[dmarc-ietf] Proposed text to close out Ticket 96
Seth Blank <seth@valimail.com> Wed, 05 April 2023 21:35 UTC
From: Seth Blank <seth@valimail.com>
Date: Wed, 05 Apr 2023 14:34:51 -0700
Message-ID: <CAOZAAfPOA19CGgyL_O98U++rkZLdHmzscS+_WM1HYgXWi2Qp3A@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ul61P7B0Rlb2zdUGK4-TBPE8dcc>
https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/96

I tried to write up an INFORMATIONAL paragraph, for ticket #96, and it kept on coming out strangely and did not feel appropriate in the document as a section unto itself. However, I think we can meet the intent of this ticket by condensing it into two definitions for section 3.2, an added sentence to 5.5.4 and a new paragraph in 5.5.6 (that stands regardless of the output of the other thread in process on 5.5.6), as follows:

3.2.

Monitoring Mode: At p=none with a valid reporting address, the domain owner receives reports that showcase authorized and unauthorized mail streams, as well as gaps pertaining to authentication information pertaining to both streams.

Enforcement: When the Organizational Domain and all subdomains below it are covered by a policy that is not none. This means that the domain and its subdomains can only be used to send mail that is properly authenticated, and mail using the domain name that is unauthenticated will not reach the inbox of a mail receiver that validates DMARC.

5.5.4 OLD

Once SPF, DKIM, and the aggregate reports mailbox are all in place, it's time to publish a DMARC record. For best results, Domain Owners usually start with "p=none", (see Section 5.5.5) with the rua tag containing a URI that references the mailbox created in the previous step. If the Organizational Domain is different from the Author Domain, a record also needs to be published for the Organizational Domain.

5.5.4 NEW

Once SPF, DKIM, and the aggregate reports mailbox are all in place, it's time to publish a DMARC record. For best results, Domain Owners usually start with "p=none", (see Section 5.5.5) with the rua tag containing a URI that references the mailbox created in the previous step. This is commonly referred to as putting the Author Domain into Monitoring Mode.

If the Organizational Domain is different from the Author Domain, a record also needs to be published for the Organizational Domain.

5.5.6 OLD

Once the Domain Owner is satisfied that it is properly authenticating all of its mail, then it is time to decide if it is appropriate to change the p= value in its DMARC record to p=quarantine or p=reject. Depending on its cadence for sending mail, it may take many months of consuming DMARC aggregate reports before a Domain Owner reaches the point where it is sure that it is properly authenticating all of its mail, and the decision on which p= value to use will depend on its needs.

5.5.6 NEW

Once the Domain Owner is satisfied that it is properly authenticating all of its mail, then it is time to decide if it is appropriate to change the p= value in its DMARC record to p=quarantine or p=reject. Depending on its cadence for sending mail, it may take many months of consuming DMARC aggregate reports before a Domain Owner reaches the point where it is sure that it is properly authenticating all of its mail, and the decision on which p= value to use will depend on its needs.

Some Domain Owners may wish to ensure a policy exists for the Organizational Domain and all its subdomains, which is known as the Organizational Domain being at Enforcement. This prevents the entire Organizational domain's hierarchy from exact-domain spoofing. This is difficult for many Domain Owners to achieve, as they must repeat the above process to ensure mail is properly authenticated for each subdomain. Being at Enforcement means an Organizational Domain has no recourse if Mediators modify authentication information as outlined in section 8.5.

-- 
Seth Blank | Chief Technology Officer
e: seth@valimail.com
p: 415.273.8818
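The Monitoring Mode and Enforcement definitions proposed in this message, worked as a small classifier over published DMARC records. This is an added example, not text or code from the message, the working group or the draft. It assumes the _dmarc TXT records have already been fetched into a dict (no live DNS is queried), takes the Organizational Domain as an input rather than deriving it (the PSL or tree-walk lookup is out of scope), and uses constructed sample records; the fallback for a malformed p or sp tag follows what RFC 7489 section 6.6.3 tells receivers to do.

```python
"""Classify a domain's DMARC posture as Monitoring Mode, Enforcement, or
something in between, from already-fetched _dmarc TXT records."""
from typing import Optional

VALID_POLICIES = {"none", "quarantine", "reject"}

# Constructed sample zone data (assumption: one TXT record per owner name,
# keyed by "_dmarc.<domain>"). None of these are real records.
SAMPLE_ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:agg@example.com",
    "_dmarc.example.net": "v=DMARC1; p=reject; rua=mailto:agg@example.net",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=none; rua=mailto:agg@example.org",
    "_dmarc.shop.example.org": "v=DMARC1; p=quarantine",
    "_dmarc.example.io": "v=DMARC1; p=quarantine; rua=mailto:agg@example.io",
    "_dmarc.mail.example.io": "v=DMARC1; p=none; rua=mailto:agg@example.io",
    "_dmarc.example.edu": "v=DMARC1; p=none",
    "_dmarc.example.biz": "v=DMARC1; p=bogus; rua=mailto:agg@example.biz",
}


def has_valid_rua(tags: dict) -> bool:
    """A usable reporting address: at least one mailto: URI in the rua tag."""
    uris = [u.strip().lower() for u in tags.get("rua", "").split(",")]
    return any(u.startswith("mailto:") and "@" in u for u in uris)


def parse_dmarc(record: str) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict, or None if it is unusable.
    A record whose p (or sp) is missing/invalid but that carries a usable rua
    is treated as p=none, as RFC 7489 section 6.6.3 directs receivers to do."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    bad_p = tags.get("p") not in VALID_POLICIES
    bad_sp = "sp" in tags and tags["sp"] not in VALID_POLICIES
    if bad_p or bad_sp:
        if has_valid_rua(tags):
            return {"v": "DMARC1", "p": "none", "rua": tags["rua"]}
        return None
    return tags


def lookup(zone: dict, domain: str) -> Optional[dict]:
    """Fetch and parse the _dmarc record for a domain from the in-memory zone."""
    record = zone.get("_dmarc." + domain.lower().rstrip("."))
    return parse_dmarc(record) if record else None


def effective_policy(zone: dict, domain: str, org_domain: str) -> Optional[str]:
    """Policy a receiver applies to mail from `domain`: the domain's own record
    if it publishes one, otherwise the Organizational Domain's sp (default p)."""
    own = lookup(zone, domain)
    if own is not None:
        return own["p"]
    org = lookup(zone, org_domain)
    if org is None:
        return None
    return org["p"] if domain == org_domain else org.get("sp", org["p"])


def classify(zone: dict, org_domain: str, known_subdomains=()) -> str:
    """Return one of: no-policy, none-without-reporting, monitoring, partial,
    enforcement.  Enforcement requires the org domain, the sp default and
    every known subdomain with its own record to be at a non-none policy."""
    org = lookup(zone, org_domain)
    if org is None:
        return "no-policy"
    if org["p"] == "none":
        # Monitoring Mode is p=none *with* a valid reporting address.
        return "monitoring" if has_valid_rua(org) else "none-without-reporting"
    covered = [org.get("sp", org["p"])]
    covered += [effective_policy(zone, sub, org_domain) for sub in known_subdomains]
    return "enforcement" if all(p != "none" for p in covered) else "partial"


if __name__ == "__main__":
    for org in ("example.com", "example.net", "example.org", "example.io", "example.edu"):
        print(org, classify(SAMPLE_ZONE, org, [s for s in ("shop." + org, "mail." + org)]))
```

The `known_subdomains` argument is where the caveat from the proposed 5.5.6 text shows up: the classifier can only vouch for subdomains it is told about, so `example.io` reads as at Enforcement until `mail.example.io` (which publishes its own p=none) is included, at which point it drops to partial. Reaching Enforcement in practice means enumerating and authenticating every subdomain that sends mail, exactly the repeated per-subdomain process the message describes.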