IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Douglas Foster <dougfoster.emailstandards@gmail.com> Tue, 11 October 2022 01:56 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 44B37C14CE20 for <dmarc@ietfa.amsl.com>; Mon, 10 Oct 2022 18:56:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pbJOj7scyGTx for <dmarc@ietfa.amsl.com>; Mon, 10 Oct 2022 18:56:20 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97D7EC14F733 for <dmarc@ietf.org>; Mon, 10 Oct 2022 18:56:20 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id a29so19020739lfo.1 for <dmarc@ietf.org>; Mon, 10 Oct 2022 18:56:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=J8PxEl0gfNuK+0UjBoSmGc+e9ovIjYeuRm6r/m5xy/8=; b=mkWzAKma1E8OUU6ULk3Q8Xlrq1Nu+5DWOTnCxpm/h5c9KzJZ3RuLERZ4zMpOTwu24n PyQVW4yKCwMhqlSv0Auvli3uWU3jL1ttZL9/Ho144ivjf+f/tTmxG07UZK2LBxINQtol CTrRpaECWPsWOadpLZcGdCIRWjDeTI7gxH6WPFSAwO9Aplo4hIb6IulXXbX+y+hJ/J71 ZrJr82PWwgpApFYFZGFl1m2OQ6n+9wO1xVPkAjtodO9k9diTwopwKgV0CGIZdeDyTIVy vUxaxVfQ5GWvzBfJVVvgeGNbgfNXM0/RV/3rhSd8+psfSsfosVtCRmYyY+ejOQ+md/as yYcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=J8PxEl0gfNuK+0UjBoSmGc+e9ovIjYeuRm6r/m5xy/8=; b=iCG6eBbsj/T9ZdbqD1PCZ0gVSx4QFPmrM0rtes+9JeTETQMUnTkZR8tb0aobz/wczY aReTrAb3j24G/6c9M6CMXVTqpAac82XiUj/A+DaceSgp0Pzh1P/YMGyu8doBvuSx395l QoRDM5LCglp9X8Xnb8pQ+DO2vSm5g9VXBelkmizVqYn1TUtb2H370dJjNosVvqtxSPiH fQorYqkdZe4dc134OXBVheRTOo3EeJfbf+pJ16usSFd5ga6ll1k4IcmG0i1rOjWY3YH1 rSQctpM1cUayD8WvAdqb9//i6UNKM7NTEsve+8eo472Yogu2ZWdmhMOgfQxP9YAd/BDr FgBg==
X-Gm-Message-State: ACrzQf0FVjmh54QiSN9S++qcCnLrJGuIgcIpsLGI6WS8H1V2OTqkyjIf zJWj16cH/khqF5Tn556vheuE9Xd4m2YPngYeaQqnER0qf+Y=
X-Google-Smtp-Source: AMsMyM50dPCVAUPKyYyy1fJq2Rt5p1QzV/oQXxH8tCvHvkBH2NX/ump25OJwAo7MmWcNSNVFfYR9DAu4OjX1Jse88iw=
X-Received: by 2002:a19:915b:0:b0:4a2:69e1:f110 with SMTP id y27-20020a19915b000000b004a269e1f110mr7278259lfj.64.1665453377510; Mon, 10 Oct 2022 18:56:17 -0700 (PDT)
MIME-Version: 1.0
References: <165046214335.10055.16398898629460366752@ietfa.amsl.com> <CAH48ZfxZOq68=P-Qxjvjk1c8PxWAWDvaBPPQcb4DWmd6cL=u4Q@mail.gmail.com> <CAJ4XoYen6n06L1UBqzu9nr2jCC7v_-GOAdJXMzCks6d-AaKqUA@mail.gmail.com> <CAH48ZfzVt=+yoj280VxL_SV+YM4C7eqMWhL=41YpVybaPmLcLg@mail.gmail.com> <CAHej_8mgKjpo6DDbOS9bBdTarThKOa9F55QBtrM6G-oq1YfX+w@mail.gmail.com> <CAL0qLwYjYY4OvShqACWPz0vdJcAubdU1csFFVSkqzsReZSZxuw@mail.gmail.com> <MN2PR11MB43514940B87730CC9D476AACF75B9@MN2PR11MB4351.namprd11.prod.outlook.com> <CAL0qLwb=1CZN6s2QzWJGFeO3=iPWZ-eS=7hvi4B6jhuh+hLJ0w@mail.gmail.com> <8ab0943b-9805-1a0e-528d-9cf45f2eaf9c@tana.it> <CAH48ZfzM2J0_RizqESbFSm3ASfc2x6nsdxUXWEWO+4g2vXsz+g@mail.gmail.com> <38BC22D3-3A29-47E0-9E51-DD862FDD4947@wordtothewise.com>
In-Reply-To: <38BC22D3-3A29-47E0-9E51-DD862FDD4947@wordtothewise.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 10 Oct 2022 21:56:06 -0400
Message-ID: <CAH48ZfysLqgxi1mTjxEMVgSqgmj8J2=2coC0FRaHLQsJx2yQKQ@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f4df8605eab89412"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/lGo1NnuZp9SR0ioiBm9hLnWePxk>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2022 01:56:27 -0000

Scope considerations
----------------------------
For those who can speak on behalf of domain owners, it would be helpful to
clarify scope:

- If a message has multiple signatures for the same domain, do you want all
or one included in the DMARC aggregate report?   I can imagine that having
both PASS and FAIL for the same domain could cause confusion, but perhaps
that confusion has already been prevented in all running code.

