IETF Logo Mail Archive

[dmarc-ietf] Proposed text to close out Ticket 96

Seth Blank <seth@valimail.com> Wed, 05 April 2023 21:35 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69271C15152B for <dmarc@ietfa.amsl.com>; Wed, 5 Apr 2023 14:35:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rc1EII2iCk0S for <dmarc@ietfa.amsl.com>; Wed, 5 Apr 2023 14:35:05 -0700 (PDT)
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1D36C14CE53 for <dmarc@ietf.org>; Wed, 5 Apr 2023 14:35:05 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id h25so48458387lfv.6 for <dmarc@ietf.org>; Wed, 05 Apr 2023 14:35:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1680730503; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=oQty1r/vUyHQBdQ/YZ9RLD9V7+aZd81Atz0v3Fbj0Xw=; b=HPURiYvDO/zRkCyVhpcEJwtFc8BoQmSJROyyIBadvtA8qAVqoGRS1J6FNgtGj/5qDF CxaNDcvD+vTNLUh5sAAOlIWpl8TV2wEHTkaPRS7Fevq8WO07dtn0w1Gk5kVZv3Nagvxf msw65snjWYntGm3+ooKVHF8FXqec0LIyV6MIlGFTciwJ9imPlnJRa7mF/IYM9j0ZtQUC aFfxpB5rJqWT+8HetudYtgb4PCAXteo/uXXSulVAsiSNR0oVH1mdRfaOsFNC9UAvKdsc vfadz5izb+0gXaC6kHI2SHakDq4xqHWqyLtrsVhQBzD0p5JHrwgdqVjUCDPGZ6wRWxBJ /e4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680730503; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=oQty1r/vUyHQBdQ/YZ9RLD9V7+aZd81Atz0v3Fbj0Xw=; b=dwolr9HvmH/giGtAdi+XR7eu6cL8qomsqKat+GPVn31U91T0V2TDaI0Wcpkhtk040+ sebQhBbx+8C6/brWNQhawm2Lo7x8dVClL2WyJjvUNbmMNDrHO8SixI7+x9wUE8olQMuE tbE9U/KAdJc1izjIbYPqv2ReXHkl+T/LECO4+aaTPcn7evhwcgB7MOIyBLLP0u1haAM3 8x/SfWN4ykyleCLD7qlr0fg3a8ye3n6FAB31Ez3L2ZMIXLmt+fOL40FW7mAndMUthFo5 vs8NR37eXTCwAugoDHvsWEJjk233tte3CvhnygFMLIAFNgKlUSRwizljlqqGktWEHnOV v2+w==
X-Gm-Message-State: AAQBX9fUo+u4AjCaXwU7Hdao2i1xgLy1rn0TiWfV70FZdvyHukhy558I YPL0Wb9g5VCL5GyjU1V1Xsjr7ROFBE/okl136ixxgdgz/GW+ThWSUKY=
X-Google-Smtp-Source: AKy350ZU8CW7HDy5jsEb4y8RDo3VcPEY9mvugTNpeGI6lvvXQ/gUgnQrmboamAiLrd/6gqwQDzRtjmG7FY3gknxwTjA=
X-Received: by 2002:ac2:5291:0:b0:4e9:22ff:948d with SMTP id q17-20020ac25291000000b004e922ff948dmr2297916lfm.7.1680730503263; Wed, 05 Apr 2023 14:35:03 -0700 (PDT)
MIME-Version: 1.0
From: Seth Blank <seth@valimail.com>
Date: Wed, 05 Apr 2023 14:34:51 -0700
Message-ID: <CAOZAAfPOA19CGgyL_O98U++rkZLdHmzscS+_WM1HYgXWi2Qp3A@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009c53e505f89d90c8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ul61P7B0Rlb2zdUGK4-TBPE8dcc>
Subject: [dmarc-ietf] Proposed text to close out Ticket 96
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Apr 2023 21:35:09 -0000

https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/96

I tried to write up an INFORMATIONAL paragraph, for ticket #96, and it kept
on coming out strangely and did not feel appropriate in the document as a
section unto itself.

However, I think we can meet the intent of this ticket by condensing it
into two definitions for section 3.2, an added sentence to 5.5.4 and a new
paragraph in 5.5.6 (that stands regardless of the output of the other
thread in process on 5.5.6), as follows:

3.2.

Monitoring Mode: At p=none with a valid reporting address, the domain owner
receives reports that showcase authorized and unauthorized mail streams, as
well as gaps pertaining to authentication information pertaining to both
streams.

Enforcement: When the Organizational Domain and all subdomains below it are
covered by a policy that is not none. This means that the domain and its
subdomains can only be used to send mail that is properly authenticated,
and mail using the domain name that is unauthenticated will not reach the
inbox of a mail receiver that validates DMARC.

5.5.4 OLD

Once SPF, DKIM, and the aggregate reports mailbox are all in place, it's
time to publish a DMARC record. For best results, Domain Owners usually
start with "p=none", (see Section 5.5.5) with the rua tag containing a URI
that references the mailbox created in the previous step. If the
Organizational Domain is different from the Author Domain, a record also
needs to be published for the Organizational Domain.

5.5.4 NEW

Once SPF, DKIM, and the aggregate reports mailbox are all in place, it's
time to publish a DMARC record. For best results, Domain Owners usually
start with "p=none", (see Section 5.5.5) with the rua tag containing a URI
that references the mailbox created in the previous step. This is commonly
referred to as putting the Author Domain into Monitoring Mode. If the
Organizational Domain is different from the Author Domain, a record also
needs to be published for the Organizational Domain.

5.5.6 OLD

Once the Domain Owner is satisfied that it is properly authenticating all
of its mail, then it is time to decide if it is appropriate to change the
p= value in its DMARC record to p=quarantine or p=reject. Depending on its
cadence for sending mail, it may take many months of consuming DMARC
aggregate reports before a Domain Owner reaches the point where it is sure
that it is properly authenticating all of its mail, and the decision on
which p= value to use will depend on its needs.

5.5.6 NEW

Once the Domain Owner is satisfied that it is properly authenticating all
of its mail, then it is time to decide if it is appropriate to change the
p= value in its DMARC record to p=quarantine or p=reject. Depending on its
cadence for sending mail, it may take many months of consuming DMARC
aggregate reports before a Domain Owner reaches the point where it is sure
that it is properly authenticating all of its mail, and the decision on
which p= value to use will depend on its needs.

Some Domain Owners may wish to ensure a policy exists for the
Organizational Domain and all its subdomains, which is known as the
Organizational Domain being at Enforcement. This prevents the entire
Organizational domain's hierarchy from exact-domain spoofing. This is
difficult for many Domain Owners to achieve, as they must repeat the above
process to ensure mail is properly authenticated for each subdomain. Being
at Enforcement means an Organizational Domain has no recourse if Mediators
modify authentication information as outlined in section 8.5.

-- 

*Seth Blank * | Chief Technology Officer
*e:* seth@valimail.com
*p:* 415.273.8818

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email