re: [dmarc-ietf] Trying to understand DMARC in light of Sender/indicators
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2020 02:05:01 -0000
I should also add, that making Sender a standardized local policy override (like ARC), we could expand the reporting to include that, allowing those who ingest reports to help explain it to admins and highlight various things about the Sender... this could assuage some of the admin understanding issue. Brandon On Tue, Sep 29, 2020 at 6:56 PM Brandon Long <blong@google.com> wrote: > Although I'm not fully convinced by Dave's point on whether indicators are > useless (they certainly are not of large value, I'm less certain in the > margins).. I think I need to work through what DMARC is without that. > > DMARC is composed of three things: alignment, policy and reporting. I > think the argument is that the most important thing that DMARC brings is > message authentication.. but that's not actually what DMARC brings, but > perhaps we can view the point of DMARC as pushing forward the authenticated > message agenda. In some ways, it's well defined to be such a forcing > function. Policy and alignment make it easy for various bodies to point to > it as something they require entities to do, and reporting gives them the > path to do it and measure their success against it. > > Alignment makes policy application easy, and it also makes reporting > easy. The Sender proposal hijacks the alignment, bringing in another > possible policy to enforce and a different potential reporting path. The > draft makes it clear which policy is enforced (though of course that only > works if the receiver supports the Sender extension), but various folks on > the list have referred to the matrix problem of looking at the policies of > both, so at least it brings confusion. It does provide confusion of > "ownership". DMARC currently provides very clear ownership, even if that > is overly simplified for the pre-existing ecosystem. Adding Sender muddies > that, even if it is a better match. > > If both Sender & From fail evaluation, do we report to both? Should we > report Sender overrides to the From, should we report which From we're > overriding to the Sender? How does the Sender overrider benefit from > reporting? They'll have even less opportunity to "fix" things, since > presumably they have a more straightforward role, and without the existence > of the header, they have no role at all, so the best it could be is "places > we add the header but fail to sign" or all the other normal intermediary > cases where DMARC currently fails. > > Does DMARC that allows third party overrides via Sender provide the same > incentive to originators? In the sense that it makes it easier to get to > p=reject as there are fewer false rejects, probably. In the sense that it > undermines the simple explanation for what DMARC does, I think it will harm > DMARC adoption. ""Why did this phishing message get through" "Because > example.com added a Sender header that's aligned" "What's the point of > me doing all this if it can be bypassed that easily?" "See, the receiving > system knows it wasn't yours and so it's on them that they didn't catch it" > > In some ways, I fear that the Sender proposal is a solution for the > mailing list problem that throws out almost everything that DMARC added. > > Brandon >
- [dmarc-ietf] Trying to understand DMARC in light … Brandon Long
- Re: [dmarc-ietf] Trying to understand DMARC in li… Brandon Long
- Re: [dmarc-ietf] Trying to understand DMARC in li… Dave Crocker