Re: [dmarc-ietf] Reporting rewrites

[Alessandro Vesely <vesely@tana.it>]

On Thu 05/Aug/2021 13:34:59 +0200 Todd Herr wrote:
> On Thu, Aug 5, 2021 at 3:02 AM Alessandro Vesely <vesely@tana.it> wrote:
>> On Wed 04/Aug/2021 19:40:31 +0200 Todd Herr wrote:
>>> On Wed, Aug 4, 2021 at 5:32 AM Alessandro Vesely <vesely@tana.it> wrote:
>>>> On Tue 03/Aug/2021 22:42:07 +0200 Todd Herr wrote:
>>>>>
>>>>> [...]
>>>>> I can then examine the differences in the reports, suss out
>>>>> which intermediaries aren't rewriting the From: header, and
>>>>> decide if I care enough about the volume I'm sending to those
>>>>> intermediaries to have it affect my decision to move to a
>>>>> stronger assessment policy.
>>>>
>>>> Examining the difference in the reports sounds hard, especially if the
>>>> mail flows and remote operators' settings changed since p=none.  As a
>>>> matter of fact, p=none lets a domain learn more about its mail flows,
>>>> since aggregate reports contain DKIM and SPF identifiers of mediators.
>>>
>>> This is only true if the From: header is not munged. If it's munged to use
>>> the domain of the intermediary, the originator will not see data about the
>>> hop from the intermediary to the reporting destination in its aggregate
>>> reports.
>>
>> If the final receiver sent such data to the originator, then the
>> originator would see it.
> 
> Why or how could the final receiver send a report to the originator, though?
> 
> DMARC record lookup is based on the From: domain.


MLM transformations are not meant to conceal it.


> If the From: domain is munged so that it's now one that belongs to the
> intermediary, there's no way to know what the originating domain was,
> because there's no standard for munging.
> 
> Perhaps at a future date, if draft-vesely-dmarc-mlm-transform or similar
> becomes a widely adopted and implemented standard, then receivers might be
> able to easily send reports to originators.


Since munging is not a standard, I don't think unmunging could be. 
However, as we're granting citizenship to the former by describing 
pct=0, we could as well admit that the latter is possible.  Is it a 
desirable feature to restore the original From:?

Some say ARC will help overcoming From: rewrites.  How?  Certainly not 
because MLMs will stop rewriting all of a sudden.  If all what is 
wanted is to restore From:, it seems more likely that either the 
originator or the MLM will set up the header so as to allow doing so.

Now, it has been said, and perhaps will make its way to the spec, that 
p=quarantine; pct=0 will remove from reports the information about 
indirect mail flows.  Since we know that such information can be sent 
nevertheless, to ask how to deal with such cases is a legitimate question.


> Remember though that MLMs are only one special case of
> intermediary; auto-forwards, such as alumni.foo.edu or even
> joe@mailboxProvider1.com that just forwards everything to 
> jsmith@mailboxProvider2.com are other cases that can cause
> authentication failures and to the best of my knowledge there is no
> standard for header munging for those cases, and frankly those
> hosts operating as intermediaries in those flows may be less
> inclined to change their systems than some MLMs have been.

Forwarding without rewriting From: is a different problem.  It usually 
works, except for some cases that can be cured by strengthening 
signing practices.  Auto-conversions seem to have been eliminated 
already.  Further refinements to preserve DKIM signatures may be needed.


> The IETF and you are perhaps outliers in regards to the amount of
> effort expended to accommodate DMARC, and I applaud both of your
> efforts, but I think we're a long way away from anything 
> approaching universal receivers reporting to every hop that handles
> a given message.

Actually, reporting at every hop where just the recipient changes is 
the normal practice.


Best
Ale
--