IETF Logo Mail Archive

Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 20 October 2022 22:54 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6548C14F741 for <dmarc@ietfa.amsl.com>; Thu, 20 Oct 2022 15:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.006
X-Spam-Level:
X-Spam-Status: No, score=-7.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sRHX1eEK2cXo for <dmarc@ietfa.amsl.com>; Thu, 20 Oct 2022 15:54:09 -0700 (PDT)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9234C14F740 for <dmarc@ietf.org>; Thu, 20 Oct 2022 15:54:09 -0700 (PDT)
Received: by mail-lf1-x12b.google.com with SMTP id a29so2124225lfo.1 for <dmarc@ietf.org>; Thu, 20 Oct 2022 15:54:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=Vt1LO/5ckYL5Grfo/qMcJ3/t1YcLCkQgyqL7nYZjSmk=; b=PF+mDJX0vIkhRdsQ9pc+08NlSgLleHWthitNX7pu+m3oLEl6zkX0jFsz0fBbYjd5BF k7dj+qeD4HHQi89s/ijp6cFzOMWjlcQoF0h765wC2JOL9a3bL6N0h2MVGh870vc1fXo5 dbPdHVRKIuuLcu0g9URx2Qox6NzpwRFnCLHwWx1cVuUamaGKqIPhu1sv/BuipdH9/8dd 3QbYJsLeC2dplu40/ecA1+eg0EWCIwRrDVZv3Um7nHgNAOZkNjfhlTy89prakpzCCRxz djGnAXpsDjTqGh3iMZX6FGJLh3fq2KCEKFG+Qcrl2O0Loh+GA30KsO5ZVJNvOqW3vF6s 5OHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Vt1LO/5ckYL5Grfo/qMcJ3/t1YcLCkQgyqL7nYZjSmk=; b=QVJBw+LkUzMWt2zQkKwS6pkslD2QYOBEUw1C8Pw+fxTRCyNCvMUgMW/0SVlTTY7Ae5 1jM5824s/uiuc9OSKVdxcVhYGdq13/bEtyRvh5WTx7PTwQO58llJVdsSULUlfO8V94ng v2o+0pyLtF/jlUMZU/FVp0oJsd2wrtSo0m9FZEljSc084dH5eXTAR3DnB9FsBXf3aAt6 KwuV6OCYTR4GAqwtIvfmqtyIha6Db224s+6UeQxiohIegErWAcpWlBBC9LFqxHziMiib 9QMZUkuN/WtbXZbD6sLI8O5Sqtt8qv8cxqQgoP3eB1DatlyaQHSLvKWUl/fKiOKrRC+i +vLw==
X-Gm-Message-State: ACrzQf2V1kvB0/8DRv5pxxW5Or038golUkj5I2nc5yclBysa7ibOAwZH GfGCRee7dTikBustiteKEnxVekFYvb9w2NWOpi5K7Aad
X-Google-Smtp-Source: AMsMyM7YYKyApcNNZDYqDhYzoyI01FunOwdhgjE7me6rMsGisN0lIBYKkwWdRxyXqFqeTQRaLKtDK+lIEavZp+OO9w4=
X-Received: by 2002:a05:6512:252b:b0:4a0:5642:dbc5 with SMTP id be43-20020a056512252b00b004a05642dbc5mr6152641lfb.436.1666306447169; Thu, 20 Oct 2022 15:54:07 -0700 (PDT)
MIME-Version: 1.0
References: <9D6D6E80-B0B0-4CAD-B301-B0A17F9C6663@marmot-tech.com> <04FF4BB2-F8F3-4610-B33E-D4004C757E3B@marmot-tech.com> <CAH48Zfx+JPeoaFA4Z2zw982-+BkJcReyjK07u8w69KMSWx8vYQ@mail.gmail.com> <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB4351C32D2621D2024B39802BF72A9@MN2PR11MB4351.namprd11.prod.outlook.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 20 Oct 2022 18:53:56 -0400
Message-ID: <CAH48Zfx0B5nvz9B2WJ-uUEeszyaoHbPoc1oubmjnrqo_H3x3Sw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dedb8f05eb7f33a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/xeHv6KswbC9XB1E1m2RdPks7yrU>
Subject: Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Oct 2022 22:54:11 -0000

Although I said an evaluator could stop after SPF PASS, I don't think this
is a significant concern.   Savvy evaluators will understand that DKIM PASS
is a higher-certainty result than SPF.  I support requiring a compliant
implementation to always evaluate DKIM signatures, regardless of SPF result.

