Re: [dmarc-ietf] Concerns for not Sending a Failure Report?

Дилян Палаузов <dilyan.palauzov@aegee.org> Sun, 04 August 2019 10:10 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA40E120041 for <dmarc@ietfa.amsl.com>; Sun, 4 Aug 2019 03:10:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (4096-bit key) header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtL8DK_l3fLK for <dmarc@ietfa.amsl.com>; Sun, 4 Aug 2019 03:10:56 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AC5A12000F for <dmarc@ietf.org>; Sun, 4 Aug 2019 03:10:55 -0700 (PDT)
Authentication-Results: mail.aegee.org/x74AApov008316; auth=pass (LOGIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1564913453; i=dkim+MSA-tls@aegee.org; r=y; bh=IIfzTDwrmLT2ftpMlv5jYriXRNoiZhFxYslAEJhHw44=; h=Subject:From:To:Date:In-Reply-To:References; b=AgHxpwIp/PmDsy+yHUr3sqovFZ6lWYIPBG1Tn5oA1IDJn2ownY24WsS6YjkSwk1Gk NHOC2fPTDTtAi51U2HE/zWLoZ3wBXhGwk5ooPALpnGZX/TLHkCqVD8jYBhOykok59F IgmdwTi2mGk6Qd5pyKteNNvv4ZilVKJXiSujN5jBuoD26svxXVjOM+WJS5Pf9SDl/N AVArhEjardNFn17O+XtqYu4G9onNMXZcgri1PnSQlThuuPkqMjR32AUF7KyPnLHY1P PVUstvlxq5aP8jB2e8McgB0DlpL8t4MBDEsYig0ONiGmDlWdWKOVWKpCYb7Ph2F9EM Q551WcmZGb+1vvNk/R739oYWD05YGN4yKC6WoGoDfj2W6htctAncaMiXcPNvNCPLHY lespcVlFr1z3TiLnhtbpSTV4YBu0jq+aHMIoshScVWOOqb+fisqly0OnXH3lLIduSP dCV5haWpP6bceklkeEGiIFwSqCbIqS3gPm57o876fv1PM2qpJa4pX66/UbGlk03dxg SvAQ3ufXRG4I6ye/d/diTd6oetnxGG3VFvrliZs6FLU2FktBlcFj/D/d1PyjFXlUrD ZVhV5kflmfM2nd9ERyDt+Rx5Nb/vk40nY6DRpn7NRHGeiPvyYYYWRoQWcD72vlY+MS NWtpn+RHmXOaiSx0gAZrJd/I=
Authentication-Results: mail.aegee.org/x74AApov008316; dkim=none
Received: from Tylan (87-118-146-153.ip.btc-net.bg [87.118.146.153]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id x74AApov008316 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Sun, 4 Aug 2019 10:10:52 GMT
Message-ID: <bf96723d0a98477bac0f6f54742d3eb4d03f30a6.camel@aegee.org>
From: =?UTF-8?Q?=D0=94=D0=B8=D0=BB=D1=8F=D0=BD_?= =?UTF-8?Q?=D0=9F=D0=B0=D0=BB=D0=B0=D1=83=D0=B7=D0=BE=D0=B2?= <dilyan.palauzov@aegee.org>
To: Steve Atkins <steve@wordtothewise.com>, dmarc <dmarc@ietf.org>
Date: Sun, 04 Aug 2019 10:10:51 +0000
In-Reply-To: <6FCCAD3E-C2EB-4613-B0C0-148AE3387D21@wordtothewise.com>
References: <e84652a9df6b61e599f30e7fae6c0c728faf5ce5.camel@aegee.org> <5DD2CBA9-6F28-483C-9B08-8D3A41526BD7@wordtothewise.com> <d36a922d6bbb8426167e44d434e07b62faf86f21.camel@aegee.org> <6FCCAD3E-C2EB-4613-B0C0-148AE3387D21@wordtothewise.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.33.90
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.2 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/kCYWj6m7zEJGG54bh8JXFJArHag>
Subject: Re: [dmarc-ietf] Concerns for not Sending a Failure Report?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Aug 2019 10:10:59 -0000

Hello Steve,

do you mean, that a mailhost sending emails for a particular domain, protected by restrictive DMARC policy, has no
authority to decide, that persons appointed by the mailhost provider can read any email and any report?

