Re: [dmarc-ietf] Signaling MLMs

["Murray S. Kucherawy" <superuser@gmail.com>]

On Fri, Apr 14, 2023 at 10:20 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Fri 14/Apr/2023 15:47:12 +0200 Scott Kitterman wrote:
> > On April 14, 2023 1:29:58 PM UTC, "Murray S. Kucherawy" <
> superuser@gmail.com> wrote:
> >> On Fri, Apr 14, 2023 at 4:31 AM Alessandro Vesely <vesely@tana.it>
> wrote:
> >>
> >>> Heck, MLMs should start rejecting messages sent from domains that
> publish a
> >>> blocking policy *when they fail authentication on entry*!!
> >>
> >> That's not enough to avoid the damage we're talking about.
>
> Agreed.  Yet, it is a sane half-way between crazy rejecting always and
> completely ignoring ABUSE.
>

Both DKIM (certainly) and SPF (I'm pretty sure) advocate against rejection
of messages merely because they fail authentication on ingress.  They both
acknowledge that there are perfectly legitimate mail flows where that can
happen.  Since DMARC is built on those foundations, I think your assertion
strains reason.  That is, it's weird to say "If you observe DKIM and SPF,
don't reject; but if you observe DMARC, do."

>>> From: rewriting is the de-facto standard.  In DMARCbis we can only
> >>> substitute "de-facto" with "proposed".  Better methods, implying
> >>> different, possibly experimental, protocols are to be defined in
> >>> separate documents. >>
> >> Are you suggesting we put that forward as our Proposed Standard way of
> >> dealing with this problem?  It's been my impression that this is not a
> >> solution that's been well received.
>
> I agree there are better solutions, but they're not yet developed.  As
> ugly as
> it may be, From: munging is the emerged solution.  It is a _fact_.  Now
> repeat
> again that the IETF standardized facts, not theories...
>

Let's put the challenge back on you: Where's your evidence that From
munging is the emerged consensus solution that this working group should
standardize?  Where is this _fact_?  If we advance that as a Proposed
Standard, the community will quite reasonably ask why we think this is
true, and we're going to need to be able to answer them.  If working group
consensus agrees, then away we go.

Laura, I believe, enumerated a few reasons why it doesn't work all that
well.  We'll need to explain why that's all fine.


> >> What you describe as "cannibalizing" is actually a matter of presenting
> the
> >> correct normative advice about interoperability.
>
> It is nonsensical.  It means DMARC is only useful for looking at the
> reports.
> If that's really what we think, we'd be better off deprecating p=
> completely.
> Otherwise, let's wait until next April 1st and publish it as such.  It's
> ridiculous.
>

I think that's rather hyperbolic, but ignoring that for the moment, there
is some validity to the idea that the reports part of DMARC is the only
part of DMARC that does not disrupt interoperability.

>>  So I don't agree at all with that characterization.
> >
> > Agreed.  If people can't get over saying some domains will have
> > interoperability problems when that's demonstrably a technically
> accurate
> > statement (and I don't see anyone claiming it isn't), I don't see how
> > progress is possible.
>
> I agree that we have to say that some domains have interoperability
> problems as
> a consequence of DMARC.  Let's say that MLMs MUST do From: munging unless
> (or
> until) better solutions arise, or unless they don't alter messages.
>
> We're proposing email authentication, not anything less.
>

Sure, but that proposal is -- clearly by now -- fraught with disruption.
We can't ignore it because it's inconvenient to DMARC's goal.

This is the first time I've ever heard someone push the idea that From
munging deserves Proposed Standard status.  I'd be happy to hear what
others think.  If that's actually a sleeper consensus of some kind, then
out with it.

-MSK, participating