Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
"mhammer@americangreetings.com" <mhammer@americangreetings.com> Thu, 17 August 2017 14:18 UTC
Return-Path: <mhammer@americangreetings.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE3E8132196 for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 07:18:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=americangreetings.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E6JenBDJP2ZE for <dmarc@ietfa.amsl.com>; Thu, 17 Aug 2017 07:18:28 -0700 (PDT)
Received: from mailer1.americangreetings.com (mailer1.americangreetings.com [66.119.43.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05C2513244F for <dmarc@ietf.org>; Thu, 17 Aug 2017 07:18:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=americangreetings.com; s=q42010; c=relaxed/relaxed; q=dns/txt; i=@americangreetings.com; t=1502979506; x=1534515506; h=From:Subject:Date:To:Cc:Reply-To:Message-ID:MIME-Version:Content-Type; bh=pSNSrFCkkIYCL+auNNPCkWLlg9zNyJPhjsvaJrXI2dc=; b=EEhVDLuG95pyf1M4fVJslguT/Rq+L35WmL5EuSdaEyq72auFsWzx7Of3gzAc6E2R Zz8LSLwxGTVq3vpMYLXlbv5J0N2ki+KTKVbicBu1NqdFePEN5wMuTfbsGDAZNjH1 H/Z5o/ZlvdrtHY9qm5yqj1iAKviijNrJsAGTzbffAw8=;
Received: from [66.119.43.83] ([66.119.43.83:2695] helo=dc3-mbox.ops.ag.com) by momentum7 (envelope-from <mhammer@americangreetings.com>) (ecelerity 3.6.18.52357 r(Core:3.6.18.0)) with ESMTP id 5C/AC-11320-2B5A5995; Thu, 17 Aug 2017 10:18:26 -0400
Received: from [10.210.42.24] ([10.210.42.24]) by dc3-mbox.ops.ag.com (8.14.4/8.14.4) with ESMTP id v7HEIQkt019519 for <dmarc@ietf.org>; Thu, 17 Aug 2017 10:18:26 -0400
To: dmarc@ietf.org
References: <1502957343.3548792.1076152832.1FEB1A8C@webmail.messagingengine.com>
From: "mhammer@americangreetings.com" <mhammer@americangreetings.com>
Message-ID: <a62e1229-a1a3-47ec-ad36-c95e2b7025d9@americangreetings.com>
Date: Thu, 17 Aug 2017 10:18:25 -0400
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <1502957343.3548792.1076152832.1FEB1A8C@webmail.messagingengine.com>
Content-Type: multipart/alternative; boundary="------------2392CA09522D04071A7642CA"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/xkHV7E0sCfJrGdr0KwmXZgco4t0>
Subject: Re: [dmarc-ietf] ARC-Seal is meaningless security theatre
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 14:18:31 -0000
On 8/17/2017 4:09 AM, Bron Gondwana wrote: > On Thu, 17 Aug 2017, at 15:28, Murray S. Kucherawy wrote: >> On Wed, Aug 16, 2017 at 5:47 PM, Bron Gondwana >> <brong@fastmailteam.com <mailto:brong@fastmailteam.com>> wrote: >> >> While there exists A SINGLE SITE which is ARC-unaware and DMARC >> p=reject aware, you can't use ARC on a DMARC p=reject domain >> without rewriting the sender. Otherwise that site will bounce the >> email. >> >> >> Goodness, it's a wonder that we've ever successfully deployed >> anything incremental around here. ;-) >> -MSK > > I laugh as well, but it's more than p=reject isn't enough in the ARC > world, because it doesn't distinguish between: > a) I'm OK with email from my domain being sent via mailing lists; and > b) no, this domain is only ever used for direct messages, it should > never appear in ARC chains that don't also pass DKIM. > You assume that mailing lists are the only corner case that ARC might address. It’s quite possible that this is not true. It's also not clear what you mean by "direct messages". When an agent does an MX lookup, it has no way of knowing whether the indicated MX host is the final destination or whether there are additional internal (to the administrative domain) or external hops beyond the initially indicated MX host. That's one of the things that makes the wonderful wacky world of email so interesting. While mailing lists are important to many, they are the tail and not the dog in the email world. > The existing behaviour of p=reject is (b) for receivers that don't > support ARC - so the question becomes: are we defining ARC to > changing the behaviour of p=reject to (a)? If so, will we define a > different (b) later, when we could instead have > defined a different p= for (a). > This is absolutely an incorrect statement. Policy within DMARC, as expressed by p=, is a request by the sending domain and can always be ignored or overridden by local policy. Using ARC as an input is no different than any other input that a mailbox provider/validator considers in making delivery decisions. > The interesting question is what happens at non-updated sites in each > case, because the answer is either "valid emails that should have been > accepted are rejected by old policy engine" or "spoofed emails that > should have been rejected are accepted by old policy engine" > In the DMARC world, emails are only valid in the sense that they pass either SPF or DKIM validation. A decision to accept or reject any given email involves many choices beyond simply passing DMARC validation for a given from domain. Spoofing may involve emails which pass DMARC validation but contain spoofing in the From display name, or any number of other ways. Mike
- [dmarc-ietf] ARC-Seal is meaningless security the… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Tim Draegen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… John Levine
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Scott Kitterman
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… MH Michael Hammer (5304)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen (b)
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… mhammer@americangreetings.com
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Kurt Andersen
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Seth Blank
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Brandon Long
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Dave Crocker
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Murray S. Kucherawy
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Bron Gondwana
- Re: [dmarc-ietf] ARC-Seal is meaningless security… Hector Santos