Re: [dmarc-ietf] DMARC policy overrides
Franck Martin <fmartin@linkedin.com> Tue, 02 July 2013 19:12 UTC
Return-Path: <prvs=888df1167=fmartin@linkedin.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C39B821F9BB4 for <dmarc@ietfa.amsl.com>; Tue, 2 Jul 2013 12:12:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.905
X-Spam-Level:
X-Spam-Status: No, score=-5.905 tagged_above=-999 required=5 tests=[AWL=-0.240, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etDB7m9sWKcr for <dmarc@ietfa.amsl.com>; Tue, 2 Jul 2013 12:12:39 -0700 (PDT)
Received: from esv4-mav05.corp.linkedin.com (esv4-mav05.corp.linkedin.com [69.28.149.81]) by ietfa.amsl.com (Postfix) with ESMTP id D494311E80D3 for <dmarc@ietf.org>; Tue, 2 Jul 2013 12:12:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linkedin.com; i=@linkedin.com; q=dns/txt; s=proddkim1024; t=1372792346; x=1404328346; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=fU3GfFJEcK5E83vqC9jDdHYPHog4L6S6wVWyEVTuxhU=; b=AhFIUZX1sOCQgEaYinyEls2UlWPq0x8MxHd1DV8OKXR/BofRquBPMVYu hAoG9qTvq8zOWbypK+ZZVRBaq4DYRUXwbrkTQ9UeSc/zSFY1IApPbHQdo saLXNGXUCbo2F5R2ADQcEKZogDWWpMgUrPTPbjIV/OBSjSTxoJEx/+OSd I=;
X-IronPort-AV: E=Sophos;i="4.87,982,1363158000"; d="scan'208";a="54522522"
Received: from ESV4-HT02.linkedin.biz (172.18.46.236) by esv4-cas01.linkedin.biz (172.18.46.140) with Microsoft SMTP Server (TLS) id 14.2.328.11; Tue, 2 Jul 2013 12:11:51 -0700
Received: from ESV4-MBX01.linkedin.biz ([fe80::d029:a1fa:62c4:2641]) by ESV4-HT02.linkedin.biz ([::1]) with mapi id 14.02.0328.009; Tue, 2 Jul 2013 12:11:51 -0700
From: Franck Martin <fmartin@linkedin.com>
To: Scott Kitterman <sklist@kitterman.com>
Thread-Topic: [dmarc-ietf] DMARC policy overrides
Thread-Index: AQHOd1Qt4G/x1dE5/0mSwEkA7nXYtZlSMt+AgAAD44A=
Date: Tue, 02 Jul 2013 19:11:50 +0000
Message-ID: <77426B543150464AA3F30DF1A91365DE533DDDF6@ESV4-MBX01.linkedin.biz>
References: <77426B543150464AA3F30DF1A91365DE533DD678@ESV4-MBX01.linkedin.biz> <b6717f52-fdb0-43b7-b490-c4c3b3f0dca1@email.android.com>
In-Reply-To: <b6717f52-fdb0-43b7-b490-c4c3b3f0dca1@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.18.46.252]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8D1236F921B6184DA49CD75A9752A934@linkedin.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] DMARC policy overrides
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jul 2013 19:12:43 -0000
This is what I just said, if you want to implement DMARC as a receiver this is what you have to do, for all the reasons I have explained. You are free to not implement DMARC as a receiver if your infrastructure cannot do it, but you are not free to implement it in a way that brings inconsistency across implementers which create inconsistent aggregate reports and therefore email discarding because the receiver does not send to the sender a complete view. On Jul 2, 2013, at 11:58 AM, Scott Kitterman <sklist@kitterman.com> wrote: > Except you can't tell if DMARC applies to a message until DATA, so the only way to implement this is to change all SPF checks to after DATA whether they are related to DMARC or not. I think imposing such architectural change on unrelated message processing is inappropriate. I think some discussion of this absent the 2119 words is fine. > > Scott K > > Franck Martin <fmartin@linkedin.com> wrote: > >> "DMARC-compliant Mail Receivers SHOULD disregard any mail directive >> discovered as part of an authentication mechanism (e.g., ADSP, SPF) >> where a DMARC policy is also discovered that specifies a policy other >> than "none". {R7} To enable Domain Owners to receive DMARC feedback >> without impacting existing mail processing, discovered policies of >> "p=none" SHOULD NOT modify existing mail disposition processing. >> Note that some Mail Receivers may reject email based upon SPF policy >> mechanisms before email enters DMARC-specific processing. >> >> Mail Receivers SHOULD also implement reporting instructions of DMARC >> in place of any extensions to SPF or DKIM that might enable such >> reporting. {R10}" >> >> As a sender I want certainty in the processing. The DMARC mechanism is >> of better strength than SPF alone, because it does SPF AND DKIM. >> However not everyone does DMARC on the receiving side, so there is >> still a need to publish a -all SPF policy for the receivers that are >> not yet on DMARC. If a sender does DMARC with p!=none this is because >> it has a (serious) spoofing problem. >> >> With such SPF policy I don't want it to overrides DMARC, as DMARC is of >> more superior nature (this is my judgement otherwise I would not care >> about DMARC). >> >> But to encourage adoption, and make transition smooth, when p=none, the >> email flow must not be affected by DMARC. DMARC is transparent to the >> email in that case, providing reports to allow you to put your mail in >> order. >> >> The problem arises because SPF can be evaluated at the end of the RCPT >> TO phase, well before DKIM and therefore DMARC is evaluated. In >> practices, few enforces SPF policy and uses it later as a scoring >> mechanism like spamassassin do. >> >> This is why in the text above there is a SHOULD, this brings constancy >> in the processing, but depending on the receiver infrastructure, then >> it certainly can deviate from ignoring SPF, but this is not the >> recommended practice. >> >> Furthermore, for the aggregate reports to be accurate, they need to see >> all the emails, regardless of SPF policy. Once you implement DMARC as a >> receiver, you should move your SPF policy decision to the end of DATA, >> so you can make an accurate aggregate report. This will provide >> certainty on what will happen when the sender moves away from p=none >> policy. >> >> A receiver can do what it wants, but the SHOULD above is common sense >> when you decide to do DMARC as a receiver. >> >> I think the text, could be more focused, and speak only of overriding >> only policies that use the same underlying authentication mechanisms, >> and this is only SPF, DKIM and ADSP. TLS to other scheme would not be >> affected.
- [dmarc-ietf] DMARC policy overrides Franck Martin
- Re: [dmarc-ietf] DMARC policy overrides Scott Kitterman
- Re: [dmarc-ietf] DMARC policy overrides Franck Martin
- Re: [dmarc-ietf] DMARC policy overrides Dave Crocker
- Re: [dmarc-ietf] DMARC policy overrides Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC policy overrides Dave Crocker
- Re: [dmarc-ietf] DMARC policy overrides Scott Kitterman
- Re: [dmarc-ietf] DMARC policy overrides Franck Martin
- Re: [dmarc-ietf] DMARC policy overrides Matt Simerson
- Re: [dmarc-ietf] DMARC policy overrides Scott Kitterman
- Re: [dmarc-ietf] DMARC policy overrides Dave Crocker
- Re: [dmarc-ietf] DMARC policy overrides Scott Kitterman