IETF Logo Mail Archive

Re: [dmarc-ietf] non-mailing list use case for differing header domains

Jesse Thompson <jesse.thompson@wisc.edu> Thu, 30 July 2020 17:26 UTC

Return-Path: <jesse.thompson@wisc.edu>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34F133A0FDE for <dmarc@ietfa.amsl.com>; Thu, 30 Jul 2020 10:26:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=wisc.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QlJdGi3cgghU for <dmarc@ietfa.amsl.com>; Thu, 30 Jul 2020 10:26:17 -0700 (PDT)
Received: from wmauth4.doit.wisc.edu (wmauth4.doit.wisc.edu [144.92.197.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2147F3A1419 for <dmarc@ietf.org>; Thu, 30 Jul 2020 10:25:00 -0700 (PDT)
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2172.outbound.protection.outlook.com [104.47.59.172]) by smtpauth4.wiscmail.wisc.edu (Oracle Communications Messaging Server 8.0.2.4.20190812 64bit (built Aug 12 2019)) with ESMTPS id <0QEA05HY2LN68320@smtpauth4.wiscmail.wisc.edu> for dmarc@ietf.org; Thu, 30 Jul 2020 12:23:31 -0500 (CDT)
X-Wisc-Env-From-B64: amVzc2UudGhvbXBzb25Ad2lzYy5lZHU=
X-Spam-PmxInfo: Server=avs-4, Version=6.4.7.2805085, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2020.7.30.171818, AntiVirus-Engine: 5.75.0, AntiVirus-Data: 2020.7.23.5750001, SenderIP=[104.47.59.172]
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UDMvHxfUbN9h+ncI1KZZfzPyiNDdgyiTO3/CBlAkvff9fbkHBl01LEq4t4BbDoQrfqVIBNXSxLWH6JSGldJJ0caAmFvDrE9fSKv+b2KD/Bk5hFzdahH89SiUYFJWiv1OzLdCNNjVWs+Fucgjfz9A57WqK/w+u1by4xYd0SOHIgP6FA8rPmz5ql8e2pSYK4obJvEunw+3ZOUxGpEFmk8VKDZPoMrckFonXp+cIEiM48ieV4I8z+fL/LTVg3JUWIXzht93qW39WXhxQjoqnRH7Zh3C5ve3nXxEFLEsYtWSlD6SHFdDlq+dUttM5T4mID94akJAa/Q+hEtY6vpZcj1zSQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CRtWLgzmcU9mpMj4/1PfXDsCzAnjTpvYBwBiy/3j+jg=; b=FFkwDTjtRDP5EtwuXFC0bv8iWqLt5knxvlLeuh4l9epYF1Tap0OAdV918oj9i/WQXa4H64wFXYFwGADn4EKNk8s6CQMFp7N5u3qejzc7s/do3au2twQCOaGhSSDbPnQIu5fUy6Y2xywzvEXnA1T01+m4PgepM1R+PR9BMJ3DCQdah4qgCl96k5rEDMtleAuKN6qwLmcptU7lHXnlx5OSHB++4UtIbs97x3B0LdGKx/ingu+Nu5OQsrTv/j2g8iNbsvHiYAYKKP71JEqsSD0Ys0qzRZsao2NRS1qGXj3z2JEtU20wuttJBRXZ5mg6Xz0ykMO7p+DaXu/T3JsmjhnpCQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=wisc.edu; dmarc=pass action=none header.from=wisc.edu; dkim=pass header.d=wisc.edu; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wisc.edu; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CRtWLgzmcU9mpMj4/1PfXDsCzAnjTpvYBwBiy/3j+jg=; b=ql4/OtWwABTaUf9U2AyWDwi6R/qcp6ZuHjXWD0rfWayA2tslJZ+NsJK6T6TfsGkmDViMZRhx0vRN/rXsLDZlpyUZ4IaSvT2scLS2mNeqMu/+twVc02rKWJTe1YKWn1+MTtDUPdj4tIS9N/mPHrHomhCcQRBbibhuBieXPZfkw7k=
Received: from DM5PR0601MB3671.namprd06.prod.outlook.com (2603:10b6:4:7b::16) by DM6PR06MB3915.namprd06.prod.outlook.com (2603:10b6:5:8e::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3216.21; Thu, 30 Jul 2020 17:23:30 +0000
Received: from DM5PR0601MB3671.namprd06.prod.outlook.com ([fe80::a92c:9a15:1bb0:4bfa]) by DM5PR0601MB3671.namprd06.prod.outlook.com ([fe80::a92c:9a15:1bb0:4bfa%7]) with mapi id 15.20.3216.033; Thu, 30 Jul 2020 17:23:30 +0000
To: dmarc@ietf.org
References: <BY5PR13MB29998094418C8A6C25902569D7730@BY5PR13MB2999.namprd13.prod.outlook.com> <c0361cb2-b25b-5d75-cb1f-f9c87e3ecccc@tana.it> <AE9A3A9F-27FC-4935-B8E6-AB0CE1A6D5E2@wordtothewise.com> <5F204CB3.7080404@isdg.net> <000001d66503$4d447e50$e7cd7af0$@bayviewphysicians.com> <5F21B338.8000700@isdg.net>
