IETF Logo Mail Archive

Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows

Scott Kitterman <sklist@kitterman.com> Tue, 28 March 2023 20:01 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB954C151B3B for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 13:01:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="71KqibBW"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="RAkU7e+n"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vPzgIj7z4IhV for <dmarc@ietfa.amsl.com>; Tue, 28 Mar 2023 13:01:16 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAD1EC1516E9 for <dmarc@ietf.org>; Tue, 28 Mar 2023 13:01:16 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 65592F802F1 for <dmarc@ietf.org>; Tue, 28 Mar 2023 16:01:06 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1680033651; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=Pji5Vx6NW+FuNYLXK5oJVSrlqvRHh6S3ceZs2Ej0/RE=; b=71KqibBWB60gSoMOT+EMcqnIrDniuIGA0Oi1HZXgtfoL7aGuZpE/haS4TyYaGbBz2Vk40 yD/B4adtOBRJm5PDw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1680033651; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=Pji5Vx6NW+FuNYLXK5oJVSrlqvRHh6S3ceZs2Ej0/RE=; b=RAkU7e+nyJOiidXUTyn+nMiYhwBwMhgnmX4osKRSd8akcDi9qGNvSV/+Pv8DzKDdiHI1k Z13OhdHoZQeIlKdzPqaZusJEYIwxAdxS+/DtsiX7SVyD/1wcPJcL+WfW8UFEliMOFHEmMWh fHdOvJmWhbsr3kw7HuMVXH4zTFLiF4ZW7TkhQlRXd2PBpdjlhqjzxws1NEujpHf3uk6tXnq gLdTkdh/yAGG7TSs5D8SxrkmyRPHQF9pxZTAwTi1BSOJcxH+inQ2lkY01e+wsQ9TmX6LjoO 1m5GIKKfsw12DE0oF5+tKhT6DjRr+zm1ErlSeJfBTHLCwuUnrChBz8KT2Q7A==
Received: from localhost.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 1CE88F801D5 for <dmarc@ietf.org>; Tue, 28 Mar 2023 16:00:51 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Tue, 28 Mar 2023 16:00:44 -0400
Message-ID: <13145172.pEV04Z3DvM@localhost>
In-Reply-To: <CAHej_8nd1xyAgwASLJbuJHyXEAfHbjqxNH1XtJxKFyfyOneyug@mail.gmail.com>
References: <CALaySJ+NBg9vzqa0_t-sBf7EKXQ3A=DTyy-Vc7M-ZK9-vfJxmw@mail.gmail.com> <6319292.vCqnBZbX7o@localhost> <CAHej_8nd1xyAgwASLJbuJHyXEAfHbjqxNH1XtJxKFyfyOneyug@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/z_9Kmrxri0RSuLdfX0oferlfzwA>
Subject: Re: [dmarc-ietf] Proposed text for p=reject and indirect mail flows
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Mar 2023 20:01:20 -0000

On Tuesday, March 28, 2023 3:14:38 PM EDT Todd Herr wrote:
> On Tue, Mar 28, 2023 at 1:41 PM Scott Kitterman <sklist@kitterman.com>
> 
> wrote:
> > On Tuesday, March 28, 2023 4:15:04 AM EDT Barry Leiba wrote:
> > > NEW
> > > 
> > >    5.5.6.  Decide If and When to Update DMARC Policy
> > >    
> > >    Once the Domain Owner is satisfied that it is properly authenticating
> > >    all of its mail, then it is time to decide if it is appropriate to
> > >    change the p= value in its DMARC record to p=quarantine or p=reject.
> > >    Depending on its cadence for sending mail, it may take many months of
> > >    consuming DMARC aggregate reports before a Domain Owner reaches the
> > >    point where it is sure that it is properly authenticating all of its
> > >    mail, and the decision on which p= value to use will depend on its
> > >    needs.
> > >    
> > >    It is important to understand that many domains may never use
> > >    policies of “quarantine” or “reject”, and that these policies are
> > >    intended not as goals, but as policies available for use when they
> > >    are appropriate.  In particular, “reject” is not intended for
> > >    deployment in domains with users who send routine email, and its
> > >    deployment in such domains can disrupt indirect mail flows and cause
> > >    damage to operation of mailing lists and other forwarding services.
> > >    This is discussed in [RFC7960] and in Section 5.8, below.  The
> > >    “reject” policy is best reserved for domains that send only
> > >    transactional email that is not intended to be posted to mailing
> > >    lists.
> > >    
> > >    To be explicitly clear: domains used for general-purpose email MUST
> > >    NOT deploy a DMARC policy of p=reject.
> > > 
> > > END
> > 
> > [snip]
> > 
> > How about, "... MUST NOT deploy a DMARC policy other than p=none because
> > improper used of p=reject or (to a slightly lesser exent) p=quarantine is
> > extremely harmful to email interoperability."
> 
> Or, "...MUST NOT deploy a DMARC policy other than p=none because
> improper use of p=reject or (to a slightly lesser extent) p=quarantine is
> extremely harmful to email interoperability. Such improper use includes,
> but is not limited to, cases where the mitigation strategies discussed in
> RFCs 7960 and 8617 and elsewhere are not deployed for the mail flows
> in question and cases where the domain owner deems the collateral damage
> as acceptable loss in service of protecting its domain from unauthorized
> usage."
> 
> I suspect that my text above won't go over well, but the use of the term
> "improper use" smacks, to me, of the IETF being the protocol police, and
> I've been led to believe that's not what we do here.
> 
> There are many things I believe, and two of them are these:
> 
>    1. Any domain is a target to be spoofed
>    2. The custodian of a thing has the autonomy to do with that thing what
>    they please, so long as it's within the limits of the law. "My network,
> my rules" as it were (or "Your network, your rules")
> 
> DMARC is a tool in the fight against exact-domain spoofing, but some
> methods of its deployment can cause interoperability issues. I believe that
> as long as the risks are well understood and fully documented (to include
> references to mitigation strategies) then a domain owner will have all the
> information they need to make their choice as to what policy to deploy. To
> mandate that certain classes of domains not do something (and just how do
> we define "general-purpose" email anyway?) seems a bridge too far for me.

I agree with your items 1 and 2.  I'm not a particular fan of improper use 
either.  Maybe instead of improper use.  Maybe just "use with such domains".

Your characterization reads more like SHOULD NOT unless ....  I don't think 
that unless [list of things that are only true in very limited circumstances 
and can't really be verified reliably] is very useful.  How about this instead 
(I am attempting to split the difference between assuming p=reject is okay is 
normal or exceptional):

"...MUST NOT deploy a DMARC policy other than p=none because use of p=reject 
or (to a slightly lesser extent) p=quarantine for such domains is extremely 
harmful to email interoperability.  Mitigation strategies are discussed in
[RFC 7960] and [RFC 8617]."

I don't think we need to reiterate what p=reject does here, that's extensively 
addressed elsewhere in the document.  I don't think we have enough data to 
opine either way about the effectiveness of such strategies, so it's enough to 
point at them here.  We don't currently list RFC 8617 as a reference.  I think 
introducing an informative reference here is useful.  It's experimental, so we 
definitely don't want to put any normative language around it.

I suspect that's probably not what you would find ideal (it's not what I would 
find ideal either, but I can live with it).  Can you live with it?  What do 
others think?

Scott K

v2.23.0 | Report a Bug | By Email