IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Scott Kitterman <sklist@kitterman.com> Tue, 18 April 2023 22:55 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47DF8C14CEFA for <dmarc@ietfa.amsl.com>; Tue, 18 Apr 2023 15:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="IRMOouRG"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="B1kWafZe"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R874f2M3Vehb for <dmarc@ietfa.amsl.com>; Tue, 18 Apr 2023 15:55:26 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 337C9C15154C for <dmarc@ietf.org>; Tue, 18 Apr 2023 15:55:25 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 251B2F80206; Tue, 18 Apr 2023 18:55:13 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1681858498; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=UIRz7X4+zAt82BWwoHiVBBpC1+QEAao+O/7eBUFOiSQ=; b=IRMOouRGxSHnc63VDooow09FWvp8bfb2nVdzKmDe3pIKF1gmEALejN/Ft6k4RGAp3ov8P 2bcjCJr86qUon6RCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1681858498; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=UIRz7X4+zAt82BWwoHiVBBpC1+QEAao+O/7eBUFOiSQ=; b=B1kWafZegwDE9j8aUIN9XctYKMvMqSfvQv8nQff18ctoeT3I+jGRlMFbuKmS6LHlJfQ76 0za+1TsxLPS+rDdRQ8gGhDy7TrCeblhiC3keZdQ3lz3G6KqUIgv4KwcCMTkszCPSWwwC2/w MJqP+DoQKWs7WIHGGirumqrT1x0cRarxeOq7oLBopW9YSiw9YlqH24oy1Abjvqj5TPBYKrK wfj9SAkY0csmz0qvzwGr5mFxSU91FPFDj0YXMrZu//TImdrwE6ALn9eU1bNL5Z4dTxkFjXj KlL4o3lyxNOcfUJyHsg+fCJ2N1WpsFnM+7zsJX8eulJACfgvF6tvU1tfRBrA==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 3B250F8009F; Tue, 18 Apr 2023 18:54:58 -0400 (EDT)
Date: Tue, 18 Apr 2023 22:54:56 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <3F55F853-C422-4925-9FA6-4CB08A43E570@bluepopcorn.net>
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <13603D87-4FDE-4768-9712-E6DB0818C802@kitterman.com> <CALaySJLY-9O1Wauk50WMMobNs3cKUzmB+=np080nYCHEZa32UA@mail.gmail.com> <3129648.WqDQmVRvLn@localhost> <CAJ4XoYe3Z8=G8H6hQFuiMMwfZQt1JvLpK3bQmrtGCz=b-w=CJA@mail.gmail.com> <86E22FA6-759F-40F3-AEA3-119EE90F64A0@kitterman.com> <80086446-effa-7ee2-91c7-1f44449d92fb@tekmarc.com> <CAL0qLwaKO5A_OSjod00msw+8EALOUqYzeXb_aPjVhQ2R1wZKJg@mail.gmail.com> <3F55F853-C422-4925-9FA6-4CB08A43E570@bluepopcorn.net>
Message-ID: <78EC53BD-9E7E-40C0-9F26-2817A1FD8E98@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sxJSkP6DqEvKeq0DYPtR-IdPxts>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Apr 2023 22:55:30 -0000


On April 18, 2023 10:00:45 PM UTC, Jim Fenton <fenton@bluepopcorn.net> wrote:
>On 9 Apr 2023, at 0:50, Murray S. Kucherawy wrote:
>
>> (Note, here, that Barry has in his proposed text limited the constraint to
>> those types of deployments where the damage is likely.  I concur.  DMARC,
>> as currently defined, works just fine when deployed in transactional
>> situations.  Or, at least, I haven't seen that identified as a problem
>> case.)
>
>I have been trying to point out a problem in even for transactional messages. Some receive-side forwarders that people use break DKIM signatures, and of course break SPF. So a transactional message sent to a forwarded address might be rejected if the address to which it is forwarded enforces DMARC.
>
>IMO, receive-side forwarding is an important use case. It allows people to maintain a consistent email address if they change mail providers. For people whose email provider is their ISP, that keeps them from being locked into that ISP.
>
>It’s possible that this might be solved if the forwarder implements ARC, but only if the address to which it is forwarded knows how to implement ARC. I suspect that many DMARC enforcers currently don’t.
>
I think this is correct, but I also think the consequences for these failures are different enough that they don't carry the same degree of importance.

1.  Unlike on mailing lists, if you have set up a forwarder and you decline to accept mail from the forwarder and the forwarder unsubscribes you from their service, that's entirely a local problem.  I realize that this may not be very tractable for users of large mail services, but the simple answer is either whitelist such sources from DMARC checks and use ARC data if it's available (or parse the AR header field the forwarder includes) to find out if the message was spoofed when received by the forwarder.

There's no third-party damages as there can be with between ADMD mediators.

2.  The forwarder is the receiver's ADMD boundary with the Internet.  Internal forwarding beyond the border MTA is really an Internal problem.  I don't think it's technically an Internet interoperability problem in the way the IETF would normally think of it for mail services.  You're free to lose your own mail and no RFC will save you.

Scott K

v2.23.0 | Report a Bug | By Email