Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-failure-reporting-04.txt
Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 18 August 2022 16:40 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 142B6C1522D0 for <dmarc@ietfa.amsl.com>; Thu, 18 Aug 2022 09:40:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ul90WdpWdss3 for <dmarc@ietfa.amsl.com>; Thu, 18 Aug 2022 09:40:46 -0700 (PDT)
Received: from mail-oa1-x32.google.com (mail-oa1-x32.google.com [IPv6:2001:4860:4864:20::32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A5FCC14CE20 for <dmarc@ietf.org>; Thu, 18 Aug 2022 09:40:46 -0700 (PDT)
Received: by mail-oa1-x32.google.com with SMTP id 586e51a60fabf-10ec41637b3so2403108fac.4 for <dmarc@ietf.org>; Thu, 18 Aug 2022 09:40:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=bVt62eqsn8hKoIPWapoetBHZsyxbaFk6wjQQkyX/k54=; b=CCWxK7D17/wEn6Pf/FhZ/nCNgmzwNAmxoif8OcJDSAZbGuwPr6J7xZcwm+ph5AkQIg TyUwp8FAaUeGeIFDS0qL9czZjAX0huo3ozpmc/W/NwwmSiPzLnFjL00woxvyP1k/p9yX 4v7Stwq/nVa7i5o98LRQIWO0QHaNoAPqwiwccTc7xdI0YNeY483cjVFIdPIL+TU71pxx 5kNaC5CSZbgBrhJukdTIjmOVFRK2V2nzjZdF5q/mok9cFFNj2C4djec+ks77PrALts35 BbWYw9lX4XpAzFWcwKhXFEvm+6oJ3DD02CRYhUwQYfP8zko9hMXh76MehaFG7Kk3+z/v 9wrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=bVt62eqsn8hKoIPWapoetBHZsyxbaFk6wjQQkyX/k54=; b=1sfRqhNJmUXKVrHhmRQIuBymbLIIYeEs/eKF9YYpsWcaH7YTYmaAqKFrmmT51YL7in vcL/wqdWZUhDPZDxJCMvHdwnnC5pldeRxUHVHxMQ+AIiRRO00KqnFGd+t7BCBrychd4z G5haXcGUWTCMisfc7iRoDjqPvE3a3uzi4Q0fTuxzvFpMG1AXaJ57jC6fWLbKGz2iNhPT /uOG7qsDcYtYKt4gV+5bmj15W/AI2v8JNG9eft6U383mWPyzkeolrVAbOat0AAgOqBX3 v/yy27vMug75ltRESfLfDdVseKlbI2kZgdFEAX1K/Cd8aPY5OExvyyyC3qlmIVcntyP7 HrfA==
X-Gm-Message-State: ACgBeo0LgVUyqzeRIe5Zj9WqU5JTKPtSTsvoLmIrkeSTpDaLi2ElH8V5 DaH7qGE7LPvqgE6wkTHoSTiP35sY96sN2dX/qcUdQaCa
X-Google-Smtp-Source: AA6agR7QO9kM6cH689FrhXQC3ttrVRMpwFcCZaheTrNJifHNbT2WBVLwvagb+Kep1yYpB1UhuX8FuQFWX8C/Fli79VU=
X-Received: by 2002:a05:6870:f613:b0:10e:62b:1556 with SMTP id ek19-20020a056870f61300b0010e062b1556mr1821412oab.51.1660840844856; Thu, 18 Aug 2022 09:40:44 -0700 (PDT)
MIME-Version: 1.0
References: <20220817151234.7C48547E2C1D@ary.local> <2865425.PqQoGlAqvt@zini-1880>
In-Reply-To: <2865425.PqQoGlAqvt@zini-1880>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 18 Aug 2022 12:40:33 -0400
Message-ID: <CAH48ZfxHj9-wbW7Eyo7O-jSGWB+A17dh7LbgzoMR+CovvoVH0A@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009626da05e686a4bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rIkzkpVCy_Y7TBjLzWX5xhHh-Y0>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-failure-reporting-04.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2022 16:40:50 -0000
If RFC7591bis is attempted, I suggest that we need result types for authenticated reception, such as - SMTP Auth of Mailfrom address - SMTP Auth of server using an address other than MailFrom - SMTP whitelist of server IP - Trusted server via VPN Tunnel The particular concern relates to outbound filtering and relay services. Those vendors have some mechanism for distinguishing clients from non-clients, and clients from each other. That mechanism has to involve more than SPF and DKIM. Lacking an alternative way to document trust, I noticed a Microsoft server using ARC to assert DMARC PASS on a message for which it was never more than a relay agent on behalf of the originating domain. DF On Thu, Aug 18, 2022, 11:08 AM Scott Kitterman <sklist@kitterman.com> wrote: > On Wednesday, August 17, 2022 11:12:32 AM EDT John Levine wrote: > > It appears that Alessandro Vesely <vesely@tana.it> said: > > >> There is also an HTML version available at: > > >> > https://www.ietf.org/archive/id/draft-ietf-dmarc-failure-reporting-04.htm > > >> l > > > > > >This version requires some revision/ discussion by the WG. > > > > > >In particular, IANA considerations has two subsections which may neew > the > > >chairs approval. > > > > I see no need to invent new IANA registries and oppose the proposed > > registries. > > > > It redefines the SPF-DNS report item