- If a message has a valid ARC chain, and the evaluator performs ARC
checking on the message, what signatures do you want included in the
aggregate report?   Note that ARC sets will increase the likelihood of
duplicate results.  If ARC signatures are to be included, we need to
provide details on how this is done.

- As requested previously, what is the preferred behavior if the evaluator
does not evaluate all signatures but is aware that additional signatures
were present in a particular message?  My specific suggestion is included
at the bottom of this post.


Message Limits
---------------------
https://www.rfc-editor.org/rfc/rfc6376.html#section-4.2 says:
"To limit potential denial-of-service attacks, Verifiers MAY limit the
total number of signatures they will attempt to verify."

I would choose stronger language:  "Verifiers SHOULD limit the total number
of signatures that they will attempt to verify, based on the design and
testing limits of the software being used."

For interoperability, aggregate reports need to stay within the safe design
limits of both the generating and the receiving applications, even the the
design limits of downstream systems are unknown.  Our very limited data
suggests that legitimate messages will have 10 or fewer DKIM signatures,
and possibly 10 or fewer ARC signatures.  Our specification should limit
the maximum number of included signatures to ensure that neither the report
generator nor the report recipient can be sabotaged by an oddball message
with an unexpectedly large number of signatures.   This also reduces the
overhead imposed on the report generating system.


Signatures not Evaluated
----------------------------------
Based on the above, a message may have signatures which lack reported
results for any of these reasons:
- The verifier evaluated signatures until its hard limit on the number of
signatures was reached, then stopped.
- The verifier evaluated more signatures than the reporting specification
allows, so it could not report all of them.
- The verifier evaluated only those signatures needed to obtain a PASS
result, then stopped evaluating.

I suggest that all three of these situations can be handled with an
additional counter.
The data on each row would include:
(a) the number of messages that are covered by the aggregation key, and
(b) the number of messages within that total which had additional
signatures which were not included in the aggregation key.

The aggregation key should only include evaluated signatures and their
results, so the "Not Evaluated" result is discarded because the domains of
any such signatures are not itemized.

 Doug Foster






On Tue, Oct 4, 2022 at 5:23 AM Laura Atkins <laura@wordtothewise.com> wrote:

>
>
> On 3 Oct 2022, at 23:31, Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
> The primary key for aggregation is the SMTP domain (up to 255 characters),
> plus each DKIM domain (up to 255 characters) and its DKIM scope (up to 64
> characters).    For 100 DKIM domains to be included, the primary key
> becomes up to 201 fields with up to 25,919 characters.  This is
> unmanageable with readily available tools like a SQL database.
>
> I suggest that we start simplifying the scope, by limiting the items of
> interest to:
> (a) SPF whether pass or fail,
> (b) aligned DKIM domains, whether pass or fail, and
> (c) non-aligned DKIM domains that pass.
>
> I don't see any value in knowing about failed DKIM signatures for
> non-aligned domains.   Perhaps someone with a sophisticated report parsing
> capability will be kind enough to correct me and explain.
>
>
> Knowing what domain is signing is important if you think things should be
> signed but they’re not aligning. Knowing what they’re being signed with
> helps treat the problem.
>
> A very simple case is: if you have 2 domains you’re using at Google
> Workspace sometimes Google will pick the wrong one to sign. So your mail
> fails DKIM alignment. Without knowing the domain, it’s impossible to
> troubleshoot what’s going on here.
>
> Then I suggest that the DKIM upper limit by 10, not 100.   At some point,
> an excess of domains becomes a DDoS attack on the evaluator, and to a much
> lesser extent, the report recipient.
>
>
> This is the type of suggestion that has broken SPF. I do not support it.
>
> laura
>
>
> Doug Foster
>
>
> On Mon, Oct 3, 2022 at 2:17 PM Alessandro Vesely <vesely@tana.it> wrote:
>
>> On Mon 03/Oct/2022 18:01:06 +0200 Murray S. Kucherawy wrote:
>> > On Mon, Oct 3, 2022 at 10:26 AM Brotman, Alex <Alex_Brotman@comcast.com>
>> wrote:
>> >
>> >> So we would likely need a section in the core document with a SHOULD
>> for
>> >> evaluation (if it’s not already there), and then a section in the
>> aggregate
>> >> reporting for a MUST for reporting on evaluated information (if they
>> choose
>> >> to send reports at all), correct?
>> >
>> > [...]
>> >
>> > From the actual protocol standpoint, the filtering part of DMARC
>> operates
>> > just fine if you make the shortcut Doug is proposing, so the first
>> SHOULD
>> > is probably apt but the MUST is moot because it doesn't change
>> > interoperability.
>>
>>
>> Let me add that reporting /all/ identifiers can be unfeasible.  (I, for
>> example, collect identifiers to be reported using SQL left join of
>> various
>> copies of the table, which delivers results as just that many columns,
>> although
>> more might have been evaluated at reception time.)
>>
>> Reporting just the "most important" identifiers could be an option.
>>
>>
>> Best
>> Ale
>> --
>>
>>
>>
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
> --
> The Delivery Experts
>
> Laura Atkins
> Word to the Wise
> laura@wordtothewise.com
>
> Email Delivery Blog: http://wordtothewise.com/blog
>
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email