[dmarc-ietf] WGLC contentious topics (I'm in the rough and I know it) in draft-ietf-dmarc-dmarcbis-30
Seth Blank <seth@valimail.com> Mon, 01 April 2024 01:37 UTC
Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24EF9C14F749 for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 18:37:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0onTdUMZsPO9 for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 18:37:06 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 865FDC14F747 for <dmarc@ietf.org>; Sun, 31 Mar 2024 18:37:06 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id d9443c01a7336-1e0d82d441bso32795075ad.3 for <dmarc@ietf.org>; Sun, 31 Mar 2024 18:37:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1711935425; x=1712540225; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=1pFOZ9G6AD2sCNObNISNXyjSLWU78Ammm6agGQ3FPbA=; b=U5176NvQZbxH1kbYgh6F2emP8VTjSmrGQsVHrKZI1+TgyHZiWc4i9cOUgZ9uPofm21 rjgO/q4tialFvAbzRJu+LdjK2C9tMxkD17UUz5WROkKNGhhCak/hiSTyFioivHjutWNz 2gtnLuVBHc4B3fL3GnYVqF4aH+PPK2J6QRU4iSjl+YaC3U+9cg0ivu8MeimTHqY8c9eP cduCIpmnUf6tNl90QWrN7e1Eo4+jxs4UEdCNNq/Q6iS5LBV1MdBvQaZwVMzZmJGznYLC uBMfjtnj6TDDSy1g2Fvi+N1BrQfRHV7YgNdfbu1G8f4HHSJ00Zy+y5YuI7HrwdzXzfxR ItCQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711935425; x=1712540225; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=1pFOZ9G6AD2sCNObNISNXyjSLWU78Ammm6agGQ3FPbA=; b=Bul8g2D5FVl/bdk+ojAbjA3RhCnqVWKgTLoMQlon+Nqoln+Erv7rhrau5jiNATDwtr X5/Q9sa3qUiiHOkZR5ahHFJ+fwFoOrZJkeuzuRMCPpX8j/gz9tC410b3AbaUBrxq6AIQ IUKByB/jae0vDKrSoR1ArIXl8agcrNPrjDtTGQ3KgOG2urYzxq+ji81obQDIDqBbDAG3 QqcYoxudSbAx67r2cmEn9ZHu+U85IKyqTPw8OEpFNT7FAkfKXVEMKWm6ZW3J9BTesVIq Te+VPBP6dDEpBup4JfbTanemlxAj5WdG3QLt2mudnP9dZBMviyycgFVM2JwY5mVByMkN zsVA==
X-Gm-Message-State: AOJu0Yxpkrhs6oZdTUCOFNtmYSE9+H5O7SsPsrg6pPET+ArcQgLb8lo1 PyliwUVZiBCmned4sYV0noLeKWCSa96SxcLlQKZWuYi1YwzSAWWVSrI0EGG/DwU1dgqGV4p8Bjr dLsaywdaDqkc5viyHqKiQ74QJRnje8r8v00ozaaGOwUQnTztca4w=
X-Google-Smtp-Source: AGHT+IFR327xA0VoBqgACpQDS6RuyXvibD2UJfMSQscarsIHDGXT+kb4Schj0Q9EmczD74UMywsu85EKBICJovjVwJE=
X-Received: by 2002:a17:902:e750:b0:1dd:b73a:352c with SMTP id p16-20020a170902e75000b001ddb73a352cmr10392112plf.53.1711935424838; Sun, 31 Mar 2024 18:37:04 -0700 (PDT)
MIME-Version: 1.0
From: Seth Blank <seth@valimail.com>
Date: Sun, 31 Mar 2024 21:36:53 -0400
Message-ID: <CAOZAAfPmjD--xBzLbwtD5uzr_gubKDYz7sHiPufML1JbYU8=4Q@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e05cd00614ff062b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mSP2yYek6F7HmUmLE-3Y0hQtVe0>
Subject: [dmarc-ietf] WGLC contentious topics (I'm in the rough and I know it) in draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2024 01:37:10 -0000
There are three items in the document that have consensus, which I believe are wrong. I am in the rough on these, and not looking to relitigate them. I am hoping to provide text that clarifies concerns in a manner that leads consumers of the document to make better informed implementations, and I provide what I've previously shared to the list as rationale for the language but not as relitigation of the core topics. In order from most to least contentious: 1. 8.6. Interoperability Considerations "It is therefore critical that domains that host users who might post messages to mailing lists SHOULD NOT publish p=reject." While this advice represents consensus, it does not represent operational best practice, nor where the market is moving to stop fraud and abuse. DMARC is becoming increasingly required at the major mail receivers, and messages that cannot get a DMARC pass are increasingly likely to get rejected outright. This language feels like it is creating an even worse interoperability problem-- giving guidance to people that will guarantee their mail gets rejected by major mail systems. These DMARC mandates arose after consensus was called, and have changed the playing field materially. More accurate language that alleviates the concern would be "It is therefore critical that domains that host users who wish for their messages to be modified and spoofed by downstream intermediaries, such as alumni forwarders or mailing lists, SHOULD NOT publish p=reject. Such spoofed messages may still be rejected, regardless of a domain owner's published DMARC policy." When it comes to the Charter, the document is supposed to articulate how to address indirect mail flow, and this would be the place. Therefore, I believe it is also worthwhile in this section to reference both ARC, as well as other mechanisms that such breaking intermediaries that create new messages (and therefore spoof the sender) could undertake, such as From rewriting to properly claim ownership of the message, or not making changes to the message that invalidate DKIM. 2. 