defined in RFC 6591 in a way that is > > neither forward nor backward compatible. I oppose this change. > > > > >The concept of debug messages might be dropped or expanded. > > > > I see no basis for this change either, > > I have similar concerns. Thoughts on the changes in this revision: > > I think adding the reference to Section 3.2 about external destination > verification is good. > > RFC 9091 says, "PSD DMARC feedback MUST be limited to Aggregate Reports." > I > think that should be carried forward and so the SHOULD NOT consider RUF= > tags > should be MUST NOT and the bit after the comma (unless there are ...) > needs to > be deleted. > > I agree that 'aggregation techniques' should be changed since there's no > aggregation involved. I don't love 'pruning', but I think it's better. > > I think the changes in the techniques list is problematic. I don't see > why > sending a report to only the first recipient was dropped. I don't think > it's > appropriate to specify only sending debugging messages when there's no > mechanism for identifying such messages. In any case, that's more of a > privacy risk mitigation strategy than a denial of service mitigation. > Generally for denial of service mitigation during normal operations, > debugging > would be one of the first things to go. > > In 3.1 (1) I do not agree with the change to only require DKIM/SPF related > fields on failure instead of when the message was signed by DKIM or has an > SPF > result. In the case of partial failures, the information is useful. > Additionally, the limitation to aligned failures further excludes useful > information. The change in 3.1 (2) is also problematic as it is > predicated on > the changes in 3.1 (1). > > I think redefining SPF-DNS is a horrible idea. I agree that, in theory, > the > txt/spf distinction is no longer needed, this would complicate receive > processing substantially (would need to be able to distinguish between the > to > field formats and to process both) for the very negligible benefit of > saving a > few bits on the wire. > > I think the 3.2 change to more fully describe the conditions for the > external > destination verification method is a good one. > > For IANA considerations, I think updating the reference for > Identity-Alignment > to this document is correct. I don't understand the need for a new > Authentication Failure Types registry. To the extent it may be a good > idea, I > think this is the wrong place to do it. This kind of issue should be > addressed by any RFC6591bis effort that may be done at some point in the > future. > > Related to the failure reporting discussion for PSDs above, the Privacy > Considerations section of this draft needs to document the information > leakage > potential associated with failure reporting based on PSD records (which is > why > it needs to be a MUST NOT). > > Scott K > > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] I-D Action: draft-ietf-dmarc-failure… internet-drafts
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Alessandro Vesely
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… John Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Murray S. Kucherawy
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… John Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Murray S. Kucherawy
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Alessandro Vesely
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… John R Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Todd Herr
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Scott Kitterman
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Douglas Foster
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Alessandro Vesely
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Alessandro Vesely
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… John R. Levine
- Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-fai… Alessandro Vesely
- Re: [dmarc-ietf] now with marldownI-D Action: dra… John R. Levine