Re: [dmarc-ietf] Ticket #1 - SPF alignment
Hector Santos <hsantos@isdg.net> Tue, 02 February 2021 15:42 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB7983A1BA6 for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 07:42:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=jcwqaYkx; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=zTDlaUgM
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLbWvDXnvh0Q for <dmarc@ietfa.amsl.com>; Tue, 2 Feb 2021 07:42:23 -0800 (PST)
Received: from mail.winserver.com (winserver.com [76.245.57.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F7CD3A1262 for <dmarc@ietf.org>; Tue, 2 Feb 2021 07:42:23 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5470; t=1612280538; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=4v33hnWx5G6QZGvM6L5dDxnuc1ci VUDq6L3MpH5t+dA=; b=jcwqaYkxt3nrH7cTqCPMbaH+lALmLeRp/+H5asSX6RxI j0rpLMnGIokJa5qk4eP3OeYHLdxKZwQrn3ODbvc93R1b/m7Xzwysy/9NzNhmj3q0 Rz7MGKEoyXS4YrmjDe9eg1t0MsuB7rHGa4l040DiakK0+sCzW3+0ViivueDvuv4=
Received: by mail.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 02 Feb 2021 10:42:18 -0500
Authentication-Results: dkim.winserver.com; dkim=fail (DKIM_SELECTOR_DNS_PERM_FAILURE) header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; dmarc=dkim-fail policy=reject author.d=isdg.net signer.d=beta.winserver.com (atps signer);
Received: from beta.winserver.com ([76.245.57.74]) by mail.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 608735401.16691.2868; Tue, 02 Feb 2021 10:42:07 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=5470; t=1612280502; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=4v33hnW x5G6QZGvM6L5dDxnuc1ciVUDq6L3MpH5t+dA=; b=zTDlaUgMXzHBKljMrtDW3/L 6Yb5KE4BxyF4jW+bFpkCzv7M31spz9VHPmdfzVmZdKyElbgGJ0bNryMnRyYNxqBo PkxXoAdtWUB5NRkmP3Jv5fjpPHfzPrTOJK1YA7OCDkeNFdSySdLSY5KtGk+cNBbp +s/kuRZBK5zomf58LYhY=
Received: by beta.winserver.com (Wildcat! SMTP Router v8.0.454.10) for dmarc@ietf.org; Tue, 02 Feb 2021 10:41:42 -0500
Received: from [192.168.1.68] ([75.26.216.248]) by beta.winserver.com (Wildcat! SMTP v8.0.454.10) with ESMTP id 1292430971.1.24652; Tue, 02 Feb 2021 10:41:42 -0500
Message-ID: <601972CC.5000604@isdg.net>
Date: Tue, 02 Feb 2021 10:42:04 -0500
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
CC: Scott Kitterman <sklist@kitterman.com>, IETF DMARC WG <dmarc@ietf.org>, 'Hector Santos' <winserver@icloud.com>
References: <20210130212339.447316D04763@ary.qy> <1654196.ygyh55z74P@zini-1880> <babf1538-5172-f101-d5e4-c4fa33dea495@tana.it> <4489192.U1a6Vm75Xl@zini-1880> <CAH48ZfxB8OoA=3YCdj9mCf3sBzRo8Cu0Tg0z70_tCqQ6QmsCTg@mail.gmail.com>
In-Reply-To: <CAH48ZfxB8OoA=3YCdj9mCf3sBzRo8Cu0Tg0z70_tCqQ6QmsCTg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/s_HDbkQS3Tbpfhs9Tu4pO-a1A_Q>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Feb 2021 15:42:26 -0000
On 2/1/2021 7:11 PM, Douglas Foster wrote:

> I think I finally understand the complexities of this issue. SPF is
> two different validations, largely unrelated.
>
> Test One:
> A connection comes in and a server asserts a HELO name. Before
> proceeding, the recipient was to check if the HELO name is plausible
> or fraudulent. One way to do this would be to forward-confirm the
> HELO DNS name to the source IP. An alternate method is to use SPF to
> see if the SPF policy says that the HELO domain can send from the
> Source IP. I do not understand why the domain owner would be able to
> configure the SPF policy but not the host name in DNS.

There is a history of Machine Host Name and IP misconfiguration -- EASILY possible by simply moving a machine or trying to use many machines correctly and generically with one configuration profile. If rDNS is not available for the host, it's all part of the unreliability.

Unless you write SMTP code for outbound mailing, it's hard to see this. You can try to automate the SMTP client design so that the EHLO is always correct with the IP, but there will be MANY times where it won't be right for ABC customer for their XYZ reasons. It's possible, but it's not without optional fields to override an automated logic.

> Test Two:
> If the conversation proceeds past HELO to MAILFROM, then the second
> validation is performed: Is the Source IP authorized to send on
> behalf of the SMTP domain? When the SMTP address is null, then
> postmaster@HeloDomain serves as a proxy for performing this test.

That's one possible theory, but the main thing to remember is that a BOUNCE is required in the name of mail delivery and notifications when delivery fails. You still have the unreliable nature of HELO checking, and a bounce is too important to be making it dependent on an unreliable HELO SPF check.

Many systems do a variety of RFC5322 checks for a BOUNCE message after it is accepted or maybe at the DATA state. It would be nice if we could enforce DSN (RFC3464) but that is not possible. It's optional, and the old way of doing BOUNCE messages, formats and layouts varies. Inconsistent. There are some key addresses that "must" or "should" exist in the 5322.From, like the user part has "Mailer-Daemon" and "postmaster" when the 5321.MailFrom is NULL. If not, it could be rejected then.

Finally......

Back in the early days of LMAP "Lightweight MTA Authentication Protocol" [1], 2003, 2004, Meng Wong made his version of an LMAP protocol called SPF. Before SPF, there were others like DMP "Designated Mailers Protocol" [2] and RMX [3]. SPF is a merge of these two LMAP methods. My wcSMTP was among the early LMAP explorers (wcSMTP had DMP support before SPF came). I did an LMAP analysis and provided it to Meng Wong. We had an email conversation about the need to document SPF CheckHost() for HELO (despite its unreliability and ambiguity) but do not enforce HELO checking because there will be a wide degree of different implementations possible when it comes to HELO checking and the order of checking the identities.

For example, in wcSMTP, the order is as follows:

1- RCPT TO
2- MAIL FROM
3- EHLO/HELO (optional, which is OFF by default)

Before any extended, DNS overhead augmented technology is performed, RCPT TO is checked for validity and existence. So when the client issues MAIL FROM, the following response is issued by wcSMTP:

   C: MAIL FROM:<return-address>
   S: 250 <return-path>... Sender validation pending. Continue.

Then the RCPT TO is issued:

   C: RCPT TO:<forwarding-address>

If the RCPT TO address is good, then it now checks the envelope parameters against a suite of protocols that include RBL, SPF, CBV and local rules filters. But if the RCPT TO address is not good, then a 550 is issued because there is no need to check for any DNS related policies. If SPF fails here, DATA is never reached -- it's considered an optimizer and remember please, SPF predated DKIM POLICIES (SSP, ADSP and DMARC).

In addition, there is the PRA and SUBMITTER protocol that the wcSMTP SPF implementation considers. PRA/SUBMITTER provides the 5322.From address at the SMTP level. It can be used for SPF checking. It's optional. But now with DMARC, I think PRA/SUBMITTER can play a big role and enhance these DMARC SMTP/SPF checking adjustments. It's unfortunate there isn't another "mail engineer" that can see the benefit of these protocols used together. SPF doesn't need to change, DMARC does!!!

Here is the LMAP analysis I did. wcSMTP follows the concepts of this analysis to help optimize LMAP protocols checking at the SMTP level:

https://secure.winserver.com/public/antispam/lmap/draft-LmapAnalysis1-2.htm

I hope this helps your understanding of the complexity of all this, but for me, there are some basic filter concepts that can be applied and I do for my wcSMTP package before all the extra DNS overhead can be applied.

--
Hector Santos, https://secure.santronics.com
https://twitter.com/hectorsantos

[1] Lightweight MTA Authentication Protocol (LMAP) Discussion and Applicability Statement, https://secure.winserver.com/public/ietf/drafts/draft-irtf-asrg-lmap-discussion-00.txt
[2] Designated Mailers Protocol (DMP), https://tools.ietf.org/html/draft-fecyk-dmp-01
[3] The RMX DNS RR and method for lightweight SMTP sender authorization, https://tools.ietf.org/html/draft-danisch-dns-rr-smtp-03
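The envelope-check ordering described in the post above (accept MAIL FROM provisionally, reject an unknown RCPT TO with a 550 before any DNS work, and only then spend the DNS overhead on SPF, with postmaster@HELO-domain standing in for a null sender), plus the 5322.From sanity check for bounces, modelled as an added example. This is not wcSMTP code and not code from the post; the `SPF_POLICY` table, the `LOCAL_MAILBOXES` set, the IP addresses and the `Session` class are all constructed here, and `spf_check()` is a stand-in for a real SPF check_host() evaluator.

```python
"""Added example: order of SMTP envelope checks so that DNS-heavy policy
lookups (SPF) are deferred until the recipient is known to exist.
Constructed model; not wcSMTP code. spf_check() stands in for check_host()."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for published SPF policy: domain -> IPs it authorizes.
SPF_POLICY = {
    "example.com": {"192.0.2.10"},
    "mta.example.net": {"192.0.2.20"},
}

# Constructed local recipient table for the receiving host example.org.
LOCAL_MAILBOXES = {"alice@example.org", "postmaster@example.org"}


def spf_check(domain: str, ip: str) -> str:
    """Stand-in for SPF check_host(ip, domain): 'pass', 'fail' or 'none'."""
    authorized = SPF_POLICY.get(domain.lower())
    if authorized is None:
        return "none"          # no policy published, nothing to enforce
    return "pass" if ip in authorized else "fail"


@dataclass
class Session:
    client_ip: str
    helo: str = ""
    mail_from: Optional[str] = None
    dns_lookups: int = 0       # how often SPF was consulted, to show the deferral

    def ehlo(self, name: str) -> str:
        # HELO identity is recorded but not checked: in the model, as in the
        # post, HELO SPF checking is optional and off by default.
        self.helo = name.lower()
        return "250 OK"

    def mail(self, return_path: str) -> str:
        # "" models the null sender <>.  Accept provisionally, no DNS work yet.
        self.mail_from = return_path
        return "250 <%s>... Sender validation pending. Continue." % return_path

    def rcpt(self, recipient: str) -> str:
        if recipient.lower() not in LOCAL_MAILBOXES:
            # Unknown recipient: reject before any DNS-based policy check.
            return "550 No such user"
        # Recipient exists: now it is worth the DNS overhead.
        if self.mail_from == "":
            # Null sender: postmaster@HELO-domain is the identity checked.
            domain = self.helo
        else:
            domain = self.mail_from.rpartition("@")[2]
        self.dns_lookups += 1
        result = spf_check(domain, self.client_ip)
        if result == "fail":
            # SPF fail at RCPT TO means DATA is never reached.
            return "550 SPF fail for %s from %s" % (domain, self.client_ip)
        return "250 OK"


def bounce_from_header_ok(mail_from: str, from_header: str) -> bool:
    """Post-acceptance RFC5322 check for bounces: with a null 5321.MailFrom,
    the 5322.From local-part is expected to be mailer-daemon or postmaster."""
    if mail_from != "":
        return True            # not a bounce, rule does not apply
    addr = from_header.rpartition("<")[2]          # strip any display name
    local = addr.partition("@")[0].strip().lower()
    return local in ("mailer-daemon", "postmaster")


def transcript(client_ip: str, helo: str, mail_from: str, rcpt_to: str) -> list:
    """Run one envelope through the model and return the server replies."""
    s = Session(client_ip)
    return [s.ehlo(helo), s.mail(mail_from), s.rcpt(rcpt_to)]


if __name__ == "__main__":
    for line in transcript("198.51.100.7", "mta.example.com",
                           "bob@example.com", "nobody@example.org"):
        print("S:", line)
    for line in transcript("198.51.100.7", "mta.example.com",
                           "bob@example.com", "alice@example.org"):
        print("S:", line)
```

The `dns_lookups` counter makes the optimisation visible: an envelope for a non-existent recipient never touches `spf_check()`, while the same envelope to a real mailbox triggers exactly one lookup, and a null-sender bounce is evaluated against the HELO domain rather than an empty MAIL FROM.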