[dmarc-ietf] DMARC exceptions
Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 15 March 2024 05:47 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6972FC14F6B5 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 22:47:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mi4xHSQ54Gjx for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 22:47:07 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98671C14F6B3 for <dmarc@ietf.org>; Thu, 14 Mar 2024 22:47:07 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id 38308e7fff4ca-2d28051376eso21873191fa.0 for <dmarc@ietf.org>; Thu, 14 Mar 2024 22:47:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710481624; x=1711086424; darn=ietf.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=bBPAYr16Crgxm/S2JRlyiQo6aoEmPIHJOBtYBTkA1HY=; b=S1iCmBPnik6cYXcQaGVSbNo/1chivVE3qGggt/Ao1KjNi/2CkbpB5ubcAfV5KmzWb2 zn3axBpD9apiBuR25sEF6ojQrg5GSzhgjIhdAnIVvp0ZFtTtTuQsfTd20YiTvQKzsBWA kqJHCuNkct6+DrfuydHox/LY00ApNT1/w2fdeWkpuniCU8xKJrUQlvjm6SjR+oBRaeQs xriDSk8MYlEOnlV0UK9EZt5vWOBTlRnOz4W1JT8m32wKjCWxUYxP4Pvpuu5VGOghMUhc rKlKZDPXXEBWgqsgzKfWYaXj1egUJ/AAiFhDyhlOjT7mOML33CAujVuP9GC4nJN5RZA4 Xdbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710481624; x=1711086424; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=bBPAYr16Crgxm/S2JRlyiQo6aoEmPIHJOBtYBTkA1HY=; b=Vm9F3nzye6aHS+t3tPmCQfY3pyZW9uiI3mG2BaX5W6ZaYoJF10vUYxtFo+u4oGUNot o/3BtLtMoqsJJrJyXN62ShDBkNZYuOkuN9sfl4wwam5sXIoAScJEL6mmgXduIGMd/sx6 uvB1GtT6rcL4nEsS7suvHwqq1g89/QQr2VZS9N/vviONkSj5Q+6SC7orsfET6z3zGaMF +y0DjUyBxXZ8pjJ4JG2fWzZN9vQDwbEyNChbTRDnHgPdu37sTTJ+GqJv0d5rxum62Ee6 CfbSrGoOvDW0/yF0AVOjs94kIzirk9nncVqUFRXsZglUoN/hzUnCB2Qp1uEJrgFID0N7 kSfQ==
X-Gm-Message-State: AOJu0YwxDZKLbJCGMKWji+GKh9PsOtN18dlwTfrAljs5tH7SNJyih3jI KB5FJV1Sa5cyam6ZVEyV+x6bjYHUNNnHxbQfqBEpIKXJyS3K/cD1kc/mNvA1HBdcwz8/0u1f/sV I32TNLaA6ewmkhG9MuGRqOgSDGCUm/SRzOXw=
X-Google-Smtp-Source: AGHT+IENJGglYRHGuCoCPbB7aWR/zE9Clf5qFHwXnhkmFQKwSX4AFB288fdfNHQultUJCacKANYDxZhl/RZotqWKzJA=
X-Received: by 2002:a2e:9894:0:b0:2d4:7232:4597 with SMTP id b20-20020a2e9894000000b002d472324597mr1626596ljj.48.1710481624245; Thu, 14 Mar 2024 22:47:04 -0700 (PDT)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 15 Mar 2024 01:46:53 -0400
Message-ID: <CAH48ZfygJ8zQfGWRnnsQ_XpSSpyUu1ZFeAaYgY6CCtdNdewETg@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009badd50613ac89e7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rOZjZGHYpAKzqeGCiIUay9lg6Ng>
Subject: [dmarc-ietf] DMARC exceptions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2024 05:47:08 -0000
DMARC is an imperfect tool, as evidenced by the mailing list problem, among others. DMARCbis has failed to integrate RFC7489 with RFC 7960, because it provides no discussion of the circumstances where an evaluator should override the DMARC result. I believe DMARCbis needs a discussion about the appropriate scope and characteristics of local policy. I have developed an initial draft of proposed language for that section, which appears below Doug Foster x. Exceptions / Local Policy A DMARC disposition policy communicates the domain owner’s recommendation for handling of messages which fail to authenticate. By definition, this recommendation cannot take into consideration the local interest of specific receivers, or the specific flow path of any specific message. As a result, evaluators should anticipate the need to implement local policy exceptions that override the DMARC recommended disposition when appropriate. These exceptions can be considered in two groups: policy overrides and authentication overrides. This section discusses some expected override scenarios, without intending to be comprehensive, so that product implementers can create appropriate exception structures for these and similar possible situations. x.1 Policy Overrides x.1.1 Override p=none A disposition policy of “none” indicates that the domain owner suspects that some evaluators may receive