[dmarc-ietf] WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
Seth Blank <seth@valimail.com> Sat, 30 March 2024 20:05 UTC
Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3AA9C14F60F for <dmarc@ietfa.amsl.com>; Sat, 30 Mar 2024 13:05:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ygIGicm-HCkF for <dmarc@ietfa.amsl.com>; Sat, 30 Mar 2024 13:05:30 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF80BC14F60C for <dmarc@ietf.org>; Sat, 30 Mar 2024 13:05:29 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id d9443c01a7336-1e0bfc42783so24591955ad.0 for <dmarc@ietf.org>; Sat, 30 Mar 2024 13:05:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1711829129; x=1712433929; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=rftRvX4PZh37L83Pxl2SrgDUzka7GUSWCu7CLHNG760=; b=F4hOEYbuO6QXze4uhbGzUZ7HXv1XviRAr/3VDP2vfGgafswOPj0yO5MYOtM4ddzWVi avRWjNIyLz8P28+0XQDKcw/Gc8Plys0srhWpbtUrQvoN3LWKwfFNvTuznNJzJKcP1+IB TcGPFDReTD8ChRcftaaxG//5RaJ0LJyGV/+Y1z8Gna8Q2AZ9QAdxzUMhH7T1U/0jztdM Cag7O/wyzIw9fKGSunBHQfWldTlnOAec4lOMVZj6H/BeFczACpKHWq6XlNKjxqMgVXrG Lw6SNx2q+ormMo2CvyhhUbQfhrIGWZnO1VwVLJSv2ArdHAkiVod52jcBbt6xaLYhJ54G JoLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711829129; x=1712433929; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=rftRvX4PZh37L83Pxl2SrgDUzka7GUSWCu7CLHNG760=; b=s1imXrw1hlK6/+HqZW79wm0dSRrbh3l+b8FpdIbzIfC2g02ezBEm5p8hib0WSuvgIh xC0Wg2OPC6gdGt4UJTsFBnyjm3KqeNLXeeIB6wgwuvwutnzxQ2ZE42/PwgLmvC+tGEg2 TOZS9xtI4er6GA/IXyFaMiQTdIuNqEsLWC/R1YxxEXKfBLvFF4JkI+WwQVpVST2Dr3eN 4JuLFltsax9pq2AXaVKMun1XKz0k3N1CKkVhuhigof4qGuRtozinIVvGu1wzPJ4Kp2qs Q3Ys2g2CLya1f5An2CxaNcl2t65nKFjiEjFRtiFu/idJVjqTL4K9zCkroA5Eom3OWpMb BkIA==
X-Gm-Message-State: AOJu0Yw2ObZr4zoGg6FMCEOGPxLQ/TcwldBddJC+bkp72/Kt50ElLDxJ F83OVJDsAIDN/caf7FhowGf296I9Mcdy3Pg8mfzIJDuoW3xuH+AJ02qtrePUY8UG5TVQcBbob1t QR1bHYcFGDn2d1S0bD2/PMONfeGsPl8Nxhy9XPLzu3HA3cpAxnFQ=
X-Google-Smtp-Source: AGHT+IGQq7oBybtUZnI5yTqL7G0SfAOFiuS8x8YwFZkWjGWRLpH/P8m903jVQWZdLA3346fL/+Sr/HiabFmKIX4ex0s=
X-Received: by 2002:a05:6a20:7484:b0:1a7:1c7:69e6 with SMTP id p4-20020a056a20748400b001a701c769e6mr4007080pzd.6.1711829128468; Sat, 30 Mar 2024 13:05:28 -0700 (PDT)
MIME-Version: 1.0
From: Seth Blank <seth@valimail.com>
Date: Sat, 30 Mar 2024 16:05:17 -0400
Message-ID: <CAOZAAfPwJHKGyLjTkdGDqkMeK4RQX4Fj0rw-Upn0cLZ+cE74aA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001e7b390614e6472a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/p9Ll1zkx-wn2LEZ5zoQDoVyDQoE>
Subject: [dmarc-ietf] WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Mar 2024 20:05:34 -0000
As an individual, below are my comments and nits. Top line: 1. The document needs to consistently use "verification" "validation" or "authentication" -- 7489 used "validation" in its abstract, and I'd recommend we stick with that. 2. The abstract, introduction section 2.2 still needs to be tightened up after the rest of the document settles. In particular, alignment is the most critical component of DMARC, and it is not mentioned in the abstract. The introduction and anti-phishing (2.2) sections can be made much tighter and to the point, and with fewer subjective parantheticals. I'm happy to propose text here once the rest of the document is settled. 3. Domain Owner Actions section needs cleanup; notes below. I'm also willing to propose text for this. 4. Consistency and definition of terms: In general, terms should be defined before they're used. Probably because some of the document has been reordered, there are several places that begin text without properly referencing or defining terms. For example, the term "target domain" appears three times in the document but is never defined. Is this an accidental shorthand for Author Domain? Something else? There are a bunch of throw away terms like "DMARC-Compliant" which are only used once. Can we get rid of these and use simple descriptive language like "Receiving mail systems that properly evaluate DMARC"? 5. To channel Crocker: always "header field" never just "header" Specific nits: Section 1: Introduction: "As with SPF and DKIM, DMARC reports results as "pass" or "fail"." is confusing to someone expecting the introduction to cover reporting. Clearer would be "As with SPF and DKIM, DMARC validation results in a "pass" or "fail" verdict." The introduction should also more clearly and simply call out that DMARC is about Aligned Authentication, Reporting, and Policy Conformance and how they interrelate in one place, before describing them separately. I have many other concerns/recommendations in this section, but will provide text separately. Section 4:2: Use of RFC5322.From: Is it also worth it to call out that time and operational impact have proven this to be the right choice? Section 4.4: Identifier Alignment Explained: Both relaxed and strict alignment are defined in the midst of paragraphs in this section, but have no section headings nor earlier high level definitions in 3.2. As they're such core concepts, this feels lacking. Section 4.4.1 and 4.4.2: Naive question: Both sections call out requiring the aligned identifier to be an FQDN. Is this sufficient with the extension of DMARC to PSDs? Would this mean that .google can never be a source of authenticated mail? Is that desirable? Do we want to remove the reference to FQDN and say that an aligned identifier must be at or below a valid Organizational Domain? Section 4.6: DNS Tree Walk: The text is correct, but N is wrong. I've shared my notes with this list but we never reached consensus: https://mailarchive.ietf.org/arch/msg/dmarc/GoExCeJYWhxnvH8lwjbr7nAcFh4/ tl;dr: N of 5 works for *org domain discovery* but falls short *policy/reporting* discovery. The algorithm can stay the same, but N needs to be increased and the text to match. I *strongly* believe that N needs to be 8 to meet operational use cases we see today, and may still fall short in the future as this use case is unlocked by the tree walk. Section 4.7: Policy Discovery: The policy discovery that covers p=, sp=, and np= is technically correct, but confusing to parse. I'd recommend this be a clear algorithm like the preceding tree walk and the following org domain discovery. Section 4.8: Organizational Domain Discovery: The algorithm (step 2) that covers the psd=y case could use an example. "One label below" is technically correct, but anyone not intimately familiar with DNS terminology might make a mistake, so a precise example would help. Section 5.3: General Record Format: Shouldn't the RUF options be defined in the RUF document, as opposed to the primary bis document? psd: "n: The DMARC policy record is published for a PSD, but it is the Organizational Domain for itself and its subdomain." -> "subdomains." Section 5.5. Domain Owner Actions This section makes sense piecemeal, but doesn't quite work as a whole. The text in 5.5, 5.5.1, and 5.5.2 should be reordered a touch and cleaned up. Explanation for both SPF and DKIM is in the SPF section, and the DKIM section covers too much about SPF. Also, the "SHOULD first ensure SPF and DKIM" in 5.5.1. seems strange, as there's no way to do this prior to section 5.5.4. I would argue the 5.5.1 and 5.5.2 should be moved after 5.5.4. There also appears to be a missing section between sections 5.5.5. and 5.5.6. which should be "remediate unaligned or unauthenticated mail streams" i.e. use the output from collecting and analyzing reports to actually make sure all your mail flow is properly authenticated, ideally with both SPF and DKIM, with at least one aligned. Section 5.5.6. Decide Whether to Update DMARC Policy: The final paragraph mentions "deliverability" which I do not think is appropriate for this document. It is also worth calling out here the interoperability challenges of NOT sending aligned mail that is capable of receiving an aligned pass, as this mail is increasingly likely to get rejected regardless of what policy you publish. Section: 5.7.2. Determine Handling Policy I know we say the steps MAY be done in parallel, but even so shouldn't step 4 (SPF) come before step 3 (DKIM)? In practice, SPF was designed to be validated as early in the mail flow as possible (during 5321), and this could be an unintended normative change to SPF in a DMARC context by requiring evaluation after DKIM can validate 5322. The penultimate paragraph also exposes a nasty security consideration. If an attacker can get SPF and DKIM responses to return temperrors, then DMARC evaluation will fail and advertised policy will not be applied. This doesn't seem desirable. If there's a policy that is not none, and SPF and DKIM can't pass, why wouldn't the policy get applied? Section 7.6: Expansion of Domain Owner Actions Section Already covered by Todd, but this should be SHOULD NOT, not MUST NOT. Section 8.1. Issues Specific to SPF: This is a real operational problem, so I wanted