[dmarc-ietf] Ticket #11 (and #112) - Proposed language
Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 12 June 2021 12:55 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826DB3A114C for <dmarc@ietfa.amsl.com>; Sat, 12 Jun 2021 05:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id twDSv5FX16yI for <dmarc@ietfa.amsl.com>; Sat, 12 Jun 2021 05:55:46 -0700 (PDT)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4C163A114B for <dmarc@ietf.org>; Sat, 12 Jun 2021 05:55:45 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id r16so8642438oiw.3 for <dmarc@ietf.org>; Sat, 12 Jun 2021 05:55:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=JLZ923bykjec/yJ0cK3D26KiCm/ZXva+wJ3HXJS5D5Y=; b=mB+tSWlEIPU5dL9QYdfmTBtkMbanKWSLFM2MaF9u+JtdXHnSljetbLx/AYKp5ovmFi Xj+ec0nIqCLBKqX2/DlOSifGvQ2OO0dpvsq+Vb48TMsqzYZIxCbFJcmSQcUEAtHRDH5a UCW1UKGP/uRttykvzKe11gQeNVhRYtTEzgmOTJoaJJ/Qs/ZLlrNOhFcieWOjlrZx8mlX YQhg224+BZSwc5WwLEoXwGN28C25Up5e+ARHsRJ1RJ/Nli7+Q2Q/Atp9NRRcIMzpxeXE W3nElVy70LUrMol4aeOt4KuFqUuX3Vd3aaAvB1/W9B8bi3QjWiMDC90ByvsPjvkxt0ES l6JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=JLZ923bykjec/yJ0cK3D26KiCm/ZXva+wJ3HXJS5D5Y=; b=lDmbI5XAq3JuR3j649gXzqHdarMakxUcO3TgDwCUeEqHZTN8mlHzZfWCI3D94DSMBD b5HO4GEBkHLXJn7n+exnyy1AOo6KYKpIaPEndnPTn4JNCdpoTb/TSsbpeKkyBoazEqPA xag7SYnpkAPrXXs4aPIenHgfAXg22x+Idq9Efx+qRe6Z6FWos5ImA/keJh/suAOijIzM OKNUChcurc+I6sAFqjmfGeWK5Ru//VIJ7fEoRQp5AGyXChJop/yXA10dHi5Km+Na+Jhx l3dpNNNHCMgyvYq/Ibjg9EXDl3wEEYQ5iGNnSImJNO3farkaJzBgT8c2OtXJ2VxXsepW FH5A==
X-Gm-Message-State: AOAM533V3SgwNmRI7/1hYrOPOOj6vnL/jprQDq71pOzLjOfDdSF4WsOt 01y0bCEgfCbZmDgQplJXCC6zmx//39gg4t6iG8nSCQp+EkI=
X-Google-Smtp-Source: ABdhPJw9EytanIjLSk7mtChvmO5ehZGac+/XaQiDXPx79wiBFa8/N3xbkTPN5GiLACdFd8Kei15hpWmuHljVOo4h7FA=
X-Received: by 2002:aca:bd42:: with SMTP id n63mr16367047oif.73.1623502543750; Sat, 12 Jun 2021 05:55:43 -0700 (PDT)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sat, 12 Jun 2021 08:55:33 -0400
Message-ID: <CAH48ZfzuM298fkmhoZtH1ZbK=9Ne9EYtyTYNV27PSsPBW=Gq-w@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000698adc05c4912423"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tiMnEXfVqCKtUYyukwxsCaRXAP4>
Subject: [dmarc-ietf] Ticket #11 (and #112) - Proposed language
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2021 12:55:49 -0000
Below is my proposed language for dealing with the problems that NP is intended to address: - unused DNS names - non-existent DNS names It provides supporting rationale, and provides a more complete solution than anything suggested previously, and ties the design directly to the mailing list problem. I have labelled the sections starting with "X," because I am not sure of the best way to position this text into the flow of the current draft. Doug Foster x. Reducing the scope of the SP policy DMARC introduces a method for the domain owner to state "at time of transmission, authorized emails will always authenticate using DMARC criteria". However,this authentication can be lost in transit if message modification occurs in transit, as discussed in RFC 7960. This possibility can make domain owners reluctant to move beyond sp=none. This is a significant loss, because sp=none opens a vast namespace to domain abuse, including - names that are DNS domains but are not protected by a domain-level DMARC policy - names that are DNS records records rather than DNS names, and cannot be protected by a domain-level DMARC policy - names that are not in DNS at all, and therefore cannot be protected by a domain-level DMARC policy. To mitigate these impacts, it is useful to distinguish names used as email domains from names that are not used for email. Names that are never used for email are never authorized at time of transmission, and therefore can be blocked without concern about in-transit modifications. Several methods are presented for addressing this objective. x.1 Implement mail domains as DNS domains with domain-level DMARC policies. Mail domains are often implemented as DNS domains, but this is not required. MX records and SPF policies can be attached to a named resource record or a wildcard resource record, while DMARC policies can only be attached to a DNS domain. Any name that is configured as a DNS resource record can be reconfigured as a subdomain name supported by resource