some legitimate and wanted messages which lack authentication when received. The evaluator may reasonably conclude that its risk of allowing a message which maliciously impersonates the domain is much greater than the risk of hindering a legitimate-but-unauthenticated message from the domain. In such cases, the local policy will override p=none and handle the domain with p=quarantine or p=reject. x.1.2 Override missing PSL=Y Some PSDs have implemented DMARC policies in accordance with RFC 9901, without a PSL tag because that RFC assumed that organizational domain determination would be provided by the PSL. Particularly during the early rollout of this specification, evaluators should use the PSL to identify DMARC policies which are intended to be treated as PSL=Y even though the PSD’s policy has not yet been updated to include the PSD=Y tag. x.1.3 Override strict alignment A domain may publish aspf=s or adkim=s incorrectly, which the evaluator will detect when legitimate and wanted messages produce a DMARC Fail result, even though they would produce Pass using relaxed alignment. In this case, the evaluator overrides the strict alignment rules in the published policy and applies a local policy of relaxed alignment. x.2 Authentication Overrides An Authentication Override provides alternate authentication when a message is acceptable but the DMARC algorithm produces a result of Fail. To ensure that the exception does not create a vulnerability, the rule should include at least one verified identifier with a value that indicates the trusted message source, often coupled with unverified identifiers with specific values the further narrow scope of the rule. x.2.1 Mailing List messages Mailing Lists typically add content to the Subject or Body, and replace the Mail From address, while forwarding a message. As a result, the RFC5322.From address of the author can no longer produce SPF Pass or DKIM Pass. If list messages are received directly, without secondary forwarding, an exception rule can typically use the Mail From address of the list coupled with a result of SPF Pass on that address. If the message is received after secondary forwarding, the rule might be based on a DKIM signature matching the list domain and a List-ID header with the list identity. The specific parameters will vary based on the list characteristics and the message flow between the list and the evaluator. x.2.2 SPF Distrust SPF Pass is designed on the assumption that a submitting server does not have multiple tenant domains, or does not allow domain tenants to impersonate each other. Some shared tenancy environments have difficulty ensuring that this assumption is valid, weakening trust in a result of DMARC Pass based on SPF Pass. When an evaluator has determined that messages from a particular domain are reliably signed, and that the SPF policy includes an environment with weak controls, the evaluator may implement a local policy to reject or quarantine unsigned messages from that domain, even if the messages produce SPF PASS x.2.3 Non-malicious impersonators Some legitimate network services provide services to individual clients from many domains, and generate messages on behalf of those individual clients using the client’s email address. These messages fail DMARC authentication because they originate outside control of the client’s domain owner. While the intent of DMARC is to encourage such services to identify their email differently, not all legitimate senders have done so. As with Mailing List messages, an evaluator will typically need to replace DMARC authentication with a local policy which allows the message based on Mail From address, SPF Pass, and the acceptable RFC5322.From domains to which the rule applies.
- [dmarc-ietf] DMARC exceptions Douglas Foster
- Re: [dmarc-ietf] DMARC exceptions Todd Herr
- Re: [dmarc-ietf] DMARC exceptions Scott Kitterman
- Re: [dmarc-ietf] DMARC exceptions Hector Santos