IETF Logo Mail Archive

Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed language

Dotzero <dotzero@gmail.com> Sat, 12 June 2021 15:09 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 300803A166B for <dmarc@ietfa.amsl.com>; Sat, 12 Jun 2021 08:09:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZ7CduBc-k0Z for <dmarc@ietfa.amsl.com>; Sat, 12 Jun 2021 08:09:24 -0700 (PDT)
Received: from mail-qk1-x736.google.com (mail-qk1-x736.google.com [IPv6:2607:f8b0:4864:20::736]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5351F3A166D for <dmarc@ietf.org>; Sat, 12 Jun 2021 08:09:24 -0700 (PDT)
Received: by mail-qk1-x736.google.com with SMTP id c124so34169700qkd.8 for <dmarc@ietf.org>; Sat, 12 Jun 2021 08:09:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=tGs3MD0zuHmPz9ThTo08Vv9ssM9LVmwYIcPQTCJZFhg=; b=rQvDEdytNTUhJLSFk9/+XJ5BUTPlRbFTc6T8keR2Pdil/+nBnlZAMzECSgYJUHb/Oc I5LZ4aACHK61r4t/wY/wpfUOccKqzSowAbjWziPOYvSDfImfSd4qlGVVLECOinBmXf4z +l/8bTpT50Pt7nQJodCyPyzNVgI4O6Qt58v9ssA90Ssyq4kx0LGgq/wJ9XH6i8JhYNXM fuVja5Ipce0c8ihjK9evmP3LXueFOw3BxWQlaUB+ZRIriHl5SJrWgTeqnPdui69HNrot htrCmAwlELq9qOBXZicbweGqDXJdB9HX5eKceC5F9/qruwJibDWBjMbDsr3ffffcpRwl InSw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=tGs3MD0zuHmPz9ThTo08Vv9ssM9LVmwYIcPQTCJZFhg=; b=nAZQV6XEMGvyHEt+kGVUklaMTOCEAI4YghUsvKF8zu6AwwJciA5VS8niL3DLBXs9JX 0838OmzLm1XHQVsmvUVUqWPXWoBpeo3Ertzgf+EUf643QENaOCirB6d6DnoaYuqzp8rN dvsTT2SbRUyjyGijoiN7AFN8m8ztSwgvJSL1b85vBYXyyDKxUei8j5Sz9NH18Z3Yf5U9 0uKm/manEmPbqBm0Pv6orJnRL8SJoY7xRBVnEOSBkVFI5acUuHjKofSluJfPWVk6xwv5 L/v5xYVcMrkwG/35qO6UqjUhUwdlD4odrsMGG4OcxwKGGd1Gk6wHFFHQiwihqDUYICtk Lleg==
X-Gm-Message-State: AOAM5306pTT9N5+lUdaPXktJlJcKErO9VQWJBFG9/72TMNd5KP+ZKUZ/ X/2Tco4OrvBLUdJNom6p4ZhlKm9gP6jVLARZ5J4=
X-Google-Smtp-Source: ABdhPJxcOU7fMm+eXABp5Mz4ympsFg/kQttUMJe6X+YDmajoUWrZrfc9QdsrL+zAqY1831nO3ET8zPvfxW0rJcf66m0=
X-Received: by 2002:a37:9381:: with SMTP id v123mr8958199qkd.64.1623510562343; Sat, 12 Jun 2021 08:09:22 -0700 (PDT)
MIME-Version: 1.0
References: <CAH48ZfzuM298fkmhoZtH1ZbK=9Ne9EYtyTYNV27PSsPBW=Gq-w@mail.gmail.com>
In-Reply-To: <CAH48ZfzuM298fkmhoZtH1ZbK=9Ne9EYtyTYNV27PSsPBW=Gq-w@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Sat, 12 Jun 2021 11:09:11 -0400
Message-ID: <CAJ4XoYcs6iAVOPWAyFvf_iwKCVooUFxC=SbT406o1NvQ_RJxPA@mail.gmail.com>
To: Douglas Foster <dougfoster.emailstandards@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005b904405c49302f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/wEfxMlX06GXhTTASGX1ZqmIpbHk>
Subject: Re: [dmarc-ietf] Ticket #11 (and #112) - Proposed language
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Jun 2021 15:09:27 -0000

On Sat, Jun 12, 2021 at 8:56 AM Douglas Foster <
dougfoster.emailstandards@gmail.com> wrote:

> Below is my proposed language for dealing with the problems that NP is
> intended to address:
> - unused DNS names
> - non-existent DNS names
>
> It provides supporting rationale, and provides a more complete solution
> than anything suggested previously, and ties the design directly to the
> mailing list problem.
>
> I have labelled the sections starting with "X," because I am not sure of
> the best way to position this text into the flow of the current draft.
>
> Doug Foster
>
> x. Reducing the scope of the SP policy
>
> DMARC introduces a method for the domain owner to state "at time of
> transmission, authorized emails will always authenticate using DMARC
> criteria".
>

The portion of the above statement is an incorrect assertion and is
meaningless to validators and mailbox receivers. It is well known (at least
to validators and receivers) that there is a significant subset of senders
who publish incorrect SPF records or improperly DKIM sign messages or
improperly publish DKIM in DNS or improperly publish DMARC in DNS. Further,
a validator or mailbox provider can only go by what they see and know at
the time they attempt to determine whether a given message validates or not.


