Re: [dmarc-ietf] Problem with multiple policies, different alignment

Tobias Herkula <tobias.herkula@1und1.de> Tue, 12 March 2024 13:23 UTC

Return-Path: <tobias.herkula@1und1.de>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11402C14F703 for <dmarc@ietfa.amsl.com>; Tue, 12 Mar 2024 06:23:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=1und1.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kklfz7FItiYn for <dmarc@ietfa.amsl.com>; Tue, 12 Mar 2024 06:23:06 -0700 (PDT)
Received: from moint.1and1.com (moint.1and1.com [212.227.15.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFCB1C14F6BE for <dmarc@ietf.org>; Tue, 12 Mar 2024 06:23:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=1und1.de; s=corp1; h=MIME-Version:Message-ID:Date:Subject:To:From:cc:sender:reply-to; bh=+0PwAPnGmGbtiUXGSdoofWw+5shV+eUMFS6MpdPGFY4=; b=uOvEr+qAuogdQtgpxu75EMe+P 0Y51oZK20NKjP5ZnedumTBGZcZ59MEv/QzMICWZNyC5CMxtFHC7DlaXe8PCU3KGw07PdwH+zNOU2/ Ewjf/2cROXy2bFux5lR2wSore5i2KvG9JN3xNktYUbuffjG4cR5+P4Fa/Twzf9MOD2thMUWYJhiHw KzaukpyRo6a3mCWhTv7lI3+lPRQ3tcFGnqMjcCYw4EEBcfwfMreFzhal30OvDJKq9gTrb5py9QEbg yYEM4holnUyZYdctcfg76QlwWH8BDgDpq+ajANgQOHyYvbKtww7tqOUm+zVfo3PHgqv9iN4I7XBND 25CPNVL/w==;
Received: from [10.98.28.9] (helo=KAPPEX024.united.domain) by mrint.1and1.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <tobias.herkula@1und1.de>) id 1rk25w-0002Uv-7C for dmarc@ietf.org; Tue, 12 Mar 2024 14:23:04 +0100
From: Tobias Herkula <tobias.herkula@1und1.de>
To: IETF DMARC WG <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Problem with multiple policies, different alignment
Thread-Index: AQHadG6ZZdd6kjltIkqIhx1IsMfDKLE0Foxw
Date: Tue, 12 Mar 2024 13:23:03 +0000
Message-ID: <b12c755d8edc48d9b9f9480219b3c09d@1und1.de>
References: <CAH48Zfz+60=UOrBsuMvScFcDphpLF975jsbaEiX-2xSMzQUoPA@mail.gmail.com>
In-Reply-To: <CAH48Zfz+60=UOrBsuMvScFcDphpLF975jsbaEiX-2xSMzQUoPA@mail.gmail.com>
Accept-Language: en-US, de-DE
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.98.28.55]
Content-Type: multipart/alternative; boundary="_000_b12c755d8edc48d9b9f9480219b3c09d1und1de_"
MIME-Version: 1.0
X-Virus-Scanned: ClamAV@mvs-ha-bs
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nxy6whxCak7zReRY0-AKRv08kmQ>
Subject: Re: [dmarc-ietf] Problem with multiple policies, different alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Mar 2024 13:23:10 -0000

The DMARC record on the DKIM signing domain is not relevant for DMARC evaluation, so if the 5322.From header domain is “example.com”, the “adkim:r” is relevant for evaluation regarding your example setup and would consider a DKIM signature domain of “sub1.example.com” as aligned. It’s the same behavior vice versa: if the 5322.From header domain is “sub1.example.com”, the “adkim:s” would apply and a DKIM signature domain of “example.com” should not be considered aligned.

/ Tobias Herkula

From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Douglas Foster
Sent: Tuesday, March 12, 2024 12:15 PM
To: IETF DMARC WG <dmarc@ietf.org>
Subject: [dmarc-ietf] Problem with multiple policies, different alignment

I have been building a DMARC implementation, starting with a simple function:
TreeWalk(domain) which returns:

  *   Policy found or not found indicator
  *   Policy Domain
  *   Organizational Domain
  *   Policy record
My thought was that the Tree Walk result was independent of the domain identifier being checked, but this is not true.

Assume these DMARC policies:

  *   example.com aspf:r adkim:r
  *   sub1.example.com aspf:s adkim:s

When the message contains:

  *   From: user@sub1.example.com
  *   DKIM: d=example.com
Strict alignment on the From domain makes the organizational domain unimportant, so the PSL lookup or Tree Walk are not necessary. The organizational domain used for reporting purposes is sub1.example.com. The DKIM signature is not aligned.

But when the message contains the reverse, the logic gets complicated:

  *   From: user@example.com
  *   DKIM: d=sub1.example.com
If we apply the same Tree Walk to this message, we have a problem. The From domain Tree Walk returns "example.com" as the organizational domain, and the Tree Walk of the DKIM domain returns "sub1.example.com" as the organizational domain because of strict alignment. So the result appears to be unaligned.

Consequently, the Tree Walk needs to be sensitive to the identifier being checked. If the identifier is not the From address, the Tree Walk is only interested in the existence of a policy and the PSL tags, and the special case related to strict alignment needs to be bypassed.

I don't think this case was covered in previous discussions.

Doug Foster
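The point made in the reply above, that only the RFC5322.From domain's DMARC record is consulted and that the DKIM signing domain's own record plays no part in alignment, can be checked against Doug's two messages with a small evaluator. The following is an added example written for this thread, not code from either poster or from any DMARC implementation: it uses a constructed in-memory set of `_dmarc` records in place of DNS, a constructed two-entry stand-in for the Public Suffix List to derive the organizational domain (RFC 7489 style, rather than the DMARCbis tree walk), and assumes the DKIM domains passed in have already produced a valid signature.

```python
# Constructed sample data: stands in for _dmarc.<domain> TXT lookups. Not real DNS.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; aspf=r; adkim=r",
    "sub1.example.com": "v=DMARC1; p=reject; aspf=s; adkim=s",
}

# Constructed stand-in for the Public Suffix List (assumption: only these suffixes exist).
PUBLIC_SUFFIXES = {"com", "net"}


def parse_record(txt):
    """Split a DMARC TXT record into a lowercase tag=value dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def organizational_domain(domain):
    """Return the organizational domain: one label longer than the public suffix."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else domain.lower()
    return domain.lower()


def find_policy(from_domain):
    """Locate the policy for the RFC5322.From domain only: exact record first,
    then the organizational domain's record. Returns (policy_domain, tags) or (None, None)."""
    domain = from_domain.lower()
    if domain in DMARC_RECORDS:
        return domain, parse_record(DMARC_RECORDS[domain])
    org = organizational_domain(domain)
    if org in DMARC_RECORDS:
        return org, parse_record(DMARC_RECORDS[org])
    return None, None


def is_aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains.
    The mode always comes from the From domain's record, never from auth_domain's."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(from_domain, dkim_domains=(), spf_domain=None):
    """Evaluate DMARC alignment for one message.
    dkim_domains: d= values of signatures that already verified (assumption).
    spf_domain: the MAIL FROM domain if SPF passed, else None."""
    policy_domain, tags = find_policy(from_domain)
    if tags is None:
        return {"policy_domain": None, "dkim_aligned": False,
                "spf_aligned": False, "dmarc_pass": False}
    adkim = tags.get("adkim", "r")   # relaxed is the default when the tag is absent
    aspf = tags.get("aspf", "r")
    dkim_aligned = any(is_aligned(from_domain, d, adkim) for d in dkim_domains)
    spf_aligned = spf_domain is not None and is_aligned(from_domain, spf_domain, aspf)
    return {"policy_domain": policy_domain, "adkim": adkim, "aspf": aspf,
            "dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned}


if __name__ == "__main__":
    # Doug's first message: From sub1.example.com, DKIM d=example.com -> strict, not aligned.
    print(evaluate("sub1.example.com", dkim_domains=["example.com"]))
    # Doug's second message: From example.com, DKIM d=sub1.example.com -> relaxed, aligned.
    print(evaluate("example.com", dkim_domains=["sub1.example.com"]))
```

Because `find_policy` is only ever called with the From domain, the `adkim=s` on `sub1.example.com` is never consulted for the second message, which is exactly why no identifier-sensitive tree walk is needed: the DKIM domain is only ever compared, never looked up.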