I mean, a domain @A.int publishes “p=reject; ruf=z@a.int” and sends all emails over host mail.a.int .  The provider
gives access to all (sent) emails to person Z.  Does publishing ruf=z@a.int, by the domain owner mean, that the domain
owner is capable to ensure that the persons who receive the failure reports and the persons who can read all sent mails
from @a.int are the same persons?  Or it means, that the domain owner is not capable to make such decision?

Z is capable to sent a copy of all outgoing mails indended for a particular provider to a dedicated mailbox at that
provider, fetch then the emails from the dedicated mailbox and filter the ones with Authentication-Result: dmarc=fail .

> The mailbox provider has no way of knowing that you sent the mail. If it was authenticated as coming from you this
wouldn't be an issue.

The receiving server knows, which IP address sent the mail and it knows, to which IP addresses set the failure report
will go.  If there is a match in the IP addresses, then the receiving server knows that the one who will get the report
is also the one, who has anyway access to the message.

I think now, that not sending failure reports has nothing to do with (privacy) concerns.  It is either laziness of the
receiving site to make the appropriate setup, or unwillingness to reveal information about mismatching DKIM
implementation of sender and receiver.

With willingness to align the implementations, a receiving site having (privacy) concerns, can offer a mailbox to the
sending site, where the sending mailhost duplicates each email from the sending to the receiving host.  Then the sending
host can fetch the mails and look for A-R: dmarc=fail.

That said I would like to see some text in the revisited DMARC specification about obtaining information about messages
failing DMARC, sent from a particular mailhost to another mailhost, when the receiving site does not send failure
reporst (for any reason), but is otherwise willing to exchange information about messages, failing DMARC validation.

Regards
  Дилян

On Sun, 2019-08-04 at 10:35 +0100, Steve Atkins wrote:
> > On Aug 4, 2019, at 9:18 AM, Дилян Палаузов <dilyan.palauzov@aegee.org>; wrote:
> > 
> > Hello Steve,
> > 
> > in both cases it is about information that was sent over from the same mailhost.  
> 
> The mailbox provider has no way of knowing that you sent the mail. If it was authenticated as coming from you this wouldn't be an issue.
> 
> One mail was sent to *you*. It's OK for you to have access to it.
> 
> The other mail was sent to someone *not you*. There's no a priori reason you should have access to the content of the message.
> 
> Cheers,
>   Steve
> 
> 
> > To whom the information was sent
> > decides the operator of the mailhost, not the one who suppresses failure reports.
> > 
> > In any case, for a failure report containing only the Message-Id it does not matter what information the email carried
> > and to whom the information was sent.
> > 
> > Regards
> >  Дилян
> > 
> > On Sun, 2019-08-04 at 09:07 +0100, Steve Atkins wrote:
> > > > On Aug 2, 2019, at 10:41 PM, Дилян Палаузов <dilyan.palauzov@aegee.org>; wrote:
> > > > 
> > > > Hello,
> > > > 
> > > > I just thougth once again on this.
> > > > 
> > > > Some of the senders of aggregate reports offer free mailboxes.
> > > > 
> > > > Aggregate reports show that emails from a host to a provider of free mailboxes sometimes do not validate DMARC.
> > > > 
> > > > The one provider sending emails opens a free mailbox on the receiver and then sends a secret copy of each, otherwise
> > > > ordinary delivered email, to that special mailbox.
> > > > 
> > > > Then the mails from that mailbox are downloaded, and the A-R header is checked.  By this way the sender finds out, which
> > > > messages exactly have failed DMARC validation.
> > > > 
> > > > At the end the same information is obtained, that can be obtained by exchanging a failure report: which messages have
> > > > failed.
> > > 
> > > Information found in mail mail headers in accounts that you have created includes email that's been sent to you.
> > > 
> > > Information found in failure reports includes email that generally was not sent to you.
> > > 
> > > Cheers,
> > >  Steve
> > > _______________________________________________
> > > dmarc mailing list
> > > dmarc@ietf.org
> > > https://www.ietf.org/mailman/listinfo/dmarc
> 
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc