IETF Logo Mail Archive

Re: [dmarc-ietf] WGLC editorial review of draft-ietf-dmarc-dmarcbis-30

Seth Blank <seth@valimail.com> Sun, 31 March 2024 12:26 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 534B3C14F700 for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 05:26:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J5P0Bj-23DGk for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 05:26:07 -0700 (PDT)
Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83560C14F6F5 for <dmarc@ietf.org>; Sun, 31 Mar 2024 05:26:07 -0700 (PDT)
Received: by mail-pl1-x629.google.com with SMTP id d9443c01a7336-1e252f2bf23so807975ad.2 for <dmarc@ietf.org>; Sun, 31 Mar 2024 05:26:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1711887966; x=1712492766; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=61Yo9miWJIpt4z7lg5wFrHTDvH/zPQQ87W2Mft+2wnw=; b=clokXfEPMRH+f9sCqh1o/koFMXkyVrmPcaa0B73b//CcoWBjkLmQXAVhTr2k5eZ3PW DjAkMpxS6r6rk6OC9KoloulQfjttJfgjLA4MaA/g034q5/O3B2DhfD2DQ64MqvHcaFHm EvTdBeAEzmAST25BeimHIp/qmSlf51EBuWDkD7zDe5A1JAQ36a95sRdj5V8nlU7R0iQD 2oY2PE2yY29JR+4EU5ehFdywROV7FXbo8hoy3eU/5JiMAMVcEXHK6ecGr0k8ELCc8n3v CEE5KFEeHysTfmdl1FB6HFsXRMynV7T8uAznkpyUOzyjBqsv6kw71iRwwCu7VCNrnvVm SCww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711887966; x=1712492766; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=61Yo9miWJIpt4z7lg5wFrHTDvH/zPQQ87W2Mft+2wnw=; b=pS5Wui++nLSvsM8RCnLcNfo/8RjLcsI9QIWJSn3MTZF5tf2mUP6cjlCRhIE47mWV62 GCfzrrAbq0+VVHG0ZdJ6ykTe3s9n+SBVt+sLhU+DVBY0ZbGdpE7WyplIDq+MkTqJNwXD P0Cw8MIZ2mUUAFsLaaxCZxcuyJw112Kt/B8GhKTOJfDPXRhSqIZ7yNpoPhaQluda+j+5 Bf9eh5Z3cUq/DBBFvQouksL2SSBJ3YQGQeGtPiOcmzQat1HP60IpvyNTPJCPzVPAXPGD VbPVYlZ6Z/uLXgC0chB2Btxl3NT2/gtnYKCZ9aJdhoPwpTHXsZPNwtPC/We+3El3OK5f VkFg==
X-Forwarded-Encrypted: i=1; AJvYcCXVfhxctvXYLdEOODfam1Ys92gPDNdkB9BsVD+PPdviFbTiVOvb/a1ZBcb/9SKafwB2lAJH6IfD+EyspRJnmA==
X-Gm-Message-State: AOJu0YwBgW4axcMCkciLGDIC18qUxOmmW9aMPswe9hRlD3P04OIZSjJo DxadOkNXfJeR+7LAA7XgPrJ9ufRoK9Z1+9qf81jKyd8uAMUD+rUuqAS6ZhbjpRr7XKEHN3SYgv/ qX7BYtxqebnwcq+PtYaVSiCr3JWzpnYcM8N1ciJ2M4gu9/KtK
X-Google-Smtp-Source: AGHT+IH7bqbrAnutHsdOB7cbP9CtM9hKjNRHujlFWSV7fQuvuvOu7LvJZfok4lwDfy8xpblt3KtwWyjvlhS/skt2ZAg=
X-Received: by 2002:a17:903:290:b0:1e0:1eff:66f7 with SMTP id j16-20020a170903029000b001e01eff66f7mr7838656plr.47.1711887966395; Sun, 31 Mar 2024 05:26:06 -0700 (PDT)
MIME-Version: 1.0
References: <CAOZAAfPwJHKGyLjTkdGDqkMeK4RQX4Fj0rw-Upn0cLZ+cE74aA@mail.gmail.com> <2cdd13ec-9d7f-4732-91ea-9c8983d7a28c@tana.it> <CAH48ZfzaNR2A6zUWVeeoay+UHLHTzja9f5RGfAt5htXd21C0KQ@mail.gmail.com>
In-Reply-To: <CAH48ZfzaNR2A6zUWVeeoay+UHLHTzja9f5RGfAt5htXd21C0KQ@mail.gmail.com>
From: Seth Blank <seth@valimail.com>
Date: Sun, 31 Mar 2024 08:25:55 -0400
Message-ID: <CAOZAAfPAaZ5=yroK4hPRxFhBM5Q5hpzBLN_KMJL+2-vj+OiHnw@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: Alessandro Vesely <vesely@tana.it>, IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000022036c0614f3fa10"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vx217bFGN4oSUqfzy9Zjsolo1j0>
Subject: Re: [dmarc-ietf] WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 12:26:11 -0000

What do you mean “stop authenticating?” — a soft fail is still a fail, not
a lack of auth, and this has been published best practice for a decade

S -mobile

Seth Blank | Chief Technology Officer
Email: seth@valimail.com


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.



On Sun, Mar 31, 2024 at 08:22 Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> On SPF, our document should say simply,
> " a DMARC-compliant evaluator MUST NOT reject a message, based on SPF
> result, prior to receiving the Data section and checking for aligned and
> verifiable signatures."
>
> Of course, evaluators may still reject early base on known-bad server or
> known-bad Mail From domain, but not based on SPF alone.
>
> I weary of the notion that the solution to all authentication problems is
> to stop authenticating.
>
> DF
>
>
> On Sun, Mar 31, 2024, 6:41 AM Alessandro Vesely <vesely@tana.it> wrote:
>
>> On Sat 30/Mar/2024 21:05:17 +0100 Seth Blank wrote:
>> > This is a real operational problem, so I wanted to expand guidance. The
>> note
>> > about best practice may or may not be appropriate here, but I think it
>> works.
>> > There are multiple M3AAWG documents which cover this use case, and we
>> can also
>> > link them if valuable.
>> >
>> > [...]
>> >
>> > Since DMARC only relies on an SPF pass, all failures are treated
>> equally.
>> > Therefore, it is considered best practice when using SPF in a DMARC
>> context
>> > for domains that send email to end records with a soft fail ("~" /
>> "~all").
>>
>> The last phrase is overly strict.  To /consider using/ soft fail ("~") or
>> neutral ("?") should be enough.  For example, I use an SPF record
>> terminating
>> like so:
>>
>>     ?exists:%{ir}.list.dnswl.org -all
>>
>> It can be criticized for imposing DNS usage, but it works too.  One could
>> also
>> use ~include:vast.whitelist.example before -all; it would work as well.
>>
>> Using ~all is akin to use p=none.  Be armed but only load blanks.  Its
>> being
>> best practice bears witness to the weakness of domain based
>> authentication.
>> Currently we are in the mid of a swamp, but if we hope to ever get out we
>> can
>> start by softening these kind of requirements.
>>
>>
>> Best
>> Ale
>> --
>>
>>
>>
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email