Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

Laura Atkins <laura@wordtothewise.com> Wed, 19 April 2023 13:37 UTC


> On 19 Apr 2023, at 14:20, John Levine <johnl@taugh.com> wrote:
> 
> It appears that Jesse Thompson <zjt@fastmail.com> said:
>> 
>> On Mon, Apr 17, 2023, at 8:37 AM, Laura Atkins wrote:
>>> Should the IETF make the interoperability recommendation that SaaS providers who send mail on behalf of companies support
>>> aligned authentication? That means custom SPF domains and custom DKIM signatures.
>>> 
>>> And if they can’t, then do we make a different recommendation regarding spoofed mail that evades a company’s DMARC policy?
>> 
>> +1 to this question. It's entirely unclear to ESPs whether they're allowed to spoof a domain that has no DMARC policy. ESPs
>> can furthermore conclude that Domain Owners who publish p=reject|quarantine are violating DMARCbis, and subsequently the
>> domain's policy declaration is invalid, and can be ignored.
> 
> Please see my previous comment about trying to enumerate every dumb thing people might do.
> 
> I very strenuously do not want us trying to guess how ESPs think nor offering them advice beyond
> the interop advice we offer everyone else.

That was my question: is it an interop issue that ESPs (whether they be your traditional ESP or a SaaS provider that sends mail on behalf of their customers) cannot support custom domains in the SPF and DKIM and thus cannot support DMARC? Many of the current companies have made the decision that supporting DMARC is too hard, and so what they do is use their own domain for DMARC (some publish restrictive policies and some don’t).

> In this specific case, if the company publishes p=reject, and they hire an ESP, and the company
> is too inept to figure out how to let the ESP send aligned mail, well, yeah, then the company's
> actual policy is clearly not their published policy, and the ESP can do whatever it wants.  So
> let's not go there.

To me it’s not so much the company can’t delegate authentication - it’s how many SaaS providers (some of which are ESPs and some of which are 3rd parties that send through ESPs) are incapable of supporting DMARC alignment. Not it’s hard, not it’s challenging, but simply … can’t. They cannot sign with foreign DKIM domains, and they cannot support different domains for SPF authentication. 

Should DMARCbis make the recommendation that if you are providing mail services that you SHOULD be able to support corporate customers using DMARC? 

laura 

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
laura@wordtothewise.com

Email Delivery Blog: http://wordtothewise.com/blog
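As an added illustration of the alignment problem discussed in this message (example code, not part of the thread or any ESP's software): a minimal DMARC identifier-alignment check in the sense of RFC 7489 section 3.1, applied to the cases Laura describes. A provider that signs only with its own DKIM domain and uses its own bounce domain never produces an aligned identifier for the customer's From domain, regardless of the customer's policy. The public-suffix set and all domain names below are constructed placeholders, not the real PSL.

```python
# Added example: DMARC identifier alignment for the "ESP signs with its own domain" case.
# The organizational-domain step is simplified: a tiny constructed suffix set stands in
# for the real Public Suffix List, which a production implementation must consult.

PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}  # constructed, not the real PSL


def organizational_domain(domain: str) -> str:
    """Registrable domain, e.g. bounce.customer.example -> customer.example."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return domain.lower()


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    f, a = from_domain.lower(), auth_domain.lower()
    return f == a if mode == "s" else organizational_domain(f) == organizational_domain(a)


def dmarc_pass(from_domain, spf_domain=None, spf_result="none", dkim_sigs=(), adkim="r", aspf="r"):
    """DMARC passes if at least one authenticated identifier aligns with the RFC5322.From domain.
    spf_domain is the RFC5321.MailFrom domain; dkim_sigs are (d= domain, result) pairs."""
    spf_ok = spf_result == "pass" and spf_domain is not None and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(from_domain, d, adkim) for d, res in dkim_sigs)
    return spf_ok or dkim_ok


def esp_scenarios():
    """Customer publishes DMARC for customer.example; mail is sent through esp.example (constructed names)."""
    return {
        # Provider signs only with its own domain and bounces to its own domain: nothing aligns.
        "esp_own_domain_only": dmarc_pass("customer.example", "bounce.esp.example", "pass",
                                          [("esp.example", "pass")]),
        # Provider supports a customer-delegated DKIM key: the second signature aligns (relaxed).
        "custom_dkim": dmarc_pass("customer.example", "bounce.esp.example", "pass",
                                  [("esp.example", "pass"), ("mail.customer.example", "pass")]),
        # Same delegated signature, but the customer publishes adkim=s: subdomain no longer aligns.
        "custom_dkim_strict": dmarc_pass("customer.example", "bounce.esp.example", "pass",
                                         [("mail.customer.example", "pass")], adkim="s"),
        # Provider supports a customer-owned bounce (SPF) domain instead: SPF aligns (relaxed).
        "custom_spf": dmarc_pass("customer.example", "bounce.customer.example", "pass",
                                 [("esp.example", "pass")]),
    }
```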