[dmarc-ietf] Extracting AAR information
Brandon Long <blong@google.com> Wed, 10 May 2017 07:50 UTC
Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85A4B120227 for <dmarc@ietfa.amsl.com>; Wed, 10 May 2017 00:50:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j9AaKjUgxu3o for <dmarc@ietfa.amsl.com>; Wed, 10 May 2017 00:50:31 -0700 (PDT)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51B36129AE0 for <dmarc@ietf.org>; Wed, 10 May 2017 00:50:29 -0700 (PDT)
Received: by mail-oi0-x230.google.com with SMTP id w10so26904140oif.0 for <dmarc@ietf.org>; Wed, 10 May 2017 00:50:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=MAvNAQrIbnyqwZ3/OJLqm+iiHwgAqvdOLBDym3wx5wg=; b=P7KiVnS7WyoZYmXBvSZYI9IRauRG4EetWZaRPqsQPKqdrjY06m3qb2I1v7zpFfkQNa /Z/wbMRbL2wRhSvYWI7SUtPOZWusw0uAumZyiWSSf80/M9RozUormGcIOg82T7xJIaSS 3xgIXeuY/be/MfxoguuecDisrKJiJkYq7OmvU3r7tZ+J7ep9My3m6g/ScIejOk8YGEx5 wTqOTlvYYePVIcwFo2ZZXygnfvotI6Z6YyDxUkkt8cxjsCQnF+ltu4vhezfcKKZzrBcl UifItYgjt45uJtgR8QzVZfeAz1iBV4qKxNPzmVQw4C9uzoMNQ4FmK6a0a9+vj3gF5gr+ QvKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=MAvNAQrIbnyqwZ3/OJLqm+iiHwgAqvdOLBDym3wx5wg=; b=YwrxnPGiYMG6bWAMnsZMjkGlOgNnFIZRH+8yUyVyrhEfp2w2oI1Z/dx8KGmXl7+XxD akz792ytiQU5WPQqfLAaY4t/FaAfOp69hVxOM6bqt+JEayAUXJcN1OuI9OAi0MHR3cPi 6f2qNqEre5eShscpPocnhyiPLP9fz4JtiVBMIbJNz/3dUszkeEuJlnzL/wDiJ+dFTiBM frk0oeJA5aawstwUWtVzlA/JRvMbxOEtZlFpqQBLX8KWY4Wk/uXKlS9p3+LaM2QtNT6d kLwKHZFnz+x5hYWG5fZ2dtQpGhiPAYB+xVexMAxGYDozL1x5R/GiIe0+wCn3iXIncEnN 6f3A==
X-Gm-Message-State: AODbwcC6XuOcg3xuLW3CKotUReyCQo3lekfimarwNqBUawKGXoKqhgqR znj1pCVIMhhh6tZ5nl8YI5VBo2jSNLUW
X-Received: by 10.202.178.193 with SMTP id b184mr1716203oif.51.1494402628471; Wed, 10 May 2017 00:50:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.8.34 with HTTP; Wed, 10 May 2017 00:50:28 -0700 (PDT)
From: Brandon Long <blong@google.com>
Date: Wed, 10 May 2017 00:50:28 -0700
Message-ID: <CABa8R6tvv59OkKG-beyCcfc9=VwowLEBRd8H-uiOGaBDFAv-3g@mail.gmail.com>
To: Seth Blank <seth@valimail.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Gene Shuman <gene@valimail.com>
Content-Type: multipart/alternative; boundary="001a113b80c8d2d712054f26b990"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/t2CDTIWb-IqviBD-uQJ8Y0oEsLw>
Subject: [dmarc-ietf] Extracting AAR information
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 May 2017 07:50:33 -0000
On Tue, May 9, 2017 at 5:39 PM, Seth Blank <seth@valimail.com> wrote: > I've got two follow ups from Gene's notes on the proposed draft: > > 1. I am also confused by section 5.2, specifically the penultimate > sentence in the section. I think - but am not certain - that I understand > what is meant. I've suggested new language below to clarify. > > Original: > > "Of particular importance is the recording of the "i=2" instance of this > field, which is the first available opportunity in the handling chain of > the message to evaluate its apparent validity since departing its > originating ADMD." > > Suggested: > > "Of particular importance is the first AAR header after an ARC signed > message leaves its originating ADMD, which is generally but not always the > "i=1" instance of this field. This instance contains the authentication > information of first receipt which the ARC chain is establishing custody of > to a final receiver." > This and other comments I've heard seems to put an undue benefit on the first receiver. I'm not sure that's warranted. Ie, if you're hoping through a group that right now rewrites the From header, the auth information in the first hop isn't the useful data for validating DMARC. Message from a REJECT domain -> mailing list which rewrites From and is a different REJECT domain -> anti-phishing vendor which rewrites all urls to bounce through them In this case, the final recipient doing a DMARC check would see the From of the mailing list and would need the i=2 (or maybe i=3, depending on whether the mailing list service adds one or two headers) AAR to validate that the auth for the mailing list domain. (in reality, the anti-phishing vendor should be an inbound gateway and dmarc shouldn't be evaluated, but it could be a hop through a second mailing list. An example recently had the anti-phishing get forwarded from the edu domain to a user's personal gmail, so more hops) The logic I'm looking at is more complicated. If you assume a whitelist model, where you are willing to use any information provided by a whitelisted domain, then you basically walk the hops backwards, taking any DKIM auth info given as long as the hop is whitelisted. SPF is a bit different, because you don't want a message "acquiring" SPF auth when it's relayed (I spoof a mail from a non-reject GSuite domain through any service hosted at Google and it'll acquire that domain's SPF auth, for example). So, as you walk backwards, you want an SPF fail/neutral to override a pass. (Theoretically, you could use ARC to override the current SPF evaluation as well. This also assume you wouldn't ARC sign during an initial MSA or RELAY hop, only when it hits a new ADMD). And if you reach a hop where the AMS doesn't verify any more, you have to stop evaluating at the next unwhitelisted hop, since the message could have been completely modified by an unwhitelisted hop and a replayed chain used. Now, most mail we'll see will be a single hop through a mailing list, and so any rewriting will be handled by the new dkim signature or spf, and any non-rewrites will be from the i=1 AAR. If that's all we cared about, that would just be the original XOAR spec as implemented by Google, it only ever handled one hop. Brandon
- [dmarc-ietf] Extracting AAR information Brandon Long