IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Todd Herr <todd.herr@valimail.com> Wed, 29 March 2023 13:33 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C34C8C13AE58 for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 06:33:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P_pL-Z6ItWba for <dmarc@ietfa.amsl.com>; Wed, 29 Mar 2023 06:33:28 -0700 (PDT)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91079C13AE32 for <dmarc@ietf.org>; Wed, 29 Mar 2023 06:33:28 -0700 (PDT)
Received: by mail-pf1-x42e.google.com with SMTP id u38so10281643pfg.10 for <dmarc@ietf.org>; Wed, 29 Mar 2023 06:33:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1680096808; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=dDBEPDuYpD8S6DbtvSYgvp6avLIkWqGqYsbkyIKl0Zo=; b=CU3jxcujcAtWpoJFUf7doBCiMpcULT7Y0KSM1XAFHvOZ135JEdmcmdRIt2sUNnjSw3 nVAES4NhxsQH+DRge9jm1zsWLblxsSPWTKaFdVFAwtvHzdgXzXqOZ10FxtkJyi5zFlcH x1YT1ZDzcgAt+HWta/8ZbbgT+ASQDOFbqYmTz16bNco1erMwphB02ZEOkGBr0lr6Qh/g riECZWlLPEt6FrUZeu9GuUnaOk5UfPzRqzWbqyl79PrZNvTrqQgudn/Soy1S7b2SAQGP Q3fLKjQ1mLFTKj63aGPYFPJM0zuvH58vGn+NhNVSiC8wH1iS53C3EDVs/fys69W6nBrs hV+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680096808; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=dDBEPDuYpD8S6DbtvSYgvp6avLIkWqGqYsbkyIKl0Zo=; b=XtBYCReWUz2sLW9XE9Fl2ORrRsgZ/SIOLU9JHQjYwsUk5yMDfzrKjnaMCvEw4owSnM WmmKQlciyErmjkwBzEWfcrRowt2gg1Lr9Oy9zUSVW5QXpICHgr3cOj1z+V3xFzO91++1 HJmdpFmZQiaqG5WMWu2aADDGizThomrfxH6+5D9j1mQsTsTNTATLqdt0Z8MAVSnZV4es a1zyazPlmEUL4C+Mzx5r/S6dBgWa6FHNNzBFG8YzRrKMuae4j4raUxx8Cigu9lkeWrvj n3GHMGBbtf7XOyqtcqofUGV7CgNKzXobt0RLuvge11PNZB3zUdzZi7yRh1NeK0QZ1sZP N2zQ==
X-Gm-Message-State: AAQBX9eO7lxcfkj6ZZFotB7NTq4kZI1uTT/OhroHzU1dnbkqPIFnjVju pM0DpuMWHj+oFyXkxnY3UxKmQGtBsLa+SGQnRfvpE91SLSGMDMZbH3w=
X-Google-Smtp-Source: AKy350YAnn8kHwCCE8FQeIAmAPgIYyb0eYOsZ5KeXQGn+ks3Rv7FQLIKSwicQOJSMRMGbLdUim31JHc4b0lgSfQLQNM=
X-Received: by 2002:a05:6a00:2286:b0:627:e6d5:ba2d with SMTP id f6-20020a056a00228600b00627e6d5ba2dmr10595761pfe.6.1680096807650; Wed, 29 Mar 2023 06:33:27 -0700 (PDT)
MIME-Version: 1.0
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <6319292.vCqnBZbX7o@localhost> <CAHej_8nd1xyAgwASLJbuJHyXEAfHbjqxNH1XtJxKFyfyOneyug@mail.gmail.com> <13145172.pEV04Z3DvM@localhost> <CAHej_8msLJQ0vbZ2jzitjxrQ1wdim5bHJkiD-QrU5F0EJvQp0g@mail.gmail.com> <FCFEB95E-63F9-46C3-A5F4-FA6B02FA8EB5@episteme.net>
In-Reply-To: <FCFEB95E-63F9-46C3-A5F4-FA6B02FA8EB5@episteme.net>
From: Todd Herr <todd.herr@valimail.com>
Date: Wed, 29 Mar 2023 09:33:11 -0400
Message-ID: <CAHej_8=GbmzyXaeEkyLkv6uKc0-owuMC6UspPNq9irT7nF8b7w@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="00000000000068a03205f80a0587"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/u0kw_orqI2yq74P0FX6UN0cl4pA>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2023 13:33:32 -0000

On Tue, Mar 28, 2023 at 9:06 PM Pete Resnick <resnick@episteme.net> wrote:

> If you agree that interoperability is increased, then I'd suggest that you
> actually do agree that the proposed text is appropriate.
>
>
> I don't know that I agree that interoperability is increased...

I'm having trouble squaring proposed language that says "Domain owners MUST
NOT publish p=reject because it breaks interoperability" with the following
language from section 5.8:

Mail Receivers **MAY** choose to accept email that fails the DMARC

mechanism check even if the published Domain Owner Assessment Policy

is "reject". In particular, because of the considerations discussed

in [@!RFC7960], it is important that Mail Receivers **SHOULD NOT** reject

messages solely because of a published policy of "reject", but that

they apply other knowledge and analysis to avoid situations such as

rejection of legitimate messages sent in ways that DMARC cannot
describe, harm to the operation of mailing lists, and similar.


It seems inconsistent to state with certainty that authorized mail will be
rejected due to authentication breakage when there is no requirement that a
reject policy be honored (and we have plenty of evidence that Mail
Receivers are following the 'SHOULD NOT reject messages' guidance).

Language that would be more consistent in guidance to the domain owners
might look something like this:

After careful analysis of the aggregate report data as described in section
5.5.5

(Collect and Analyze Reports), Domain Owners **MAY** choose to change their
policy from 'none' to 'quarantine' or 'reject'. If, in the Domain
Owner's judgement,

unauthorized and deceptive use of its domain name in the RFC5322.From field
puts

at risk the trust it has built with its recipients, then it is
**RECOMMENDED** that

the Domain Owner make use of the p and/or sp tags to set policy to
'quarantine' or

'reject' for those streams most at risk of loss of trust.


If going that route, probably want to consider expanding on 5.5.5, too; I
need to think about it some more.

-- 

*Todd Herr * | Technical Director, Standards and Ecosystem
*e:* todd.herr@valimail.com
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email