Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
Seth Blank <seth@sethblank.com> Thu, 17 August 2017 01:33 UTC
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2FE7132391 for <dmarc@ietfa.amsl.com>; Wed, 16 Aug 2017 18:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aKAVchWV2viq for <dmarc@ietfa.amsl.com>; Wed, 16 Aug 2017 18:33:12 -0700 (PDT)
Received: from mail-vk0-x234.google.com (mail-vk0-x234.google.com [IPv6:2607:f8b0:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D1A13226B for <dmarc@ietf.org>; Wed, 16 Aug 2017 18:33:12 -0700 (PDT)
Received: by mail-vk0-x234.google.com with SMTP id r199so17936130vke.4 for <dmarc@ietf.org>; Wed, 16 Aug 2017 18:33:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=VXg++ur8eJ1jiEWQu8XzzxcWY/C+z8vcz8KxoTd8Gqs=; b=YBovG6GWv1CJAFczCIHZszrBVW6ukm7nIBFOJaaDdek11LaG1z1s3UhYhnR2Psr+BQ uqe7/dt5eE94IxiC2GbxYhzqjlEUjXIt+AgVOs6dXW5kRdnH0KQl/0+Lg9Q9/3cLyT2Y OCqOCTKfIfmCpwlgEbc9AP6rz+PADgK84wVzd7gwFbwifL45+zBXBq17Z9Dkq1kW6HUu JNVmUWU3e7UPii2ADmLeH0vNDsJeGQK0D3QQUA11Eizw2EKxnw+tCafLbiDpj97yYt7x SIrnXwdu8XKR+mmMCm8fAlWX7sk+eLJNbwhp4+qkkQCw9JVE8HnNyBaDsPFPZkkh6x6r 0dTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=VXg++ur8eJ1jiEWQu8XzzxcWY/C+z8vcz8KxoTd8Gqs=; b=M4q9+hky/siczO1KsDDBsdXZjnUD5FFeyC5oBSXkEhsxsSs/E1tB5fEIAQnbwIFrHc ceVE/xqP9WI+MTqTXk9CxYuhHCn4Kt913HlJYxY8vf/otViC0L6sJn4N8J0sAgbN2MVF wDSolgucjT/GLnIgTORSi3VsvgQRY4fEDfpNbU2PqyHIrtWH7+qOWyYC5CqHz5sTm4dh Wi/2cByCYY0t6Bw4FP6URZL56LJcwNcjYSRph0dDYnI/WMlXy8ic5WKP9IcAhhrVKj72 PiEjYWw8ExmoGrwLHXzQvU+WT/i4ufYsQ4Qoo0pw+idwz61bnlAcopGWxijM5EKarTxN Qz0A==
X-Gm-Message-State: AHYfb5jnDd8fiA0ouvdOtQXW8wHX/Gv62FVLm7bYvFdPYi5W5MRkKvmU Nd/Js5Z+Iw4sO4jbBrH0wiB66AtN8yfUlIs=
X-Received: by 10.31.98.65 with SMTP id w62mr2288619vkb.160.1502933591309; Wed, 16 Aug 2017 18:33:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.89.22 with HTTP; Wed, 16 Aug 2017 18:32:50 -0700 (PDT)
In-Reply-To: <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com>
References: <1502083287.2191248.1065195288.7CDC7FF3@webmail.messagingengine.com> <CABuGu1oTMbuLd4yTwecu5sKFnsmH+HiwT1FG=JpySYHzpMTx_w@mail.gmail.com> <1502200759.3946686.1066841264.607B4D0B@webmail.messagingengine.com> <2720431.u3G7bbkkxK@kitterma-e6430> <1502317564.1935379.1068588344.040173AF@webmail.messagingengine.com> <a08c7590-ded3-1642-4ffc-07848b3c6cd2@gmail.com> <e14f2130-6f00-4ef1-485b-850a4cc1c48c@gmail.com> <1502495646.4099176.1070896040.2B09B1F8@webmail.messagingengine.com> <166070f0-4ba1-70da-1f73-885b4a7f7640@gmail.com> <1502497178.4103451.1070917304.23DD466D@webmail.messagingengine.com> <598F9484.7020700@isdg.net> <CABuGu1p=oLfLRkuoaDHoz3Cv3_FrURdsFPzkac7jNzBpqBmiSg@mail.gmail.com> <599484FB.9050908@isdg.net> <1502929303.4038704.1075868960.5D80A788@webmail.messagingengine.com> <CAD2i3WN_bmDgmQBw3pnyu7vWJJM2Kzwgru87VhK=NA_H91B+og@mail.gmail.com> <1502930858.4042926.1075890568.5069945B@webmail.messagingengine.com>
From: Seth Blank <seth@sethblank.com>
Date: Wed, 16 Aug 2017 18:32:50 -0700
Message-ID: <CAD2i3WMFpQzX-gGRfnPkKT+XrdiapDcjFpBqsy0CBEb+jwjMRA@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c095a36d4dbd70556e8fe8a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tpJm0TgFhtPsgQFoBCcvFuSSz_w>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 01:33:15 -0000
On Wed, Aug 16, 2017 at 5:47 PM, Bron Gondwana <brong@fastmailteam.com> wrote: > > While there exists A SINGLE SITE which is ARC-unaware and DMARC p=reject > aware, you can't use ARC on a DMARC p=reject domain without rewriting the > sender. Otherwise that site will bounce the email. > > You still have to rewrite the sender until there is either full adoption > or sufficient adoption that you just don't care about the stragglers. > > ARC doesn't solve that unless every receiver is either ARC-aware or > DMARC-unaware. Hence the suggestion that I think Hector is making - to > define a new policy p=rejectnonarc or something, which means that sites > which are ARC-unaware accept rather than reject. > So this is an excellent and crucial point that has been discussed again and again on and off this list. ARC only works if critical mass can be reached - both of intermediaries who break DKIM and receivers who evaluate ARC. Fundamentally, ARC will never reach critical mass if senders now also need to enter into the equation with an additional flag on their DMARC record. This is too high a bar and increases the interoperability problems as opposed to reducing them. For now, there is a clear unanswered question: what coverage of receivers is needed for most mailing lists to achieve stable delivery once ARC is in the mix? Knowing the landscape of receiving domains, I believe this to be a small number. From the above comments, I'm guessing you think this is a large number. We're not going to resolve this difference of opinion in an open forum. However, releasing ARC as an experiment into the wild for major lists like the IETF and M3AAWG will give us very clear data very quickly on what the actual landscape looks like, and what ARC does and does not solve. In its current form, ARC only helps mail flows, it does not harm them. How effective this improvement is remains to be seen, but preliminary information I've been hearing about (which could be totally wrong) makes it seem like the improvements are dramatic. So let's get ARC tied off as an Experiment (thank you, Dave Crocker), collect some data, and see where things stand. Maybe things are great and ARC can move to proposed standard. Maybe it fundamentally needs more receivers in the mix than currently expected, and some fix for that is needed. But we'll know that after the experiment has begun, not before.
- [dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos