[dmarc-ietf] Guidance around constructing an AAR when multiple AR headers are present?

Seth Blank <seth@valimail.com> Wed, 24 May 2017 18:29 UTC

Message-ID: <CAOZAAfOsRrQF2M3NzcB3h2Tc03mtFfG8mOJ0pqU+_cx=whcBLQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/pfY5TGTmc8sR7YpN-a04HCpSHQA>

Under both the current spec
(https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-03#section-5.1.3)
and the proposed spec
(http://blackops.org/~msk/draft-kucherawy-dmarc-arc-base.txt section 5.2),
an ARC Set [i] can have only a single AAR header.

It is clear how to construct an AAR when there are 0 or 1
Authentication-Results headers from the current ADMD.

Per spec it is ambiguous how to construct the AAR when there are multiple
AR headers.

Looking at random messages on this list, I've seen anywhere from two to
five AR headers per message. Locally, with opendkim and opendmarc running,
there are three locally generated AR headers that get passed to openarc. It
looks like seeing multiple AR headers is going to be a common occurrence
for ARC implementations to handle.

When there are multiple headers, the current openarc implementation just
uses the first AR header it sees and ignores the rest. Dkimpy leaves it to
the user to pass in the appropriate AR header as a parameter.

If the goal of the AAR is to provide a copy of ADMD authentication results
so that the originating DMARC disposition of a message can be determined
and trace information can be provided to the final receiver, then it seems
like:
1) there needs to be a discussion on how to handle multiple AR headers
2) this guidance is needed in spec

Is this a problem the group thinks needs discussion?

-- 

Bringing Trust to Email

Seth Blank | Head of Product for Open Source and Protocols
seth@valimail.com
+1-415-894-2724
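
The choice raised in the message above, as an added example (not part of the original post, and not code from openarc, dkimpy or either draft): it builds a single AAR from several Authentication-Results headers, either keeping only the first local header or merging every header that carries the local authserv-id. The merge is one possible resolution, not something the cited specs mandate; `split_ar`, `build_aar`, the host names and the sample headers are all constructed for illustration.

```python
# Constructed sample: AR header values as a sealer might see them, newest first.
SAMPLE_AR = [
    "mx.example.org; dmarc=pass header.from=example.com",
    "mx.example.org; dkim=pass (2048-bit key; secure) header.d=example.com",
    "mx.example.org;\r\n\tspf=pass smtp.mailfrom=example.com",
    "upstream.example.net; dkim=fail header.d=example.com",  # another ADMD
]

def split_ar(value):
    """Return (authserv-id, [resinfo, ...]) for one AR header value."""
    parts, buf, depth, quoted = [], [], 0, False
    for ch in " ".join(value.split()):          # unfold and collapse whitespace
        if ch == '"' and depth == 0:
            quoted = not quoted
        elif ch == "(" and not quoted:
            depth += 1
        elif ch == ")" and not quoted and depth:
            depth -= 1
        if ch == ";" and not quoted and depth == 0:
            parts.append("".join(buf).strip())  # ';' outside comment/quote ends a field
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    head = parts[0].split()                     # authserv-id, optional version
    authserv_id = head[0].lower() if head else ""
    return authserv_id, [p for p in parts[1:] if p and p.lower() != "none"]

def build_aar(instance, ar_values, authserv_id, merge=True):
    """Build one AAR for ARC Set `instance` from this ADMD's AR headers.

    merge=False keeps only the first local header (the first-header-only
    behaviour the post describes); merge=True combines every local header.
    Headers with a different authserv-id are never copied.
    """
    results = []
    for value in ar_values:
        ident, resinfo = split_ar(value)
        if ident != authserv_id.lower():
            continue
        for r in resinfo:
            if r not in results:                # drop exact duplicate results
                results.append(r)
        if not merge:
            break
    body = "; ".join(results) if results else "none"
    return f"ARC-Authentication-Results: i={instance}; {authserv_id}; {body}"
```

With the sample input, the first-header-only mode records just the DMARC result and loses the SPF and DKIM results that a later receiver would need as trace information.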