Re: [dmarc-ietf] Ticket #1 - SPF alignment

Alessandro Vesely <vesely@tana.it> Thu, 21 January 2021 09:24 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69A973A185A for <dmarc@ietfa.amsl.com>; Thu, 21 Jan 2021 01:24:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.382
X-Spam-Level:
X-Spam-Status: No, score=-2.382 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.262, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1152-bit key) header.d=tana.it
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ug9TOiXEb_o3 for <dmarc@ietfa.amsl.com>; Thu, 21 Jan 2021 01:24:28 -0800 (PST)
Received: from wmail.tana.it (wmail.tana.it [62.94.243.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6AE83A0D25 for <dmarc@ietf.org>; Thu, 21 Jan 2021 01:24:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1611221064; bh=gl1SdCn87GoxgJwc0KgvYY/a28dg8vl1nq++e1erN8c=; l=1433; h=To:References:From:Date:In-Reply-To; b=AjKlKQ9M7Q3ZFSO44EEh3kIAvkVCX8u1mOL2tupGV91xv3/dtmMbr0uKCZphF1McP u/KkuvKYzR0b7W6PeSbl6FnFJvhRTIosEnT+sykAaEzHjqs6QI9xXL4xUUNWTt5MFy tIzkDObKg5bdNUivRGR+h5bFlibOEN1CYrNlbJp4wpPZQ/aipsb4TdPwz2JUU
Authentication-Results: tana.it; auth=pass (details omitted)
Original-From: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC056.0000000060094847.000070CD; Thu, 21 Jan 2021 10:24:23 +0100
To: dmarc@ietf.org
References: <bef64e7a-571b-a73f-dc91-aa402ca320c8@taugh.com> <45b3df7-5c6-9744-2ca8-1542e1b33e7b@taugh.com> <478c7b56-f2b4-c7c1-7722-27fdce4bb8e9@tana.it> <CAHej_8=UTfpVBZJnP6anWshO+6ytU7jb4nybru2gmkFDHZwH5w@mail.gmail.com>
From: Alessandro Vesely <vesely@tana.it>
Message-ID: <ebf4303b-88e0-4caa-267c-30c2c7516f24@tana.it>
Date: Thu, 21 Jan 2021 10:24:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
MIME-Version: 1.0
In-Reply-To: <CAHej_8=UTfpVBZJnP6anWshO+6ytU7jb4nybru2gmkFDHZwH5w@mail.gmail.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/yqIzhKIyBC_8qRQt7CpjzlpzmVo>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2021 09:24:30 -0000

On Tue 19/Jan/2021 22:26:09 +0100 Todd Herr wrote:
> Picking up the thread on another ticket that was brought before the group
> pre-holidays and has lain fallow since the end of 2020...
> 
> John Levine asserted that there wasn't a lot of strong opinion on the
> matter, and therefore we'd be leaving the spec as is, with the MAIL FROM
> SPF check the only one that matters for DMARC.
> 
> Ale replied, but I don't interpret his reply as challenging John's
> assertion.


The thread went off-topic w.r.t. the purpose of ticket #1.


> Can this ticket be closed?


I agree that the spec needs some text somewhere to counter the passage in 
Section 2.3 of RFC 7208.  This, methinks, is the intended semantics of the 
second paragraph of section 3.1.2 of dmarcbis:

OLD:
    Note that the RFC5321.HELO identity is not typically used in the
    context of DMARC (except when required to "fake" an otherwise null
    reverse-path), even though a "pure SPF" implementation according to
    [RFC7208] would check that identifier.

I'd rather replace that paragraph and leave item 4 of Section 6.6.2 as is.  For 
a possibly less confusing wording:

NEW:

    Even tough a "pure SPF" implementation, according to [RFC7208], would
    avoid to check the RFC5321.MailFrom identity if the RFC5321.HELO was
    conclusively determined to pass, DMARC authentication requires the
    authenticated identity to be aligned.


Best
Ale
--