> However,this authentication can be lost in transit if message modification
> occurs in transit, as discussed in RFC 7960.  This possibility can make
> domain owners reluctant to move beyond sp=none.  This is a significant
> loss, because sp=none opens a vast namespace to domain abuse, including
> - names that are DNS domains but are not protected by a domain-level DMARC
> policy
> - names that are DNS records records rather than DNS names, and cannot be
> protected by a domain-level DMARC policy
> - names that are not in DNS at all, and therefore cannot be protected by a
> domain-level DMARC policy.
>

Senders may be reluctant to implement DMARC for any number of reasons. I've
given email authentication training to thousands of people through OTA when
it was around and to/through the U.S. Federal government. Not once has
anyone raised the above as reasons for reluctance to implement DMARC,
either in total or for implementing policy.

>
> To mitigate these impacts, it is useful to distinguish names used as email
> domains from names that are not used for email.   Names that are never used
> for email are never authorized at time of transmission, and therefore can
> be blocked without concern about in-transit modifications.   Several
> methods are presented for addressing this objective.
>

As pointed out above, you are asserting impacts not in evidence when you
state that these impacts are of concern. A difference, in order to be a
difference, must make a difference. You have presented nothing to show that
this is an issue causing senders not to implement DMARC.

>
>
> x.1 Implement mail domains as DNS domains with domain-level DMARC policies.
>
> Mail domains are often implemented as DNS domains, but this is not
> required.   MX records and SPF policies can be attached to a named resource
> record or a wildcard resource record, while DMARC policies can only be
> attached to a DNS domain.
>
> Any name that is configured as a DNS resource record can be reconfigured
> as a subdomain name supported by resource records which match the subdomain
> name, and names that are not in DNS can be added as DNS domain names.  Once
> all used mail domain names are configured as DNS domains, they can be
> configured with DMARC policies.   Once this is complete, the SP policy will
> only apply to unused and non-existent names.  This will permit use of
> SP=reject because any such messages will have been unauthenticated at
> origin as well as being unauthenticated at reception.   This approach is
> fully compatible with RFC 7489 implementations of DMARC.
>
>
> x.2 Implement an NP policy
>
> The NP policy assumes that names used for mail can be reliably identified,
> so that names not used for mail can be categorized as not authorized.  Two
> approaches are used:
>
> - For mail domain names that are used with SMTP, the name is assumed to
> also be used as an RFC5322.From domain name.   This is indicated by an MX
> record which evaluates to an IP address, or an SPF policy which does not
> begin with an ALL term.  (RFC 7505 indicates that an MX record which does
> not evaluate to an IP address is useful to indicate that a domain does not
> accept incoming mail.  Based on RFC 7208, content after an ALL term is
> ignored, so a policy of "-ALL" indicates that the name is never used as an
> RFC5321.MailFrom domain and an ALL term with any other modifier is a
> meaningless policy.)
>
> - For mail domain names that are not used with SMTP, a new TXT record is
> defined, with content "DMARCFROMv1".   The presence of this TXT record
> indicates that the associated DNS domain, named DNS resource record, or
> wildcard DNS record should be considered as potentially in use as an
> RFC5322.From domain name.
>
> Names which are identified by MX record, SPF policy, or DMARCFROMv1 TXT
> record are considered in use names and are evaluated using the P or SP
> policy.   Names which do not match these criteria are evaluated using the
> NP policy.   This allows unused and non-existent names to be given a
> stricter DMARC policy than used names.
>
> To implement an NP policy, domain owners may need to make DNS changes:
> - For used domain names that are only identified by an A or AAAA record,
> an MX record or DMARCFROMv1 TXT record is needed to explicitly indicate
> that the name is used for mail.
> - For used domain names that are not in DNS at all, a DMARCFROMv1 TXT
> record is needed to indicate that the name is used for mail.
>
> The NP policy does not require that all mail domains become DNS domains,
> but the NP policy will only be understood by evaluators which use this
> specification.  Consequently, it is preferable to ensure that all mail
> domains are implemented as DNS domains.
>
> x,3 Implement SPF -ALL policies on unused names.
>
> Organizations that have configured SPF to protect their valid
> RFC5321.MailFrom domains may not have taken the extra measure of using SPF
> to obstruct names that are not used for mail.  While not directly part of
> DMARC, an authentication result of "DMARC=NONE SPF=FAIL" is a more
> meaningful result than "DMARC=NONE, SPF=NONE".  Consequently, it is
> desirable to  ensure SPF=FAIL for any names that are never used as
> RFC5321.MailFrom domain names.   Since SPF has no inheritance, this
> requires many entries.
>

As you state, it is NOT directly part of DMARC.

>
> To demonstrate, assume that the domain "nomail.example.com" contains only
> a webserver at "www.nomail.example.com".   Multiple SPF records are
> needed to maximize protection of this subdomain from improper use.   An SPF
> policy of "-ALL" is needed on:
> - the domain itself, nomail.example.com,
> - named resource records, including www.nomail.example.com
> - the wildcard resource record, *.example.com.
>

Anyone sophisticated enough to be concerned that this is a problem is
sophisticated enough to publish the appropriate DNS records if they choose.
Your proposal adds unnecessary complexity to address something that is
essentially a non-issue in the real world of DMARC and interoperability.
The more complexity that is added reduces the likelihood of implementation
OR if implementation is attempted, correct implementation.

This proposed change should not be considered by the working group.

Michael Hammer

v2.23.0 | Report a Bug | By Email