IETF Logo Mail Archive

Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-failure-reporting-04.txt

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 18 August 2022 16:40 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 142B6C1522D0 for <dmarc@ietfa.amsl.com>; Thu, 18 Aug 2022 09:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ul90WdpWdss3 for <dmarc@ietfa.amsl.com>; Thu, 18 Aug 2022 09:40:46 -0700 (PDT)
Received: from mail-oa1-x32.google.com (mail-oa1-x32.google.com [IPv6:2001:4860:4864:20::32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A5FCC14CE20 for <dmarc@ietf.org>; Thu, 18 Aug 2022 09:40:46 -0700 (PDT)
Received: by mail-oa1-x32.google.com with SMTP id 586e51a60fabf-10ec41637b3so2403108fac.4 for <dmarc@ietf.org>; Thu, 18 Aug 2022 09:40:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=bVt62eqsn8hKoIPWapoetBHZsyxbaFk6wjQQkyX/k54=; b=CCWxK7D17/wEn6Pf/FhZ/nCNgmzwNAmxoif8OcJDSAZbGuwPr6J7xZcwm+ph5AkQIg TyUwp8FAaUeGeIFDS0qL9czZjAX0huo3ozpmc/W/NwwmSiPzLnFjL00woxvyP1k/p9yX 4v7Stwq/nVa7i5o98LRQIWO0QHaNoAPqwiwccTc7xdI0YNeY483cjVFIdPIL+TU71pxx 5kNaC5CSZbgBrhJukdTIjmOVFRK2V2nzjZdF5q/mok9cFFNj2C4djec+ks77PrALts35 BbWYw9lX4XpAzFWcwKhXFEvm+6oJ3DD02CRYhUwQYfP8zko9hMXh76MehaFG7Kk3+z/v 9wrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=bVt62eqsn8hKoIPWapoetBHZsyxbaFk6wjQQkyX/k54=; b=1sfRqhNJmUXKVrHhmRQIuBymbLIIYeEs/eKF9YYpsWcaH7YTYmaAqKFrmmT51YL7in vcL/wqdWZUhDPZDxJCMvHdwnnC5pldeRxUHVHxMQ+AIiRRO00KqnFGd+t7BCBrychd4z G5haXcGUWTCMisfc7iRoDjqPvE3a3uzi4Q0fTuxzvFpMG1AXaJ57jC6fWLbKGz2iNhPT /uOG7qsDcYtYKt4gV+5bmj15W/AI2v8JNG9eft6U383mWPyzkeolrVAbOat0AAgOqBX3 v/yy27vMug75ltRESfLfDdVseKlbI2kZgdFEAX1K/Cd8aPY5OExvyyyC3qlmIVcntyP7 HrfA==
X-Gm-Message-State: ACgBeo0LgVUyqzeRIe5Zj9WqU5JTKPtSTsvoLmIrkeSTpDaLi2ElH8V5 DaH7qGE7LPvqgE6wkTHoSTiP35sY96sN2dX/qcUdQaCa
X-Google-Smtp-Source: AA6agR7QO9kM6cH689FrhXQC3ttrVRMpwFcCZaheTrNJifHNbT2WBVLwvagb+Kep1yYpB1UhuX8FuQFWX8C/Fli79VU=
X-Received: by 2002:a05:6870:f613:b0:10e:62b:1556 with SMTP id ek19-20020a056870f61300b0010e062b1556mr1821412oab.51.1660840844856; Thu, 18 Aug 2022 09:40:44 -0700 (PDT)
MIME-Version: 1.0
References: <20220817151234.7C48547E2C1D@ary.local> <2865425.PqQoGlAqvt@zini-1880>
In-Reply-To: <2865425.PqQoGlAqvt@zini-1880>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 18 Aug 2022 12:40:33 -0400
Message-ID: <CAH48ZfxHj9-wbW7Eyo7O-jSGWB+A17dh7LbgzoMR+CovvoVH0A@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009626da05e686a4bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rIkzkpVCy_Y7TBjLzWX5xhHh-Y0>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-failure-reporting-04.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2022 16:40:50 -0000

