Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)
Scott Kitterman <sklist@kitterman.com> Thu, 14 March 2024 18:29 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 882C3C14F6A1 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 11:29:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="GQMBFOey"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="M937z1qP"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZTo7mhJUlS46 for <dmarc@ietfa.amsl.com>; Thu, 14 Mar 2024 11:29:09 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B1C6C14F5F5 for <dmarc@ietf.org>; Thu, 14 Mar 2024 11:29:09 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 89562F80245 for <dmarc@ietf.org>; Thu, 14 Mar 2024 14:28:56 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1710440914; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=C1BFi7MMJ1/o9L/aUdUHDlebyOftaKq/V9tSe3QvHfs=; b=GQMBFOeyT/SFoK9aZrCGlK8pUPCoHp2VGEX5d9CY0uXNZqwTFHAGHanffHmUzzglHM+2l h3k/slPjj43rkJ4CA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1710440914; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=C1BFi7MMJ1/o9L/aUdUHDlebyOftaKq/V9tSe3QvHfs=; b=M937z1qP/lTfuZ1e8uwW+tXfjjr3MBhs6UhtjYXJwFEHISzo4Gk5M5YDwkO2jnR1mtPxV 6AhmFtxiIxEPrDhp0swoDDKHAZyUGNi5fTEW7aYFhaJXxLPoS06RD/gSYmQj1lE/90UVNQM nqQj2AuNoAPC8ionO2iP6eo6ZrJUpz24ABSMDz8P+1F0DAcrXTd8vs49QmPUjv4Ep0TX/XQ J6OizquF5vTFHWbGTaf31YCA40Qcv9KmbduJnQaHfbeOolO3dG49Bjy92VZUrlFp1Cvo9Wh f4d+GcbAPTs9Dx0+/3D0IKF6mdkGTjBLaD14qgvPjyvE4gxl3EKUvlZVNHKg==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 07EDBF80211 for <dmarc@ietf.org>; Thu, 14 Mar 2024 14:28:34 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 14 Mar 2024 14:28:27 -0400
Message-ID: <9400216.9ixZcBn5L4@zini-1880>
In-Reply-To: <78e6261a-acdc-483f-b692-0ece05f1b1e4@tana.it>
References: <CAHej_8k=GC11rNesi6dRnMv+Bdrtq-GRfFPuGAJxfWa9ydpcPw@mail.gmail.com> <5647198.Kyp0lPT3oT@zini-1880> <78e6261a-acdc-483f-b692-0ece05f1b1e4@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/s-rucCHKKW_Mi6cS78xsjWWKnjE>
Subject: Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and 5.5.2 SHOULD vs MUST (was Another point for SPF advice)
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 18:29:13 -0000
On Thursday, March 14, 2024 1:59:58 PM EDT Alessandro Vesely wrote: > On Thu 14/Mar/2024 18:35:05 +0100 Scott Kitterman wrote: > > On Thursday, March 14, 2024 11:27:03 AM EDT Alessandro Vesely wrote: > >> On Thu 14/Mar/2024 15:09:37 +0100 Todd Herr wrote: > >>> [...] > >>> > >>> In the ticket, I propose the following replacement text: > >>> > >>> ================================================== > >>> Because DMARC relies on SPF [[RFC7208]] and DKIM [[RFC6376], in order to > >>> take full advantage of DMARC, a Domain Owner MUST first ensure that > >>> either > >>> SPF or DKIM authentication are properly configured, and SHOULD ensure > >>> that > >>> both are. > >>> > >>> To configure SPF for DMARC, the Domain Owner MUST choose a domain to use > >>> as > >>> the RFC5321.MailFrom domain (i.e., the Return-Path domain) for its mail > >>> that aligns with the Author Domain, and then publish an SPF policy in > >>> DNS > >>> for that domain. The SPF record MUST be constructed at a minimum to > >>> ensure > >>> an SPF pass verdict for all known sources of mail for the > >>> RFC5321.MailFrom > >>> domain. > >>> ================================================== > >> > >> Wouldn't you at least add "trusted", "ensure an SPF pass verdict for all > >> known, trusted sources of mail"? To avoid mandating an insecure > >> behavior. > >> Consider: > >> > >> _ Hey dude, they're spoofing your domain with a tide of phishing. > >> > >> _ How come? > >> > >> _ You have an include:phisherman.example in your SPF. Remove it. > >> > >> _ No, since they occasionally send a true message from us, the RFC says I > >> MUST keep it. > > [...] > > > I think that's issue 135, not this one. > > SPF it treated in multiple places. We cannot warn against a bad practice in > one place (135) and recommend it unconditionally in another (132). That is exactly how one handles Security Considerations. So 132 says do SPF. Security Considerations gives you stuff to think about how you do SPF. There's not need to embed mitigations for the considerations throughout the draft (someone with more IETF experience than me, please correct me if I'm wrong about this). Scott K
- [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 and … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Alessandro Vesely
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Scott Kitterman
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … John Levine
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Hector Santos
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Hector Santos
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Todd Herr
- Re: [dmarc-ietf] DMARCbis WGLC Issue 132 - 5.5.1 … Alessandro Vesely