IETF Logo Mail Archive

[dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows

Scott Kitterman <sklist@kitterman.com> Tue, 25 April 2023 18:27 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72991C151B31 for <dmarc@ietfa.amsl.com>; Tue, 25 Apr 2023 11:27:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="wg789ZK5"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="N+NNUIrA"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wn_wJtCv4dYU for <dmarc@ietfa.amsl.com>; Tue, 25 Apr 2023 11:27:47 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28728C14CF1F for <dmarc@ietf.org>; Tue, 25 Apr 2023 11:27:47 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id D6D85F80239 for <dmarc@ietf.org>; Tue, 25 Apr 2023 14:27:36 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1682447241; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=dQPCyNVtm7k52FRO2sZggHHAcdGCEB8YEHo4JNzafr0=; b=wg789ZK5LbhZpsJHvj4WxHF8baFev7U5BXS5Te2Aji98nA487LPZh08dnT+kw5Zp4HMMu IntoyBM275l8qDsCA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1682447241; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=dQPCyNVtm7k52FRO2sZggHHAcdGCEB8YEHo4JNzafr0=; b=N+NNUIrAJLJW3vA3sK8dadoWRVqeCOWA9JutRhDIqkXwtSqxArjG6jevNFsZj9BI4dtDF 0tzrVDS9aoKsS73BMMU3JIZRnnJ8JWiN35tXIWTVIK6OorQF9hFi0bhAMVVvkeVw4KU7/d4 kolIVtbNaoF44bM7wQpdrji48Z11cMIanzuJ/skhKUZwH8k8U5eblZVQRA9GZZkhLiuNLLx GjiQqzlQl6+bTMytc5747E0edJHyR+ODhEcXFAIfQqNwhAZcGjRaYNG2pedN4QQxMuO2PSP MBfhrVMxpnXrG4KXUuI5rSgma/eKLQBbTVFSy6GrSxtFRQMuTU89V6dTLMnQ==
Received: from localhost.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id D6B57F8014A for <dmarc@ietf.org>; Tue, 25 Apr 2023 14:27:21 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 25 Apr 2023 14:27:18 -0400
Message-ID: <29216533.CRhL9lMF2B@localhost>
In-Reply-To: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com>
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/wvuuggXnpT-8sMU49q3Xn9_BjHs>
Subject: [dmarc-ietf] Search for some consensus, was: Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Apr 2023 18:27:51 -0000

On Tuesday, March 28, 2023 4:15:04 AM EDT Barry Leiba wrote:
> I raised this issue in the DMARC session in Vienna, and have let it
> sit for a while so as not to derail other discussion.  As we're pretty
> close to finished with the DMARCbis document, I'd like to raise it
> again, this time with specific proposed text for us to discuss.
> 
> And so:
> 
> OLD
> 
>    5.5.6.  Decide If and When to Update DMARC Policy
> 
>    Once the Domain Owner is satisfied that it is properly authenticating
>    all of its mail, then it is time to decide if it is appropriate to
>    change the p= value in its DMARC record to p=quarantine or p=reject.
>    Depending on its cadence for sending mail, it may take many months of
>    consuming DMARC aggregate reports before a Domain Owner reaches the
>    point where it is sure that it is properly authenticating all of its
>    mail, and the decision on which p= value to use will depend on its
>    needs.
> 
> NEW
> 
>    5.5.6.  Decide If and When to Update DMARC Policy
> 
>    Once the Domain Owner is satisfied that it is properly authenticating
>    all of its mail, then it is time to decide if it is appropriate to
>    change the p= value in its DMARC record to p=quarantine or p=reject.
>    Depending on its cadence for sending mail, it may take many months of
>    consuming DMARC aggregate reports before a Domain Owner reaches the
>    point where it is sure that it is properly authenticating all of its
>    mail, and the decision on which p= value to use will depend on its
>    needs.
> 
>    It is important to understand that many domains may never use
>    policies of “quarantine” or “reject”, and that these policies are
>    intended not as goals, but as policies available for use when they
>    are appropriate.  In particular, “reject” is not intended for
>    deployment in domains with users who send routine email, and its
>    deployment in such domains can disrupt indirect mail flows and cause
>    damage to operation of mailing lists and other forwarding services.
>    This is discussed in [RFC7960] and in Section 5.8, below.  The
>    “reject” policy is best reserved for domains that send only
>    transactional email that is not intended to be posted to mailing
>    lists.
> 
>    To be explicitly clear: domains used for general-purpose email MUST
>    NOT deploy a DMARC policy of p=reject.
> 
> END
> 
> I'm well aware that the MUST will *not* be followed by everyone, and
> that some domain owners will feel that they need to use p=reject,
> regardless.  I think that's fine: the standard should specify what's
> right for interoperability, and I believe that improper use of
> p=reject is extremely harmful to interoperability... so "MUST" is
> correct here.  And no one will be arrested or fined for choosing not
> to follow it.  We should still say it, nonetheless.
> 
> OK, have at it.

I'm going to take another stab at this, starting back at the top of the thread 
since things went off the rails.

This is an attempt to see if we can focus in on getting some agreement on a 
path forward on this question.  If I may generalize for a moment, it seemed to 
me that there are roughly two sets of perspectives on this (with considerable 
variation within each set, of course).  One set is from people primarily 
focused on the security benefits associated with use of restrictive DMARC 
policies such as p=reject.  The other set is from people primarily focused on 
the interoperability impacts associated with some domains using such 
restrictive policies.

For many, the security benefit is the primary purpose of DMARC.  Without it, 
it's relatively pointless.  On the other hand, interoperability is a 
significant reason the IETF exists.  Without interoperability, the IETF is 
relatively pointless.  I am starting from the assumption that people are 
prioritizing different things differently in good faith.  Disagreement is normal 
for something like this.

For those of you that are new or perhaps relatively new to the IETF, I would 
comment RFC 7282 to you for background, particularly paragraph 3 [1] as I 
think it is a great discussion of the IETF way to work through a path forward.

The TLDR version is trying to find something we can live with, not something we 
would prefer.  There's clearly no overlap between the preferences of the 
people in the two groups I described above.  If anyone doubts that, I 
encourage you to consult the list archive for the last month.  The question 
is, can we get to something that people from both groups can live with and 
adequately address any technical points that are raised.

My recollection is that a general formulation that I proposed had at least 
some traction out of both groups:

> [some appropriate description] domains MUST NOT publish restrictive DMARC
> policies due to interoperability issues

Leaving aside (for now) the question of what goes into [some appropriate 
description] and with the assumption that there will be some non-normative 
discussion to amplify whatever that is and probably give some indication about 
what domains might do to not be one of those domains, is there anyone who just 
can't live with that formulation of the situation?

If you can't, please also make a suggestion of an alternative that you can 
live with and why you think people in the group you are not a member of should 
be able to accept it.

Scott K

[1] https://www.rfc-editor.org/rfc/rfc7282#page-7

v2.23.0 | Report a Bug | By Email