Part of the purpose of this topic is to reconcile a report owners' desire
for "complete" data with the algorithm that I proposed in Issue 2.  That
algorithm has multiple exit points, so either the algorithm has to
eliminate early exit or the reporting expectations need to change.   Here
is my justification for preserving the early exit logic:

Aligned DKIM PASS
When an aligned DKIM result is PASS, I don't see that the domain owner
needs any more data collection performed.   The verifiable DKIM scope ID
should tell him where the message originated, and the source IP and HELO
name tell the last place it landed before delivery.    I cannot see why a
domain owner would spend a lot of time trying to analyze success results,
unless his interests have transitioned from assuring identity to analyzing
marketing impacts.   We are not trying to provide marketing data, and any
successful use of DMARC for that purpose seems like an encroachment on the
privacy concerns that we want to minimize.

Duplicates:
If an aligned domain has multiple DKIM signatures and one passes, I suggest
that the PASS is the only one that needs to be reported.  If an aligned
domain has multiple DKIM signatures and none pass, I suggest that the first
one found (from the top) is the most important, because it is the last one
applied.   If duplicates are reported, disaggregation is increased, so why
report data that is not useful?

Failure
If no signature produces PASS, then all of the available signatures have
reportable results, which is the scenario that seems most important domain
owner interests.

Doug Foster




On Thu, Oct 20, 2022 at 9:17 AM Brotman, Alex <Alex_Brotman=
40comcast.com@dmarc.ietf.org> wrote:

