[dmarc-ietf] Ticket #11 (and #112) - Proposed language

Douglas Foster <dougfoster.emailstandards@gmail.com> Sat, 12 June 2021 12:55 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 826DB3A114C for <dmarc@ietfa.amsl.com>; Sat, 12 Jun 2021 05:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id twDSv5FX16yI for <dmarc@ietfa.amsl.com>; Sat, 12 Jun 2021 05:55:46 -0700 (PDT)
Received: from mail-oi1-x231.google.com (mail-oi1-x231.google.com [IPv6:2607:f8b0:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E4C163A114B for <dmarc@ietf.org>; Sat, 12 Jun 2021 05:55:45 -0700 (PDT)
Received: by mail-oi1-x231.google.com with SMTP id r16so8642438oiw.3 for <dmarc@ietf.org>; Sat, 12 Jun 2021 05:55:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=JLZ923bykjec/yJ0cK3D26KiCm/ZXva+wJ3HXJS5D5Y=; b=mB+tSWlEIPU5dL9QYdfmTBtkMbanKWSLFM2MaF9u+JtdXHnSljetbLx/AYKp5ovmFi Xj+ec0nIqCLBKqX2/DlOSifGvQ2OO0dpvsq+Vb48TMsqzYZIxCbFJcmSQcUEAtHRDH5a UCW1UKGP/uRttykvzKe11gQeNVhRYtTEzgmOTJoaJJ/Qs/ZLlrNOhFcieWOjlrZx8mlX YQhg224+BZSwc5WwLEoXwGN28C25Up5e+ARHsRJ1RJ/Nli7+Q2Q/Atp9NRRcIMzpxeXE W3nElVy70LUrMol4aeOt4KuFqUuX3Vd3aaAvB1/W9B8bi3QjWiMDC90ByvsPjvkxt0ES l6JQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=JLZ923bykjec/yJ0cK3D26KiCm/ZXva+wJ3HXJS5D5Y=; b=lDmbI5XAq3JuR3j649gXzqHdarMakxUcO3TgDwCUeEqHZTN8mlHzZfWCI3D94DSMBD b5HO4GEBkHLXJn7n+exnyy1AOo6KYKpIaPEndnPTn4JNCdpoTb/TSsbpeKkyBoazEqPA xag7SYnpkAPrXXs4aPIenHgfAXg22x+Idq9Efx+qRe6Z6FWos5ImA/keJh/suAOijIzM OKNUChcurc+I6sAFqjmfGeWK5Ru//VIJ7fEoRQp5AGyXChJop/yXA10dHi5Km+Na+Jhx l3dpNNNHCMgyvYq/Ibjg9EXDl3wEEYQ5iGNnSImJNO3farkaJzBgT8c2OtXJ2VxXsepW FH5A==
X-Gm-Message-State: AOAM533V3SgwNmRI7/1hYrOPOOj6vnL/jprQDq71pOzLjOfDdSF4WsOt 01y0bCEgfCbZmDgQplJXCC6zmx//39gg4t6iG8nSCQp+EkI=
X-Google-Smtp-Source: ABdhPJw9EytanIjLSk7mtChvmO5ehZGac+/XaQiDXPx79wiBFa8/N3xbkTPN5GiLACdFd8Kei15hpWmuHljVOo4h7FA=
X-Received: by 2002:aca:bd42:: with SMTP id n63mr16367047oif.73.1623502543750; Sat, 12 Jun 2021 05:55:43 -0700 (PDT)
MIME-Version: 1.0
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Sat, 12 Jun 2021 08:55:33 -0400
Message-ID: <CAH48ZfzuM298fkmhoZtH1ZbK=9Ne9EYtyTYNV27PSsPBW=Gq-w@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000698adc05c4912423"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tiMnEXfVqCKtUYyukwxsCaRXAP4>
Subject: [dmarc-ietf] Ticket #11 (and #112) - Proposed language
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2021 12:55:49 -0000

Below is my proposed language for dealing with the problems that NP is
intended to address:
- unused DNS names
- non-existent DNS names

It provides supporting rationale, and provides a more complete solution
than anything suggested previously, and ties the design directly to the
mailing list problem.

I have labelled the sections starting with "X," because I am not sure of
the best way to position this text into the flow of the current draft.

