Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?

Scott Kitterman <sklist@kitterman.com> Mon, 18 March 2024 20:37 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1006C180B77 for <dmarc@ietfa.amsl.com>; Mon, 18 Mar 2024 13:37:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.108
X-Spam-Level:
X-Spam-Status: No, score=-7.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="wUe7RP9j"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="SOC/ZKpZ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ufsJkPfJrypV for <dmarc@ietfa.amsl.com>; Mon, 18 Mar 2024 13:37:40 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE1A9C1D5C73 for <dmarc@ietf.org>; Mon, 18 Mar 2024 13:37:35 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 391EBF8029B; Mon, 18 Mar 2024 16:37:23 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1710794229; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=gQgW9nK4laFiaqQnWW5768Huxbi1RNpZ6D4aVP7/3i4=; b=wUe7RP9j7n8uNxGyoX2QJ7TetiaVMtPqi/vxWLY90lwNNlPXDDTiJY/m9uxADB+525OXx pwsX5u5KG3k0WqVCw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1710794229; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=gQgW9nK4laFiaqQnWW5768Huxbi1RNpZ6D4aVP7/3i4=; b=SOC/ZKpZWPnqvaqGY/5mwqVSPU5FdjFP69nD4DZ+9E43/ty/asXRx73WJ42Md0r9HsjJW Kstt2YDGYNUu4rfL0PmjABBLWPjzY2YyY2bnjn/94l3dxMsTRnA550MJq9gK47J74C0bj+T mWNwhz+NpwMoaFh24o/tOwPNbroiuYaQW++a1/9deIvS5jkLLQpZh8190wSNGDHO8d0/Mfj 9FRs20iEzbwQxTo6koJl77J+AexHrT9RRNxQWlIa23IsjYBwrVRjk8GsjqdOUSeTZgnbQL0 rm8bBCKn2rtK785lw9o2+jrYxVFeh3xYvmyjTK1bSWr1n5PPARRFxPmiLHGA==
Received: from [127.0.0.1] (mobile-166-171-58-151.mycingular.net [166.171.58.151]) by interserver.kitterman.com (Postfix) with ESMTPSA id 00481F80211; Mon, 18 Mar 2024 16:37:08 -0400 (EDT)
Date: Mon, 18 Mar 2024 20:37:02 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <40acfc56-8d00-4be1-b3fb-c5f2670b0b88@tana.it>
References: <2068150.yCtiIVWOOC@zini-1880> <20240318013630.455118593233@ary.qy> <CAJ4XoYcoJFqYoAt_jq6jfsSjqtjaifiUzaqY-zkg7R3o5Bio0A@mail.gmail.com> <810a3322-4ba3-ac67-5c7b-0118028aeb34@taugh.com> <CAJ4XoYfCgo6DrD0HLMrL3+xT=K0TebQJdKjsUh3e+d-1ND3uUQ@mail.gmail.com> <40acfc56-8d00-4be1-b3fb-c5f2670b0b88@tana.it>
Message-ID: <97F2B58E-587D-4AC1-AC1B-F4A14EAFDC03@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nVE7vx62HRZOkyDW0d0lFDmUvAM>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 135 - What To Say About Too-Permissive/Third-Party SPF and Where To Say It?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 20:37:45 -0000


On March 18, 2024 6:40:54 PM UTC, Alessandro Vesely <vesely@tana.it> wrote:
>On Mon 18/Mar/2024 09:14:26 +0100 Dotzero wrote:
>> On Mon, Mar 18, 2024 at 2:38 AM John R Levine <johnl@taugh.com> wrote:
>>> On Sun, 17 Mar 2024, Dotzero wrote:
>>>>> Whenever mail is sent, there is a risk that an overly permissive source
>>>>> may send mail which will receive a DMARC pass result that was not, in
>>>>> fact, authorized by the Domain Owner. These false positives may lead
>>>>> to issues when systems interpret DMARC pass results to indicate
>>>>> a message is in some way authentic. They also allow such unauthorized
>>>>> senders to evade the Domain Owner's requested message handling for
>>>>> authentication failures.
>>> 
>>>> I have a problem with this 2nd paragraph and believe it is factually incorrect. The Domain Owner has in fact authorized the message(s) as a result of an overly permissive approach. I would suggest that in fact any resulting DMARC pass is technically NOT a false positive because it is authorized by the overly permissive approach.
>>> 
>>> Seems to me it depends on what you think "authorized" means.  My sense is I told you it's OK to send the message, yours seems to be that any host on an IP in the SPF record or anyone who steals your DKIM key is authorized by definition.
>>> 
>>> Is there some other wording that can make the difference clear?
>> 
>> Here's a quick stab at some modified wording for the second paragraph:
>> 
>> Whenever mail is sent, there is a risk that an overly permissive source
>> may send mail which will receive a DMARC pass result that was not, in
>> fact, intended by the Domain Owner. These results may lead
>> to issues when systems interpret DMARC pass results to indicate
>> a message is in some way authentic. They also allow such unauthorized
>> senders to evade the Domain Owner's intended message handling for
>> authentication failures.
>
>
>That's better.  At least it's formally correct.  Still, it is rather obscure for an average reader.
>
>The attempt to make this issue general, in the sense that it is valid for SPF and DKIM alike, makes no sense.  Stealing a DKIM key is not comparable to an overly permissive SPF record.
>
>The text should be terser and clearer, possibly with an example.
>
No one said anything about stealing a DKIM key.

Scott K
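The scenario the quoted paragraph argues about, as an added illustration that is not part of this thread or of the DMARCbis text: a toy SPF and DMARC-alignment evaluator run over a constructed, in-memory zone. The domain names, addresses and records are made up, the evaluator handles only the ip4, ip6, include and all mechanisms, and organizational-domain derivation is simplified to the last two labels. It shows that when example.org's SPF record lists a /24 shared with other hosting tenants, a neighbouring tenant sending with MAIL FROM and From: at example.org gets spf=pass, aligned, and therefore dmarc=pass, exactly like the owner's own host; tightening the record to the owner's host turns the neighbour's result into fail with the p=reject disposition.

```python
import ipaddress

# Constructed zone (no real domain's records). example.org's SPF authorizes its
# own host plus a whole /24 it shares with other hosting tenants, and includes a
# hypothetical ESP's record. The tightened variant drops the shared /24.
ZONE_PERMISSIVE = {
    "example.org": ["v=spf1 ip4:203.0.113.25 ip4:203.0.113.0/24 include:_spf.esp.example -all"],
    "_spf.esp.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_dmarc.example.org": ["v=DMARC1; p=reject; aspf=r; adkim=r"],
}
ZONE_TIGHT = dict(ZONE_PERMISSIVE,
                  **{"example.org": ["v=spf1 ip4:203.0.113.25 include:_spf.esp.example -all"]})

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, zone, depth=0):
    """Evaluate the SPF record for MAIL FROM @domain sent from ip.

    Toy evaluator: supports ip4, ip6, include and all with the four qualifiers;
    other mechanisms and modifiers are skipped. Returns one of pass, fail,
    softfail, neutral, none, permerror."""
    if depth > 10:
        return "permerror"          # RFC 7208 caps DNS-querying terms at 10
    records = [r for r in zone.get(domain, []) if r == "v=spf1" or r.startswith("v=spf1 ")]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"          # more than one SPF record is a permerror
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            matched = check_spf(arg, ip, zone, depth + 1) == "pass"
        else:
            continue                # unsupported mechanism or modifier: skip
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                # nothing matched and no explicit "all"


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (enough for the
    constructed names here; real code consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts a shared organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; aspf=r' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_result(from_domain, mail_from_domain, ip, zone, dkim_pass_domains=()):
    """Combine SPF and already-verified DKIM d= domains into a DMARC verdict.

    dkim_pass_domains is empty in this example: the point is an SPF-only pass."""
    records = zone.get("_dmarc." + from_domain, [])
    if not records:
        return {"spf": check_spf(mail_from_domain, ip, zone), "dmarc": "none", "disposition": "none"}
    tags = parse_dmarc(records[0])
    spf = check_spf(mail_from_domain, ip, zone)
    spf_ok = spf == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, from_domain, tags.get("adkim", "r")) for d in dkim_pass_domains)
    verdict = "pass" if spf_ok or dkim_ok else "fail"
    return {"spf": spf, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "dmarc": verdict,
            "disposition": "none" if verdict == "pass" else tags.get("p", "none")}


def compare(zone):
    """Owner's host (203.0.113.25) versus a neighbouring tenant in the shared /24
    (203.0.113.77), both with MAIL FROM and From: at example.org."""
    owner = dmarc_result("example.org", "example.org", "203.0.113.25", zone)
    neighbour = dmarc_result("example.org", "example.org", "203.0.113.77", zone)
    return owner["dmarc"], neighbour["dmarc"]


if __name__ == "__main__":
    print("permissive record:", compare(ZONE_PERMISSIVE))
    print("tightened record: ", compare(ZONE_TIGHT))
```

Nothing in the receiver's evaluation distinguishes the two senders: both results are a textbook DMARC pass, which is why the thread's disagreement is about whether the neighbour was "authorized" or merely "not intended". The only lever the domain owner has on the SPF side is the record itself, and the tightened zone shows the neighbour falling through to -all and the p=reject disposition.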