If RFC7591bis is attempted, I suggest that we need result types for
authenticated reception, such as
- SMTP Auth of Mailfrom address
- SMTP Auth of server using an address other than MailFrom
- SMTP whitelist of server IP
- Trusted server via VPN Tunnel

The particular concern relates to outbound filtering and relay services.
 Those vendors have some mechanism for distinguishing clients from
non-clients, and clients from each other.  That mechanism has to involve
more than SPF and DKIM.
Lacking an alternative way to document trust, I noticed a Microsoft server
using ARC to assert DMARC PASS on a message for which it was never more
than a relay agent on behalf of the originating domain.

DF

On Thu, Aug 18, 2022, 11:08 AM Scott Kitterman <sklist@kitterman.com> wrote:

> On Wednesday, August 17, 2022 11:12:32 AM EDT John Levine wrote:
> > It appears that Alessandro Vesely  <vesely@tana.it> said:
> > >> There is also an HTML version available at:
> > >>
> https://www.ietf.org/archive/id/draft-ietf-dmarc-failure-reporting-04.htm
> > >> l
> > >
> > >This version requires some revision/ discussion by the WG.
> > >
> > >In particular, IANA considerations has two subsections which may neew
> the
> > >chairs approval.
> >
> > I see no need to invent new IANA registries and oppose the proposed
> > registries.
> >
> > It redefines the SPF-DNS report item defined in RFC 6591 in a way that is
> > neither forward nor backward compatible.  I oppose this change.
> >
> > >The concept of debug messages might be dropped or expanded.
> >
> > I see no basis for this change either,
>
> I have similar concerns.  Thoughts on the changes in this revision:
>
> I think adding the reference to Section 3.2 about external destination
> verification is good.
>
> RFC 9091 says, "PSD DMARC feedback MUST be limited to Aggregate Reports."
> I
> think that should be carried forward and so the SHOULD NOT consider RUF=
> tags
> should be MUST NOT and the bit after the comma (unless there are ...)
> needs to
> be deleted.
>
> I agree that 'aggregation techniques' should be changed since there's no
> aggregation involved.  I don't love 'pruning', but I think it's better.
>
> I think the changes in the techniques list is problematic.  I don't see
> why
> sending a report to only the first recipient was dropped.  I don't think
> it's
> appropriate to specify only sending debugging messages when there's no
> mechanism for identifying such messages.  In any case, that's more of a
> privacy risk mitigation strategy than a denial of service mitigation.
> Generally for denial of service mitigation during normal operations,
> debugging
> would be one of the first things to go.
>
> In 3.1 (1) I do not agree with the change to only require DKIM/SPF related
> fields on failure instead of when the message was signed by DKIM or has an
> SPF
> result.  In the case of partial failures, the information is useful.
> Additionally, the limitation to aligned failures further excludes useful
> information.  The change in 3.1 (2) is also problematic as it is
> predicated on
> the changes in 3.1 (1).
>
> I think redefining SPF-DNS is a horrible idea.  I agree that, in theory,
> the
> txt/spf distinction is no longer needed, this would complicate receive
> processing substantially (would need to be able to distinguish between the
> to
> field formats and to process both) for the very negligible benefit of
> saving a
> few bits on the wire.
>
> I think the 3.2 change to more fully describe the conditions for the
> external
> destination verification method is a good one.
>
> For IANA considerations, I think updating the reference for
> Identity-Alignment
> to this document is correct.  I don't understand the need for a new
> Authentication Failure Types registry.  To the extent it may be a good
> idea, I
> think this is the wrong place to do it.  This kind of issue should be
> addressed by any RFC6591bis effort that may be done at some point in the
> future.
>
> Related to the failure reporting discussion for PSDs above, the Privacy
> Considerations section of this draft needs to document the information
> leakage
> potential associated with failure reporting based on PSD records (which is
> why
> it needs to be a MUST NOT).
>
> Scott K
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email