> I’ve been going back and forth on this a bit.  On one side, I understand
> that we’d like to know when a receiving site does not evaluate both SPF and
> DKIM.  I also am not sure I know of any (sizable?) site which
> short-circuits evaluation after SPF.  Given how much time receivers talk
> about separation of streams and so on, I’d be surprised to see them
> knowingly discard data which could be used for data science-y things.
>
>
>
> I receive a report without DKIM data from a specific site.  Today, I can’t
> know if that is a signing problem at the sender, a reporting
> failure/decision, a conscious choice for evaluation, a bug at the receiver,
> was stripped in transit, or something else.  I’m also not sure introducing
> a new “Not Evaluated” state solves/explains why it didn’t show in the
> reports.
>
>
>
> --
>
> Alex Brotman
>
> Sr. Engineer, Anti-Abuse & Messaging Policy
>
> Comcast
>
>
>
> *From:* dmarc <dmarc-bounces@ietf.org> *On Behalf Of * Douglas Foster
> *Sent:* Thursday, October 20, 2022 7:04 AM
> *To:* IETF DMARC WG <dmarc@ietf.org>
> *Subject:* Re: [dmarc-ietf] Aggregate Reporting - "Not Evaluated" result
>
>
>
> My thinking has evolved during this discussion:
>
>
>
> We should reject Incomplete Results
>
> If an evaluator has decided to do incomplete evaluation, we have to
> consider the possibility that he may or may not collect enough information
> to enumerate what signatures were not evaluated.   So a signature result of
> "not evaluated" does not solve the whole problem, but does cause
> disaggregation.    A bit field indicating "incomplete results" could cover
> all types of incompleteness, and report recipients could decide whether to
> use the data or not.   But since we have aversion to incomplete results,
> the "must not report" approach both encourages complete results and
> provides upward compatibility for report receivers.
>
>
>
> Scope
>
> I am skeptical that our request for data about non-aligned signatures can
> justify the cost.   I have seen no defined strategy for integrating
> non-aligned signatures into the message evaluation process, so computing
> those results are pure waste to the evaluator.   Waste has real money costs
> and real opportunity costs.    Given that billions or trillions of messages
> are transmitted every day, the global cost of extra signature evaluations
> is really quite significant.    I am not freaking out about global warming,
> but it is on my radar.  The environmental impact of our decisions, when
> played out to Internet scale, are not trivial.   I would like some
> convincing that knowledge about non-aligned signatures is worth the
> non-trivial cost that we are asking evaluators, and the planet, to absorb.
>
>
>
> Doug Foster
>
>
>
> On Wed, Oct 19, 2022 at 8:48 PM Neil Anuskiewicz <neil@marmot-tech.com>
> wrote:
>
>
>
> > On Oct 19, 2022, at 5:42 PM, Neil Anuskiewicz <neil@marmot-tech.com>
> wrote:
> >
> > 
> >
> >> On Oct 19, 2022, at 6:59 AM, Scott Kitterman <sklist@kitterman.com>
> wrote:
> >>
> >> 
> >>
> >>>> On October 19, 2022 12:44:16 PM UTC, Dotzero <dotzero@gmail.com>
> wrote:
> >>> On Tue, Oct 18, 2022 at 11:18 PM Scott Kitterman <sklist@kitterman.com
> >
> >>> wrote:
> >>>
> >>>>
> >>>>
> >>>> On October 18, 2022 10:16:44 PM UTC, Neil Anuskiewicz <
> >>>> neil@marmot-tech.com> wrote:
> >>>>>
> >>>>>
> >>>>>> On Oct 2, 2022, at 11:01 AM, Douglas Foster <
> >>>> dougfoster.emailstandards@gmail.com> wrote:
> >>>>>>
> >>>>>> 
> >>>>>> In many cases, an evaluator can determine a DMARC PASS result
> without
> >>>> evaluating every available identifier.
> >>>>>> If a message has SPF PASS with acceptable alignment, the evaluator
> has
> >>>> no need to evaluate any DKIM signatures to know that the message
> produces
> >>>> DMARC PASS.
> >>>>> I think it’s critical to DMARC that receivers do things like
> evaluate and
> >>>> report on DKIM whether or not SPF passes and is alignment. Without
> this, it
> >>>> would make it harder for senders to notice and remediate gaps in their
> >>>> authentication. Since there’s not a downside (that I know of), I’d
> say this
> >>>> should be a MUST if at all possible.
> >>>>
> >>>>
> >>>> What is the interoperability problem that happens if evaluators don't
> do
> >>>> that?
> >>>>
> >>>> Scott K
> >>>>
> >>>
> >>> Scott, What is the interoperability problem is evaluators didn't
> provide
> >>> reports at all? Reporting isn't a "must" for interoperability but it
> >>> certainly helps improve outcomes instead of senders flying blind.
> >>
> >> I read the email as suggesting a MUST for reporting both SPF and DKIM
> results if you report results at all, which would, I think lead to exactly
> the situation you're concerned about.  I'm skeptical of any kind of MUST
> around reporting since that's generally reserved for things that impact
> interoperability.  I do agree it should be encouraged.
> >>
> >> Mostly, at the moment, I'm trying to understand the proposed change and
> the rationale.
> >
> > I think the reactions were to the tone that that seemed to suggest that
> the importance of reporting was being downplayed. MUST is too strong and
> strongly encouraged is sufficient. The standards system relies on people
> making a good faith effort. To me, Doug’s comments came off as wanting to
> weaken the language which concerned me.
> >
> > Reporting is key for DMARC to work as a system so any hint of weakening
> that language or even could be interpreted as such caught my attention. I
> think Doug clarified his position as addressing specific cases not a
> weakening of the reporting language.
> >
> > DMARC is about the interests of the system but following the standard
> strengthens the system within which the sender or receiver operates. Even
> if one wasn’t interested in the health of system in and of itself,
> reporting benefits the admin as it increases security and reduces broken
> authentication. A *LOT* of Senders use reporting data as part of the
> process of fixing their own and third party senders they wish to allow or
> spoof, discovering errant shadow IT, etc.
> >
> > Reporting is or core importance for everyone if for no other reason than
> to avoid headaches. Thanks.
>
> s/allow or spoof/allow to spoof/
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
> <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/dmarc__;!!CQl3mcHX2A!EsdF1EeMbORwM6q1BxYm9IsETTRVXfH8E62GtWR7mJvZ9jX2cB43dVfFr0WtGJmWfJuFPez7PgePL2wmqspAD63TEGtEypY$>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email