to expand guidance. The note about best practice may or may not be appropriate here, but I think it works. There are multiple M3AAWG documents which cover this use case, and we can also link them if valuable. OLD: Some Mail Receiver architectures might implement SPF in advance of any DMARC operations. This means that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Operators choosing to use "-all" should be aware of this. NEW: Some Mail Receiver architectures implement SPF in advance of any DMARC operations. This means that an SPF hard fail ("-") prefix on a sender's SPF mechanism, such as "-all", could cause that rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place, and DKIM has a chance to validate the message instead of SPF. Operators choosing to use "-all" to terminate SPF records should be aware of this. Since DMARC only relies on an SPF pass, all failures are treated equally. Therefore, it is considered best practice when using SPF in a DMARC context for domains that send email to end records with a soft fail ("~" / "~all"). Section 10.2. Failure Report Considerations: Add a preceding sentence before "out of band" that says "Due to the nature of the email contents which may be shared through Failure Reports, most major receivers refuse to send these reports on privacy grounds." Section 11.4: Display Name Attacks: This feels out of place. Even though it's mentioned as a different problem, this is a lot of content irrelevant to the spec itself. Do we need it at all outside the second paragraph? -- Seth Blank | Chief Technology Officer Email: seth@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- [dmarc-ietf] WGLC editorial review of draft-ietf-… Seth Blank
- Re: [dmarc-ietf] WGLC editorial review of draft-i… John Levine
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Seth Blank
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Douglas Foster
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Mark Alley
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… John Levine
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Seth Blank
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Murray S. Kucherawy
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Murray S. Kucherawy
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Murray S. Kucherawy
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Richard Clayton
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Seth Blank
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Tero Kivinen
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Brotman, Alex
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Dotzero
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Tim Wicinski
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Todd Herr
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Tim Wicinski
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Jim Fenton
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Brotman, Alex
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Todd Herr
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Murray S. Kucherawy
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… John Levine
- Re: [dmarc-ietf] ARC, was WGLC editorial review o… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Tim Wicinski
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Laura Atkins
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Dotzero
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Scott Kitterman
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Scott Kitterman
- Re: [dmarc-ietf] the long march, WGLC editorial r… John R. Levine
- Re: [dmarc-ietf] the long march, WGLC editorial r… Scott Kitterman
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Neil Anuskiewicz
- Re: [dmarc-ietf] the long march, WGLC editorial r… Murray S. Kucherawy
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N Alessandro Vesely
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Todd Herr
- Re: [dmarc-ietf] Thoughts on choosing N Murray S. Kucherawy
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N (choose 6) Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N Todd Herr
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Todd Herr
- Re: [dmarc-ietf] Thoughts on choosing N Alessandro Vesely
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Neil Anuskiewicz
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N Alessandro Vesely