[dmarc-ietf] The case for walking the domain

"Douglas E. Foster" <fosterd@bayviewphysicians.com> Sun, 15 March 2020 20:33 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/kRIlfJwsnawH1pEU9bZIjvdlCWM>

The brilliance of DMARC is in its feedback mechanism.   For that feedback to be useful, it needs to reach someone who can act on it.   For a massive organization like the U.S. Government, I cannot imagine how feedback to a .gov catchall account could be actionable.

Suppose someone decides to send a newsletter to local farmers, from the Kansas office of the Agricultural Extension program of the Department of Agriculture.  He creates an account with Constant Contact and starts sending messages.

This violates the DMARC policy of Dept of Agriculture, so someone in D.C. starts getting notifications that Gmail is blocking lots of messages from Constant Contact.   What is to be done?

The "mail integrity program officer" of the Department of Agriculture calls Constant Contact, but they politely explain that they need proof of identity, which can be:

- Knowledge of the login credentials for the Constant Contact account, or
- A court order

Eventually our "Mail Integrity" officer gets his court order and forces the account to be closed.  The farmer outreach officer in Kansas suddenly finds his Constant Contact account disabled, so he creates a new one.  All of this gets in the way of actually communicating with farmers who will benefit from the newsletter.

The internal communication problems will be difficult even if the Constant Contact account is tied to a valid subdomain of Agriculture, with a DMARC policy on that subdomain.  It becomes exponentially more difficult if the newsletter uses a non-existent subdomain, causing the feedback to go to a catchall account for the Department of Agriculture, or worse yet a catchall account for all of ".gov".

Walking the domain allows feedback, for both valid and non-existent domains, to go to the destination most able to use the information, and makes the .gov policy a trivial extension of the domain walk.

Doug Foster