IETF Logo Mail Archive

Re: [dmarc-ietf] Objections to Sender header as override

Brandon Long <blong@google.com> Wed, 30 September 2020 02:01 UTC

Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E4233A0B2A for <dmarc@ietfa.amsl.com>; Tue, 29 Sep 2020 19:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.6
X-Spam-Level:
X-Spam-Status: No, score=-17.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mdha1B59Kb59 for <dmarc@ietfa.amsl.com>; Tue, 29 Sep 2020 19:01:14 -0700 (PDT)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D364E3A0AC8 for <dmarc@ietf.org>; Tue, 29 Sep 2020 19:01:13 -0700 (PDT)
Received: by mail-ua1-x935.google.com with SMTP id h15so4155302uab.3 for <dmarc@ietf.org>; Tue, 29 Sep 2020 19:01:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=2JsCoCZ/bJzGV3q+foc6r0EjKY1fYC0ilwqpcGsYLiE=; b=oB4FRHeQl1xBy8ZaAIkOGgjnWl9/qU6ktQQz/C40pTsky+GtOmlRGGqoM++uqbhq2p 9tNzRRVS0U7kOazlKtAGtuvDzhNC0LvQifhJD4LCYfnFw6zO2HOUKFQrHhKiMLO5Ue4a kLWrySkGgihnT253WRU/F+8iHAORzoFtgpoKodLyN0dg2iP7fHGplQuqwBIviTfk407f ylfOp3O3gdvKu6EMp2E9sq/fxzvnS8x3UlevKPyIn5bXTYqmSnLnw1skGHu8ajTViWno 4n9U75UVMzESgTqWS6w1SJ8z9LAznQ9G5+nncYZW2l9ifuUmNn1O6h5FYOF0Yjo9djMc +TlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=2JsCoCZ/bJzGV3q+foc6r0EjKY1fYC0ilwqpcGsYLiE=; b=ADz5vxZ2zvLTycJOl3mDYNWuLgZriitdgd92nFLAtUyiDbtj3/0ILlka97u0AC5sYy URqVn0NADL85kFfJtvRop14T2waxvpsb2x4QK6Xkly836wRBbQTzXILaoZMiv4Ga9kFf EDNVQ5JMk1gU8FbaM3YeQUD4glQZL1aE5tEJZYPYk+fGjlP0OXcKZteAjTeT2+16L/iS 2AYBcy3unXURoq/q6ta5L3SwyjK6/Pt+ByZO5eCgI0dUq6Xvy1m7vh9dlmwUW1x8K0J0 QLN4SKjmDb3rQMuXYjzhC3arNjPpIxoLEZ8q1L1RMGvxWfGjjbXeOBEGr0DLyyh9xXCg l8lg==
X-Gm-Message-State: AOAM530VYVkWSO20wkVp25KJAg2kFW9WTaaRy8lSyzUj/b/wkpg88cFH mtQy9I2NULFvFc3S3jCWBzZLL+oPKldhzhLrTul3omGwO9NK
X-Google-Smtp-Source: ABdhPJzZ62AjBm8VtLC6bT2atuAZPAX51M2QY/8yfg6SxRM+xIxwYWgnO54H39p/KATLWsb5v5pSCnB2EDj2zs9mvF8=
X-Received: by 2002:ab0:4d42:: with SMTP id k2mr225027uag.10.1601431271502; Tue, 29 Sep 2020 19:01:11 -0700 (PDT)
MIME-Version: 1.0
References: <20200927171611.838B321D9BAD@ary.qy> <5069099.lO0Lvmlme3@zini-1880> <a4e016ba-673a-81f0-829b-b3b7adb6fcac@dcrocker.net> <5F73393D.4010805@isdg.net> <7afb25f6-c258-e92c-fdfe-10fe26ccecec@dcrocker.net> <5F73B80F.2000402@isdg.net> <b52efd45-cec3-1ceb-5ff6-c455e8b46b84@dcrocker.net> <CABa8R6uS80Jy=xcMi-XFmD=W7QwkMi1A8ebyGoCJCjeq6=61Yw@mail.gmail.com>
In-Reply-To: <CABa8R6uS80Jy=xcMi-XFmD=W7QwkMi1A8ebyGoCJCjeq6=61Yw@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Tue, 29 Sep 2020 19:00:59 -0700
Message-ID: <CABa8R6sdgays+yh3+KjkxPiVj6r0ip7J2TVh7r7ETsj44ZVTzw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000012562805b07e463d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/m0kYUum5u6fwkP6Ypo-M9Ltn5yI>
Subject: Re: [dmarc-ietf] Objections to Sender header as override
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2020 02:01:15 -0000

Another issue, I think we should investigate how various systems display
(or not) the Sender header.  My understanding was that Outlook in
particular displayed it, and so encouraging it's widespread use could have
unexpected consequences.

It may be that it already displays it in a way that makes sense in the way
it's used, I think Gmail's display of Sender is (it'll add a "via sender
address" in some circumstances, which seems compatible).

Brandon

On Tue, Sep 29, 2020 at 5:54 PM Brandon Long <blong@google.com> wrote:

> Lacks backward compatibility:
> If we adopt the Sender header as a method to work around DMARC, it is
> obviously a simpler thing to do than ARC, doesn't provide quite as much
> (but what it provides may be sufficient)... but still suffers from one of
> the main issues with ARC, which is that it requires widespread adoption to
> replace some of the other workarounds.
>
> Ie, a mailing list that adopts the Sender header still won't know when it
> can do that over rewriting.
>
> Shouldn't be separate as defined:
> The Sender header proposal is also an adjunct directly to DMARC itself,
> changing the existing dmarc policy evaluation in a direct way.  I don't
> think that should be done by a separate spec, if we do decide to, it should
> be part of the DMARC spec itself, especially so we can explore all the ways
> that it changes the existing spec.  I agree with others who have said that
> adding this makes DMARC not DMARC, though I'm willing to explore that in
> more depth.  I understand Dave's points regarding user level signals, but I
> think alignment benefits in other ways.
>
> If you instead wanted to add it as a separate thing, I don't think it
> should be couched as overriding DMARC like it does, but as the same way we
> expected ARC to override DMARC, as a well defined local policy override.
>
> Really bad third party signing:
> I've objected in the past to various third party signing approaches as
> being non-starters for high value domains.  Google does not use SPF's
> include mechanism, and is not going to list hundreds of possible third
> parties as "ok" for signing to cover all possible mailing lists that are
> employees work on.
>
> In some sense, the Sender override is basically third party signing
> without any actual relationship... which is both good and bad.  It's bad in
> that anyone can now send a phishing message... but I guess anyone could
> have before as well.  It's bad in that we wouldn't say "yes, this is fine"
> for any specific sender... but now we're more at the whim of the receivers.
>
> It's good in that maybe it standardizes a kind of local policy override.
>
> Brandon
>
>
>

v2.23.0 | Report a Bug | By Email