IETF Logo Mail Archive

Re: [dmarc-ietf] p=quarantine

Douglas Foster <dougfoster.emailstandards@gmail.com> Mon, 14 December 2020 15:12 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41A613A12E7 for <dmarc@ietfa.amsl.com>; Mon, 14 Dec 2020 07:12:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.803
X-Spam-Level:
X-Spam-Status: No, score=0.803 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EEAHrglYUODh for <dmarc@ietfa.amsl.com>; Mon, 14 Dec 2020 07:12:02 -0800 (PST)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1CDEA3A12E3 for <dmarc@ietf.org>; Mon, 14 Dec 2020 07:12:02 -0800 (PST)
Received: by mail-vs1-xe36.google.com with SMTP id q10so9108715vsr.13 for <dmarc@ietf.org>; Mon, 14 Dec 2020 07:12:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=skoBLoJt0GkHexFmpym3hywoB/0sC9nLGbDlKhWpNWY=; b=Lar06MxzLiloMiSn4yJJWi3g+QevWHHSwkvHIUnAVtF2J0Z5thC7AWs8H14Jnhgo6p 50gAes5J3p/K+70bPmNzEBdNh7rHodvaFNdl1gJzorWeUyyaf/GNsC+U8eUwcCQWjhyy 3ZIewKsA3CUGFFEaa+khX5f4giIyqFRC5EXQbSg9zrbW506gSHhfQZFffk9tZhs8kouN kiYxMWgR+PFFyv0dFRnTMb5a7VBIzYHcVRU5woA28Ns6c6Ka8BPNcxF1I9ETH5RBGVTG 7uhC1fVRU45sf+dUAP0swSNm7UytqkhBf0aYD1Z536zu2xzpTOL6Nd4AdFTnZdT4AjYo Glzg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=skoBLoJt0GkHexFmpym3hywoB/0sC9nLGbDlKhWpNWY=; b=oE5eqmV6OHApbCRg09jEZVKVQMNlSlVmvc/IHiBiIaZ8K9FgRJ8vmPR4L6Colb71Ld pRgPLxDfAaHQJZkJzPnFruLD1x61HZcT+TTDaEeK/3ThRQVZVIaRZ0bqXBmBgsiM2HH5 j0BOsw9V+RazkhIBOGHc+rMT/VP99Q6S0U4x3luOcXueBe07i5IPAfMzug8b2j4FGlYx tOVt1k3xrcjqYKR84yojyqZFiFzjP4AGMSo7IYflL64U+SDstIttWOTjxB7vOK+4igCk 0fqFKCLUJFPXo04wy87Xg19OROa08ZMplzpJ3l1Ddwaq3w5xs9DF5mrPkcT4qIHX1wcY S+/w==
X-Gm-Message-State: AOAM532D0E0VKnlmnZkNyA9V69gYXiWlZL1wUn+izxLOaXRbht121kzH ky5C1cunW2ewskWPMdp+BTCGBqQM1NTePlSliXN0NAgY
X-Google-Smtp-Source: ABdhPJzyTQonLnbyWTpDV7JlJcqYw8B13BrG6rY+xOT/w+ckEEG8CF1oP4zFeixjtbcC4RgZiYMfGy17cyNmpil9Z+A=
X-Received: by 2002:a67:c983:: with SMTP id y3mr1647029vsk.59.1607958719698; Mon, 14 Dec 2020 07:11:59 -0800 (PST)
MIME-Version: 1.0
References: <20201211173722.6B4DF29782C7@ary.qy> <ea074aad-971b-abc6-d557-ea2f433b3cc7@gmail.com> <CAH48ZfxEjGHv99z3RGj+Z+KJaFVPvm6RG4UzkKuOoDQDVCmb3g@mail.gmail.com> <A5E108DC-2692-4927-B2C1-AE3FED6DA8AA@wordtothewise.com>
In-Reply-To: <A5E108DC-2692-4927-B2C1-AE3FED6DA8AA@wordtothewise.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Mon, 14 Dec 2020 10:11:48 -0500
Message-ID: <CAH48ZfwkPEgexwGvyMT_PevMM5ngBT_XRfHYi7Wy1yxMw1LP1A@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004d18a205b66e10bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/znGrc60S1VwTKeJXVVKj2zxZu5w>
Subject: Re: [dmarc-ietf] p=quarantine
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Dec 2020 15:12:04 -0000

I called that a third-party message, since the RFC5321.MailFrom domain is
different from the RFC5322.From domain.