5.7.4. Send Aggregate Reports There are no protocol police, and implementers are free to follow or ignore normative guidance at their whim. For a domain owner, it is an interoperability problem to not receive reports, and therefore this meets the normative requirement to be a MUST. Smaller receivers are of course free to ignore this if the burden is too high, but that should be their guidance to ignore, not the document's duty to presuppose. Domain owners need reports, or they cannot put the work in to authenticate their mail and publish a policy that has an impact they can expect. So reports MUST be sent. Given the consensus around SHOULD, I'd recommend the following change: OLD: Given the above, to ensure maximum usefulness for DMARC across the email ecosystem, Mail Receivers SHOULD generate and send aggregate reports with a frequency of at least once every 24 hours. NEW: In order for domain owners to properly collect and analyze reports (section 5.5.5) in order to authenticate their mail and publish a policy if they wish (section 5.5.6), mail receivers need to supply those reports. To ensure maximum usefulness for DMARC across the email ecosystem, understanding that some receivers may find this an undue burden, Mail Receivers SHOULD generate and send aggregate reports with a frequency of at least once every 24 hours. 3. 4.4. Identifier Alignment Explained If we ever open alignment again for a future document, I hope we do away with strict alignment. It would also simplify the document and the examples greatly. Early on, consensus was that we should keep strict alignment, as it was used by a very small handful of organizations, but primary amongst them were some banks who took strict to mean more secure. Further details were discussed at the interim here: https://mailarchive.ietf.org/arch/msg/dmarc/PPskhJKs-cvXJpjzh-UiJQ9ba4M/ This decision to keep strict alignment made sense in isolation. Since then, we've discussed two other removals -- relying on SPF at all, and not worrying about mailing list traffic at all -- both of which affect more mailflow and deployment than strict alignment. If we're willing to seriously discuss things that affect more mail, should we not also review the need for strict alignment? I also don't think we really reviewed strict alignment after incorporating the tree walk into the document. Most of the uses for strict alignment were in the "I have a large organization, and want to make sure one part of the organization cannot spoof another" camp-- which now the tree walk should have provided a more scalable solution for. As was discussed during the interim, there is not operational practice that underscores strict alignment actually providing any real advantage. Practically speaking, almost no one uses strict alignment. And for those that do, it tends to be significantly more difficult to implement, for no actual benefit that's ever been presented to this working group. Further, there are many that look at "strict" as "better" and "more secure" and then find themselves unable to implement DMARC, when relaxed alignment would have actually given them everything they need and the protections they're looking for. At a minimum, I think the second paragraph of section 4.4 should be changed: OLD: The choice of relaxed or strict alignment is left to the Domain Owner and is expressed in the domain's DMARC policy record. NEW: The choice of relaxed or strict alignment is left to the Domain Owner and is expressed in the domain's DMARC policy record. In practice, nearly all domain owners have found relaxed alignment sufficient to meet their needs. Seth, as an individual, not trying to relitigate, just trying to clarify concerns, and not dying on any of these hills. -- Seth Blank | Chief Technology Officer Email: seth@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- [dmarc-ietf] WGLC contentious topics (I'm in the … Seth Blank
- [dmarc-ietf] WGLC contentious topics (I'm in the … Tero Kivinen
- Re: [dmarc-ietf] WGLC contentious topics (I'm in … Baptiste Carvello
- Re: [dmarc-ietf] WGLC contentious topics (I'm in … Murray S. Kucherawy
- Re: [dmarc-ietf] WGLC contentious topics (I'm in … John Levine