From: Jesse Thompson <jesse.thompson@wisc.edu>
Message-id: <542c8309-de14-330a-cfe9-26a03191dc84@wisc.edu>
Date: Thu, 30 Jul 2020 12:23:27 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Thunderbird/80.0a1
In-reply-to: <5F21B338.8000700@isdg.net>
Content-type: text/plain; charset="utf-8"
Content-language: en-US
Content-transfer-encoding: 8bit
X-ClientProxiedBy: CH2PR12CA0010.namprd12.prod.outlook.com (2603:10b6:610:57::20) To DM5PR0601MB3671.namprd06.prod.outlook.com (2603:10b6:4:7b::16)
MIME-version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.0.2.111] (47.12.96.133) by CH2PR12CA0010.namprd12.prod.outlook.com (2603:10b6:610:57::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3239.17 via Frontend Transport; Thu, 30 Jul 2020 17:23:29 +0000
X-Originating-IP: [47.12.96.133]
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 8011511e-5f3a-400a-2ef6-08d834ad471b
X-MS-TrafficTypeDiagnostic: DM6PR06MB3915:
X-Microsoft-Antispam-PRVS: <DM6PR06MB3915C652C528CE203EB8E572F6710@DM6PR06MB3915.namprd06.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: cN3fhnfVJxwz372fyNX9lDttq0R/bN1W72kyEIjiCKAF9pTDsU0Oj9zhjkrNgHao43RMlEK9pg7+JzkGpSEmkwKdf80+h3/8aTlN/+EPpZ8+yZ/SJEaIQIzTj066jCYFZTqwrS6RE/4QIkTBJa749adb/ZnHzcLo6lZKStFaP5/DFUznA/O8yqfS6v90+/V/8wt3a9N3byPvW+yYUC8AZvBf7vQvfuF48VrGVPQEcReUcLO/dVP8ihLnyHJXInPBef+a4umfeR3CneOB3MQUMdaYey/CIJ34duajh2kxqKRIU1nOe6gFn34sxceqr7JeMDxAGaXA30YRf7HZnn4ctW07sTB/mSepoKeNWCM5qPao2m7GRGqJ7QHeFwE9qsiUda+yPNOST5i+pNw46EWXNSCZhDH7cbA+3Y98bTG89l0HmJMy60/SV0L/LcDrjTknKYRAjdKbXrjlUnJY3ThOqWdUuuVYiKcgEMEgtK8StiY=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR0601MB3671.namprd06.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(366004)(346002)(396003)(39860400002)(136003)(376002)(8936002)(75432002)(786003)(16576012)(5660300002)(86362001)(26005)(8676002)(316002)(66946007)(44832011)(66556008)(66476007)(966005)(2616005)(66574015)(83380400001)(6486002)(6916009)(36756003)(16526019)(478600001)(53546011)(956004)(31696002)(2906002)(31686004)(186003)(223123001)(43740500002)(130980200001); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: AtoOy/f7rEL5/obA49P3qP6vp86PSzEOGkjHPKIcYZrbbOOnVP/FgSzs1ZnsG2XzPc1rxioyzfVl4q1GADEfYDsifOWLuokcCAHoR45QfX8sOUf+jqQgMS1jhU/BeIuBvWsb1+qjqTVhQ+k7PyJb2/K5StUIxUYhuOFcc9/IRIsT1FWybD1arsHwnC70uZKVEJ6mZ0UFN4XSkUZco8l7sqj4Au2OYhpxmDnbCrcuVsN/A4p688D6qCIx9WFzp1KmhrgdVN/yLvTlKsUHb+KEf7y+z4vOAYM8S/gRY2i9QNtXJF0pnMMYxUz2J2clsFqCbGVauZFYzrq0D9dPRnavCydzavuYVauPKAljT5H2PRY8L85zun08/cHduiDM8LiyvoBpX6t0elLXpAwnt9EZXZaFsgq6mA3SwUsgDksV7OvLB9mILo6vBQRYUnbJiqlZIRox7njby/B6kFt9tq+IjMjzTCjzfSaMOGhCDU8b9Fg=
X-OriginatorOrg: wisc.edu
X-MS-Exchange-CrossTenant-Network-Message-Id: 8011511e-5f3a-400a-2ef6-08d834ad471b
X-MS-Exchange-CrossTenant-AuthSource: DM5PR0601MB3671.namprd06.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jul 2020 17:23:30.2024 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 2ca68321-0eda-4908-88b2-424a8cb4b0f9
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: A92JtVlsvJ644xIXUu2wc4voZjunevGzC94TC91z+VZU+PWD4ej7RMJZF7oYo+2UWf35OLf/P/ttFSf4jrtBbg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR06MB3915
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/oZ6VkrX5Yi_xONeKNu9j1crN-VI>
Subject: Re: [dmarc-ietf] non-mailing list use case for differing header domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 17:26:20 -0000