Doug Foster

x. Reducing the scope of the SP policy

DMARC introduces a method for the domain owner to state "at time of
transmission, authorized emails will always authenticate using DMARC
criteria".   However,this authentication can be lost in transit if message
modification occurs in transit, as discussed in RFC 7960.  This possibility
can make domain owners reluctant to move beyond sp=none.  This is a
significant loss, because sp=none opens a vast namespace to domain abuse,
- names that are DNS domains but are not protected by a domain-level DMARC
- names that are DNS records records rather than DNS names, and cannot be
protected by a domain-level DMARC policy
- names that are not in DNS at all, and therefore cannot be protected by a
domain-level DMARC policy.

To mitigate these impacts, it is useful to distinguish names used as email
domains from names that are not used for email.   Names that are never used
for email are never authorized at time of transmission, and therefore can
be blocked without concern about in-transit modifications.   Several
methods are presented for addressing this objective.

x.1 Implement mail domains as DNS domains with domain-level DMARC policies.

Mail domains are often implemented as DNS domains, but this is not
required.   MX records and SPF policies can be attached to a named resource
record or a wildcard resource record, while DMARC policies can only be
attached to a DNS domain.

Any name that is configured as a DNS resource record can be reconfigured as
a subdomain name supported by resource records which match the subdomain
name, and names that are not in DNS can be added as DNS domain names.  Once
all used mail domain names are configured as DNS domains, they can be
configured with DMARC policies.   Once this is complete, the SP policy will
only apply to unused and non-existent names.  This will permit use of
SP=reject because any such messages will have been unauthenticated at
origin as well as being unauthenticated at reception.   This approach is
fully compatible with RFC 7489 implementations of DMARC.

x.2 Implement an NP policy

The NP policy assumes that names used for mail can be reliably identified,
so that names not used for mail can be categorized as not authorized.  Two
approaches are used:

- For mail domain names that are used with SMTP, the name is assumed to
also be used as an RFC5322.From domain name.   This is indicated by an MX
record which evaluates to an IP address, or an SPF policy which does not
begin with an ALL term.  (RFC 7505 indicates that an MX record which does
not evaluate to an IP address is useful to indicate that a domain does not
accept incoming mail.  Based on RFC 7208, content after an ALL term is
ignored, so a policy of "-ALL" indicates that the name is never used as an
RFC5321.MailFrom domain and an ALL term with any other modifier is a
meaningless policy.)

- For mail domain names that are not used with SMTP, a new TXT record is
defined, with content "DMARCFROMv1".   The presence of this TXT record
indicates that the associated DNS domain, named DNS resource record, or
wildcard DNS record should be considered as potentially in use as an
RFC5322.From domain name.

Names which are identified by MX record, SPF policy, or DMARCFROMv1 TXT
record are considered in use names and are evaluated using the P or SP
policy.   Names which do not match these criteria are evaluated using the
NP policy.   This allows unused and non-existent names to be given a
stricter DMARC policy than used names.

To implement an NP policy, domain owners may need to make DNS changes:
- For used domain names that are only identified by an A or AAAA record, an
MX record or DMARCFROMv1 TXT record is needed to explicitly indicate that
the name is used for mail.
- For used domain names that are not in DNS at all, a DMARCFROMv1 TXT
record is needed to indicate that the name is used for mail.

The NP policy does not require that all mail domains become DNS domains,
but the NP policy will only be understood by evaluators which use this
specification.  Consequently, it is preferable to ensure that all mail
domains are implemented as DNS domains.

x,3 Implement SPF -ALL policies on unused names.

Organizations that have configured SPF to protect their valid
RFC5321.MailFrom domains may not have taken the extra measure of using SPF
to obstruct names that are not used for mail.  While not directly part of
DMARC, an authentication result of "DMARC=NONE SPF=FAIL" is a more
meaningful result than "DMARC=NONE, SPF=NONE".  Consequently, it is
desirable to  ensure SPF=FAIL for any names that are never used as
RFC5321.MailFrom domain names.   Since SPF has no inheritance, this
requires many entries.

To demonstrate, assume that the domain "nomail.example.com" contains only a
webserver at "www.nomail.example.com".   Multiple SPF records are needed to
maximize protection of this subdomain from improper use.   An SPF policy of
"-ALL" is needed on:
- the domain itself, nomail.example.com,
- named resource records, including www.nomail.example.com
- the wildcard resource record, *.example.com.