records which match the subdomain name, and names that are not in DNS can be added as DNS domain names. Once all used mail domain names are configured as DNS domains, they can be configured with DMARC policies. Once this is complete, the SP policy will only apply to unused and non-existent names. This will permit use of SP=reject because any such messages will have been unauthenticated at origin as well as being unauthenticated at reception. This approach is fully compatible with RFC 7489 implementations of DMARC. x.2 Implement an NP policy The NP policy assumes that names used for mail can be reliably identified, so that names not used for mail can be categorized as not authorized. Two approaches are used: - For mail domain names that are used with SMTP, the name is assumed to also be used as an RFC5322.From domain name. This is indicated by an MX record which evaluates to an IP address, or an SPF policy which does not begin with an ALL term. (RFC 7505 indicates that an MX record which does not evaluate to an IP address is useful to indicate that a domain does not accept incoming mail. Based on RFC 7208, content after an ALL term is ignored, so a policy of "-ALL" indicates that the name is never used as an RFC5321.MailFrom domain and an ALL term with any other modifier is a meaningless policy.) - For mail domain names that are not used with SMTP, a new TXT record is defined, with content "DMARCFROMv1". The presence of this TXT record indicates that the associated DNS domain, named DNS resource record, or wildcard DNS record should be considered as potentially in use as an RFC5322.From domain name. Names which are identified by MX record, SPF policy, or DMARCFROMv1 TXT record are considered in use names and are evaluated using the P or SP policy. Names which do not match these criteria are evaluated using the NP policy. This allows unused and non-existent names to be given a stricter DMARC policy than used names. To implement an NP policy, domain owners may need to make DNS changes: - For used domain names that are only identified by an A or AAAA record, an MX record or DMARCFROMv1 TXT record is needed to explicitly indicate that the name is used for mail. - For used domain names that are not in DNS at all, a DMARCFROMv1 TXT record is needed to indicate that the name is used for mail. The NP policy does not require that all mail domains become DNS domains, but the NP policy will only be understood by evaluators which use this specification. Consequently, it is preferable to ensure that all mail domains are implemented as DNS domains. x,3 Implement SPF -ALL policies on unused names. Organizations that have configured SPF to protect their valid RFC5321.MailFrom domains may not have taken the extra measure of using SPF to obstruct names that are not used for mail. While not directly part of DMARC, an authentication result of "DMARC=NONE SPF=FAIL" is a more meaningful result than "DMARC=NONE, SPF=NONE". Consequently, it is desirable to ensure SPF=FAIL for any names that are never used as RFC5321.MailFrom domain names. Since SPF has no inheritance, this requires many entries. To demonstrate, assume that the domain "nomail.example.com" contains only a webserver at "www.nomail.example.com". Multiple SPF records are needed to maximize protection of this subdomain from improper use. An SPF policy of "-ALL" is needed on: - the domain itself, nomail.example.com, - named resource records, including www.nomail.example.com - the wildcard resource record, *.example.com.
- [dmarc-ietf] Ticket #11 (and #112) - Proposed lan… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Dotzero
- Re: [dmarc-ietf] Ticket #111 (and #112) - Propose… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… John Levine
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… John Levine
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Dotzero
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Ken O'Driscoll
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Alessandro Vesely
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… John R Levine
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Douglas Foster
- Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed… Murray S. Kucherawy
- Re: [dmarc-ietf] Ticket #111 (and #112) - Propose… Douglas Foster