Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Scott Kitterman <sklist@kitterman.com> Sat, 08 April 2023 20:17 UTC

From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Sat, 08 Apr 2023 16:16:42 -0400
Message-ID: <3129648.WqDQmVRvLn@localhost>
In-Reply-To: <CALaySJLY-9O1Wauk50WMMobNs3cKUzmB+=np080nYCHEZa32UA@mail.gmail.com>
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <13603D87-4FDE-4768-9712-E6DB0818C802@kitterman.com> <CALaySJLY-9O1Wauk50WMMobNs3cKUzmB+=np080nYCHEZa32UA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tFdI27KEN7sVX_MHv7YNq05DRsk>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

We've gone nearly a week without any further discussion on this thread.

I reviewed the thread and I think this is the closest we got to anything 
(most) people agreed on.  I know not everyone liked it, but I doubt we're 
going to get closer to a consensus on this.

Can we adopt this and move forward on to the next thing?

Scott K

On Wednesday, March 29, 2023 7:42:49 PM EDT Barry Leiba wrote:
> I'm happy with that suggestion.
> 
> Barry
> 
> On Thu, Mar 30, 2023 at 6:00 AM Scott Kitterman <sklist@kitterman.com> wrote:
> > Would you feel any better if the MUST NOT was followed by 'to preserve
> > interoperability'?  That's implicitly there and I believe technically
> > correct.  If you value other properties of the system higher than
> > interoperability, then the advice may not apply, which is fine.
> > 
> > Scott K
> > 
> > On March 29, 2023 3:32:10 PM UTC, "Brotman, Alex" <Alex_Brotman=40comcast.com@dmarc.ietf.org> wrote:
> > >I’m just not sure how we determine what is high-value.
> > >
> > >comcast.com: p=reject
> > >comcast.net: p=none
> > >xfinity.com: p=quarantine
> > >
> > >The top one is corporate, middle is consumer, bottom is consumer (but not
> > >actually used) & customer comms (sub-domains).  They’re all used in
> > >various ways for internal messaging.  Should I tell our corporate admins
> > >that they need to no longer publish p=reject?  They’re violating the RFC
> > >by doing so?  There are very few consumer-oriented messages that
> > >originate from comcast.com.  Are we doing it right?  It makes things a
> > >little harder when one of our employees wants to use a mailing list. 
> > >But that still feels like the right thing to do.
> > >
> > >If it’s not obvious, I’m having a hard time with “MUST NOT”, and
> > >dictating to domain owners what is in their best interests, regardless
> > >of our perceived value of their domain.
> > >
> > >--
> > >Alex Brotman
> > >Sr. Engineer, Anti-Abuse & Messaging Policy
> > >Comcast
> > >
> > >From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Barry Leiba
> > >Sent: Wednesday, March 29, 2023 10:15 AM
> > >To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
> > >Cc: dmarc@ietf.org
> > >Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
> > >
> > >I'm very much against text such as this, as I think it encourages
> > >deployments that are contrary to interoperability and to the intent of
> > >p=reject.
> > >
> > >I contend that p=reject (as with the similar construct in the older ADSP)
> > >was intended for high-value domains and transactional mail, and that it
> > >was never intended for use in domains where general users send general
> > >email.
> > >
> > >I stand by the MUST NOT that I proposed.
> > >
> > >Barry
> > >
> > >
> > >On Wed, Mar 29, 2023 at 10:33 PM Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org> wrote:
> > >
> > >On Tue, Mar 28, 2023 at 9:06 PM Pete Resnick <resnick@episteme.net> wrote:
> > >
> > >If you agree that interoperability is increased, then I'd suggest that
> > >you actually do agree that the proposed text is appropriate.
> > >
> > >
> > >I don't know that I agree that interoperability is increased...
> > >
> > >I'm having trouble squaring proposed language that says "Domain owners
> > >MUST NOT publish p=reject because it breaks interoperability" with the
> > >following language from section 5.8:
> > >
> > >
> > >Mail Receivers **MAY** choose to accept email that fails the DMARC
> > >mechanism check even if the published Domain Owner Assessment Policy
> > >is "reject". In particular, because of the considerations discussed
> > >in [@!RFC7960], it is important that Mail Receivers **SHOULD NOT** reject
> > >messages solely because of a published policy of "reject", but that
> > >they apply other knowledge and analysis to avoid situations such as
> > >rejection of legitimate messages sent in ways that DMARC cannot
> > >describe, harm to the operation of mailing lists, and similar.
> > >
> > >It seems inconsistent to state with certainty that authorized mail will
> > >be rejected due to authentication breakage when there is no requirement
> > >that a reject policy be honored (and we have plenty of evidence that
> > >Mail Receivers are following the 'SHOULD NOT reject messages' guidance).
> > >
> > >Language that would be more consistent in guidance to the domain owners
> > >might look something like this:
> > >
> > >After careful analysis of the aggregate report data as described in
> > >section 5.5.5 (Collect and Analyze Reports), Domain Owners **MAY**
> > >choose to change their policy from 'none' to 'quarantine' or 'reject'.
> > >If, in the Domain Owner's judgement, unauthorized and deceptive use of
> > >its domain name in the RFC5322.From field puts at risk the trust it has
> > >built with its recipients, then it is **RECOMMENDED** that the Domain
> > >Owner make use of the p and/or sp tags to set policy to 'quarantine' or
> > >'reject' for those streams most at risk of loss of trust.
> > >
> > >If going that route, probably want to consider expanding on 5.5.5, too; I
> > >need to think about it some more.
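The thread above turns on two mechanics: how a receiver discovers which policy (p or sp, 'none'/'quarantine'/'reject') applies to a From domain, and the section 5.8 latitude that lets a receiver accept a failing message despite a published 'reject'. The following is an added illustration, not code from the list or from any draft; the DNS records are constructed, the organizational-domain logic is a deliberate simplification, and `known_indirect_flow` is assumed to be supplied by the receiver's own analysis (for example mailing-list recognition), which is out of scope here.

```python
"""DMARC policy discovery plus a receiver disposition that models the
section 5.8 text quoted above.  Example code; records are constructed."""

# Constructed TXT records keyed by the _dmarc.<domain> owner name.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
    "_dmarc.shop.example.org": "v=DMARC1; p=quarantine",
}

def parse_record(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Simplification (assumption): the organizational domain is the last two
    labels.  A real implementation consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def discover_policy(from_domain):
    """Return (policy, record_domain), or (None, None) when no record exists.
    Exact-domain record first; otherwise the organizational domain's record,
    where 'sp' governs subdomains if present and 'p' is the fallback."""
    from_domain = from_domain.lower()
    rec = ZONE.get(f"_dmarc.{from_domain}")
    if rec:
        return parse_record(rec).get("p"), from_domain
    org = org_domain(from_domain)
    rec = ZONE.get(f"_dmarc.{org}")
    if rec is None:
        return None, None
    tags = parse_record(rec)
    return tags.get("sp", tags.get("p")), org

def disposition(from_domain, dmarc_pass, known_indirect_flow=False):
    """Receiver decision.  A published 'reject' is an assessment request, not
    a command: the receiver MAY accept a failing message when other knowledge
    (here, an externally supplied indirect-flow flag) says it is legitimate."""
    policy, _ = discover_policy(from_domain)
    if dmarc_pass or policy in (None, "none"):
        return "accept"
    if known_indirect_flow:
        return "accept"  # local policy override; still reported via rua
    return policy  # 'quarantine' or 'reject', as the domain owner requested
```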