On 7/29/20 12:34 PM, Hector Santos wrote:
> On 7/28/2020 1:19 PM, Doug Foster wrote:
>> Hector, I do not understand this comment:
>>
>> "The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party domains. DMARC did not address the problem and reason ADSP was abandoned. Hence the on-going dilemma."
>>
> 
> SSP, ADSP and DMARC are technical specs for a DKIM POLICY Model.
> 
> The problem we have with DMARC was the same with SSP which was replaced by ADSP which attempted to ignore the problem. Generally, as it often done with ambiguous issues in the IETF, we ignore it, we make it out of scope, we keep it open ended, etc.  It just wasn't resolved and ADSP was abandoned but returned as DMARC but it also kept the same 3rd party ignorance as ADSP did.   If this issue is not resolved for DMARC, I see an interesting situation during DMARCBis Last Call explaining how we abandoned ADSP for having problem XYZ and then reintroduced "SUPER ADSP" as DMARC but it still has the problem XYZ.
> 
>> Domains that participate with a mailing list have the option of including the ML servers in their SPF record, or delegating them a DKIM scope and key.    But to obtain that authorization from the sending domain, someone would have to ask for it, and might not receive the desired answer.
>>
>> The goal of this discussion is to find a way to coerce trust.   We do not lack ways to grant trust on request.
> 
> This issue is not about the known, but the unknown. We don't have an issue with proactive authorization and whitelisting methods.
> 
> I've been in this DKIM project for 15+ years, and to me, the goal has also been to find a reasonable, scalable deterministic protocol that will handle unsolicited, unknown 3rd party domain signers. Not necessarily unknown in a bad sense, unknown that you don't know anything about them. So you ask the author, "Hey, is this 3rd party signer ok?"
> 
> SPF allows 3rd party IP declarations.  DKIM POLICY model does not offer this capability.
> 
> We have DKIM Policy extension proposals like ATPS (RFC6541) that offers a deterministic method to associate the author domain with 3rd party signer domains.   This authorization is defined by the Originating, Author Domain.
> 
> Look at my DMARC record for my isdg.net domain:
> 
> v=DMARC1; p=reject; atps=y; rua=mailto:dmarc-rua@isdg.net; ruf=mailto:dmarc-ruf@isdg.net;
> 
> The atps=y tells an ATPS compliant receiver that if it sees a 3rd party domain signature:
> 
>   Author Domain IS NOT EQUAL TO Signer Domain
> 
> Then it can do a ATPS look:
> 
>    base32(sha1(SIGNER-DOMAIN))._atps.isdg.net
> 
> So if I wanted to authorized bayviewphysicians.com to be able to sign for me, I would go to the wizard https://secure.winserver.com/public/wcdmarc,  enter your domain in the list of authorized signers, click Zone Record and I get a record I can add to my isdg.net zone:
> 
> e25dhs2vmyjf2tc2df4efpeu7js7hbik._atps  TXT ("v=atps01; d=bayviewphysicians.com;")
> 
> So anyone out there can see that I authorized bayviewphysicians.com to sign for isdg.net
> 
> It is really sample.
> 
> Whether we can "coerce" receivers to honor any of this is a different situation.  In general, all you can do create a PROTOCOL that makes good engineering sense and usable by the IETF community. If not, then generally systems will ignore it.

I admittedly know nothing about ATPS, but I think its fundamental problem is that it authorizes 3rd parties at the domain level and that makes it not much better than SPF, just different.  

Email domains that have more than a few users don't want to authorize every potential 3rd party (converges quickly to all of them, for large/complex organizations) to sign as every user/address in the domain.  Even if SPF didn't have the 10 DNS lookup limitation, I would not choose put every 3rd party into our domains' SPF records.  I'd essentially be authorizing most of the [legitimate] internet to use the domains.

Ironically, you'll notice some domains actually doing this via SPF record flattening and macros specifically because they do not even want to attempt to solve the 3rd party authorization problem (look at umich.edu).

On the other hand, something like ATPS might be a partial solution for the MLM header munging problem, at least for intra-organizational email leveraging 3rd party platforms.  e.g. If I authorize only mlm.wisc.edu (and not every subdomain, so aspf=r is not an option) to send as wisc.edu (and potentially all of our ~480 domains which aren't all subdomains of wisc.edu), then the MLM platform should know that it doesn't need to rewrite the From header for messages from users in those domains.

It's kind of the inverse of the ARC dillemma.  ARC is missing a mechanism to tell an Intermediary if it will be safe to *not* rewrite the From header, and the lack of having a mechanism to convey historical or intended trust means that Intermediaries will always need to munge all email, by default.

Jesse

v2.23.0 | Report a Bug | By Email