IETF Logo Mail Archive

Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt

Scott Kitterman <sklist@kitterman.com> Mon, 25 April 2022 03:33 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F30A33A1C8B for <dmarc@ietfa.amsl.com>; Sun, 24 Apr 2022 20:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=BXfNKJmR; dkim=pass (2048-bit key) header.d=kitterman.com header.b=ZrGnY1FB
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z1Ij-pUcI_w0 for <dmarc@ietfa.amsl.com>; Sun, 24 Apr 2022 20:33:10 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12B933A1C87 for <dmarc@ietf.org>; Sun, 24 Apr 2022 20:33:09 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 19DB3F8023A for <dmarc@ietf.org>; Sun, 24 Apr 2022 23:33:04 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1650857583; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding : from; bh=UQMEunBn7f08qmHLdyqaWYcoHu7Ec7Lz9SwDX9MbPyQ=; b=BXfNKJmRk1fT2eErJL0HmU5b84mNGWrnXx3gBF869mN+Z3l+UHpWz6tEhoydijQyvolJB FkBN0RNLsH6AmDsCQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1650857583; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding : from; bh=UQMEunBn7f08qmHLdyqaWYcoHu7Ec7Lz9SwDX9MbPyQ=; b=ZrGnY1FBs2XPmwkmcTN4otsJBdT/qnwZDtN82u/0Etb+BksMFzPeqoEVaIzq8HhzBVl+q AF67cNb01j1bohMbPVkBbX5+pUCNyYkFI5yA/nUieuZmJ9e5c7+WiaTymcNxrSsZV6e6DgX XaByIo3AVzo6oO5v/0Duth+XVEIulh0eLzkY+rKCCYs2SSi4A+DajgQcyjxs7pQgwBbwbNW gJBNHVAzlNbg1GhkQv/fjygs985KcZ+8rAO/uL5i2Z8b6OWJ0um03PRuA8XEju+ujBNQuIm weczyYrHb8FJOdwbyrxDx/DaSmCT6yCMTsBg+r3CP+44dT3lYGTmKjO9zySA==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id D4056F8009F for <dmarc@ietf.org>; Sun, 24 Apr 2022 23:33:03 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Sun, 24 Apr 2022 23:33:03 -0400
Message-ID: <8511537.A12uD9ORHo@zini-1880>
In-Reply-To: <CAHej_8=9JsLyXRTXCdh1h918o8ZUPVEMfZB0W760c51s2SWKSA@mail.gmail.com>
References: <164925666278.4445.13789431014958416691@ietfa.amsl.com> <30789809-B1ED-4757-86CC-0E3C571B1299@kitterman.com> <CAHej_8=9JsLyXRTXCdh1h918o8ZUPVEMfZB0W760c51s2SWKSA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="nextPart4537285.JEN02GvCa8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/u1ojngiYyT7vsjx05WHGIVruKT0>
Subject: Re: [dmarc-ietf] I-D Action: draft-ietf-dmarc-dmarcbis-07.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 03:33:15 -0000

On Friday, April 22, 2022 10:57:21 AM EDT Todd Herr wrote:
> On Fri, Apr 22, 2022 at 9:15 AM Scott Kitterman <sklist@kitterman.com>
> 
> wrote:
> > On April 22, 2022 7:35:29 AM UTC, Robert <aradesh@gmail.com> wrote:
> > >In section 4.8. Organizational Domain Discovery, we have:
> > >   Note: There is no need to perform Tree Walk searches for
> > >
> > >   Organizational Domains under any of the following conditions:
> > >...
> > >
> > >   *  There is no SPF pass result and no DKIM pass result for the
> > >   
> > >      message.  In this case, there can be no DMARC pass result, and so
> > >      the Organizational Domain of any domain is not required to be
> > >      discovered.
> > >
> > >---
> > >We would still want to find a record to know who to send failure
> > >reports to no? And this would involve some sort of tree walk if the
> > >MAIL FROM doesn't have a record. Should it be changed to something it
> > >
> > >like:
> > >   *  There is a DMARC record at the RFC5321.MailFrom domain and there
> > >   
> > >      is no SPF pass result and no DKIM pass result for the
> > >      message.  In this case, there can be no DMARC pass result, and so
> > >      the Organizational Domain of any domain is not required to be
> > >      discovered.
> > 
> > I agree the current text is a problem.
> > 
> > This case is guaranteed not to pass, so you would need to know what policy
> > to apply.  There's another item in the note that addresses the portion of
> > this case where the 5322.From domain has a DMARC record.  If the 5322.From
> > domain doesn't have a DMARC record then we do need to find the org domain
> > to determine the policy to apply.  I think this should be deleted, not
> > modified.
> 
> I believe when I wrote what's current section 4.8 that I was operating from
> the assumption that tree walks would be performed sequentially, not
> simultaneously, and in the following order:
> 
>    1. DMARC Policy Discovery
>    2. Organizational Domain Discovery
> 
> Note that the second bullet in this section, which is elided in the thread,
> reads:
> 
> 
>    - No applicable DMARC policy is discovered for the RFC5322.From domain
>    during the *first* tree walk. In this case, the DMARC mechanism does not
>    apply to the message in question.
> 
> Further, the thinking here was that the Organizational Domain is only
> necessary to discover when relaxed alignment must be determined between the
> RFC53222.From domain and either the SPF or DKIM domain (or both) don't
> match the RFC5322.From domain, and we've already determined that DMARC is
> in play because we found the applicable DMARC policy during the first tree
> walk.
> 
> All that aside, I'll happily update the text for the next rev once there is
> text proposed.

I've looked at it again and I think the paragraph can simply be deleted (see 
attached for rfcdiff).  It looks to me like this is addressed adequately in the 
main text of the section, which now includes:

>    *  The RFC5321.MailFrom domain if there is an SPF pass result for the
>       message.
>    
>    *  Any DKIM d= domain if there is a DKIM pass result for the message
>       for that domain.

That adequately covers the question of if a tree walk is needed to find an SPF/
DKIM related org domain.

Scott K

v2.23.0 | Report a Bug | By Email