Re: [dmarc-ietf] Discussion: Removal of validation for external destinations (Ticket #76)

"Brotman, Alex" <Alex_Brotman@comcast.com> Mon, 01 February 2021 15:12 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: DMARC IETF <dmarc@ietf.org>
Date: Mon, 01 Feb 2021 15:11:51 +0000
Message-ID: <MN2PR11MB4351895D112A3C903F9A5271F7B69@MN2PR11MB4351.namprd11.prod.outlook.com>
References: <MN2PR11MB4351D62302C7357DE653F8B4F7F00@MN2PR11MB4351.namprd11.prod.outlook.com> <fc1d9d7c-4e14-78af-0416-b6cfb0873468@tana.it> <0359b009-5b18-46f8-85a5-959ad337dd49@beta.fastmail.com>
In-Reply-To: <0359b009-5b18-46f8-85a5-959ad337dd49@beta.fastmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/zIuiCuIvUcKgudJZH2NS2IqEp2w>

This came up in another thread elsewhere, and I wanted to see if there was any more input before closing this as "wontfix". The only feedback I got during this thread was that this external check should remain as it may prevent abuse, and it appears that many have already implemented this.

The original thread is here: https://mailarchive.ietf.org/arch/msg/dmarc/pL7dsXjXn9BmADxly0yO2cDC_ro/

Thanks

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Marc Bradshaw
Sent: Monday, December 7, 2020 5:25 PM
To: DMARC IETF <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Discussion: Removal of validation for external destinations (Ticket #76)

Removing this opens up the potential for abuse, I don't see the value in removing it.

On Sun, 6 Dec 2020, at 11:06 PM, Alessandro Vesely wrote:
On Sat 05/Dec/2020 14:51:52 +0100 Brotman, Alex wrote:
>
> There's currently a ticket that suggests that the requirement for external validation be removed.  Today, if example.com has an RUA that points at example.net, the latter must create a record as such:
>
> example.com._report._dmarc.example.net TXT "v=DMARC1"


Actually, the record can also be:

example.com._report._dmarc.example.net TXT "v=DMARC1; rua=updated-address@example.net"

or even, considering a parallel thread:

example.com._report._dmarc.example.net TXT "v=DMARC1; rua=report@example.net, /https://www.example.net/report/"


That way, external services have the ability to control or suspend their service.  I think this is an essential requirement.  Let's keep it.


> The original thought was that a bad actor could overwhelm a target with unrequested reports.  It seems in reality, most report generators only send once per day.


Once-per-day has to be amended.  See ticket #71.


> Additionally, there appear to be some generators who ignore the absence of these records.


Aggregate reports are often tagged as spam anyway, but when sent in violation of the spec such tagging is certainly deserved.


> https://tools.ietf.org/html/rfc7489#section-7.1


Why don't you refer to either of the drafts we're editing:
https://tools.ietf.org/html/draft-ietf-dmarc-aggregate-reporting-00#section-2.1
https://tools.ietf.org/html/draft-ietf-dmarc-failure-reporting-00#section-3.2

BTW, this duplication is worth yet another ticket.


Best
Ale
--


--

  Marc Bradshaw
  marcbradshaw.net | @marcbradshaw
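The external-destination check the thread is debating, written out as an added example (it is not code from the thread or from any DMARC implementation): before sending an aggregate report to a rua destination in another domain, the report generator looks up <policy-domain>._report._dmarc.<destination-domain>, sends only if a v=DMARC1 record is there, and uses the rua override from that record if one is present, as in Ale's second record above. The DNS data is constructed, and org_domain is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from urllib.parse import urlparse

# Constructed stand-in for a DNS TXT lookup (owner name -> list of TXT strings)
# so the example runs offline; real code would query DNS here.
FAKE_DNS_TXT = {
    # example.net accepts reports about example.com but redirects them
    "example.com._report._dmarc.example.net":
        ["v=DMARC1; rua=mailto:updated-address@example.net"],
    # example.org simply consents
    "example.com._report._dmarc.example.org": ["v=DMARC1"],
    # example.invalid publishes nothing for example.com (assumed)
}


def org_domain(name):
    # Simplification: last two labels stand in for the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def uri_host(uri):
    # mailto: URIs carry the domain after '@'; other schemes use the host part.
    u = urlparse(uri)
    return u.path.rsplit("@", 1)[-1] if u.scheme == "mailto" else u.hostname


def parse_tags(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def verified_rua(policy_domain, rua_uris, lookup=FAKE_DNS_TXT.get):
    """Return the report URIs a generator may actually send to."""
    out = []
    for uri in rua_uris:
        dest = org_domain(uri_host(uri))
        if dest == org_domain(policy_domain):
            out.append(uri)          # same organization: no verification needed
            continue
        name = f"{policy_domain}._report._dmarc.{dest}"
        records = [r for r in (lookup(name) or [])
                   if r.strip().lower().startswith("v=dmarc1")]
        if not records:
            continue                 # destination did not consent: do not send
        tags = parse_tags(records[0])
        if "rua" in tags:            # destination redirects where reports go
            out.extend(u.strip() for u in tags["rua"].split(","))
        else:
            out.append(uri)
    return out
```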