I am open to revisions of how the boundaries should be defined, but as I
said in my reply just now to Michael Hammer, we need to define those
boundaries in a way that both sender and receiver understand.  This is the
full problem description:

We have these three types of senders:
- first-party senders
- third-party senders
- spoofers

We have these four verification states at initial transmission:
- none
- spf only
- dkim only
- spf and dkim

We have these 9 routing scenarios:
- direct (1)
- indirect (8)
    with and without SMTP rewrite
    with and without FROM rewrite
    with and without content modifications

Upon receipt, we have these verification states:
- Not verified
- SPF only
- DKIM only
- SPF and DKIM

For messages that do not verify, the evaluator uses sender policy (none,
quarantine, reject) to categorize the message as either "verifiably
spoofed" or "uncertain".   What is the algorithm for doing so?

DF


On Mon, Dec 14, 2020 at 5:05 AM Laura Atkins <laura@wordtothewise.com>
wrote:

>
>
> On 13 Dec 2020, at 21:44, Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
> Based on this discussion, it seems evident that p=reject should include
> language about in-transit modifications which are outside the control of
> the source domain, and consequently outside the ability of DMARC to guide
> recipients.    Extending from that, I thought it would be helpful to
> specify some shared assumptions between sender and evaluator to make the
> interpretation of the settings less subjective.   I call this the "Minimum
> expected implementation at pct=100".
>
>
> What about messages which do not have SPF verification but do have DKIM
> verification? A significant number of email platforms use their own domains
> in the 5321.from address but have the customer sign with DKIM. In many
> cases, DKIM signing is actually free, whereas making the SPF align is a
> paid service.
>
> p=none
> Minimum expected implementation at pct=100:
> All first-party direct messages (RFC5321.MailFrom domain = RFC5322.From
> domain) are verifiable using SPF, but may not have a DKIM signature.
> Third-party direct messages ( RFC5321.MailFrom domain = RFC5322.From
> domain ) may or may not have DKIM signatures.
> Consequently, indirect messages are often not verifiable using DMARC.
>
>
> p=quarantine
> Minimum expected implementation at pct=100:
> All first-party direct messages (RFC5321.MailFrom domain = RFC5322.From
> domain) are verifiable using SPF, but may not have a DKIM signature.
> Third-party direct messages ( RFC5321.MailFrom domain = RFC5322.From
> domain ) are verifiable using DKIM signatures.
> Consequently, indirect messages may or may not be verifiable, depending
> whether the forwarded message included a signature.
>
> p=reject
> Minimum expected implementation at pct=100:
> All first-party direct messages (RFC5321.MailFrom domain matches
> RFC5322.From domain) are verifiable using SPF and DKIM.
> Third-party direct messages ( RFC5321.MailFrom domain does not match
> RFC5322.From domain ) are verifiable using DKIM signatures.
> Indirect messages which are not modified in transit are verifiable using
> DKIM signatures.
> Indirect messages which are modified in transit are outside the scope of
> DMARC and must be evaluated by other criteria available to the recipient
> system.
>
> Having defined the policies/categories in these terms, the logical next
> step would be a best practices document which discusses how an evaluator
> might distinguish between direct messages, indirect unmodified messages,
> and indirect modified messages.   ARC obviously plays a role in making
> these distinctions easier to determine and less error-prone.
>
> Doug Foster
>
>
> On Sat, Dec 12, 2020 at 1:42 PM Dave Crocker <dcrocker@gmail.com> wrote:
>
>> On 12/11/2020 9:37 AM, John Levine wrote:
>> > In article <1AC986FF-507B-4917-9C6D-D84E9337FC7A@wordtothewise.com>
>> you write:
>> > aligned is not authorized by the domain owner and may be discarded or
>> rejected by the recipient.
>> > Naah.
>> >
>> > p=reject: all mail sent from this domain should be aligned in a DMARC
>> > compliant way. We believe that unaligned mail is from unauthorized
>> > senders so we ask receivers to reject it, even though that might mean
>> > some of our authorized senders' mail is rejected too.
>>
>>
>> As soon as this specification text, here, contains language about how
>> this information is to be used, should be used, or could be used, it
>> crosses over into creating confusion about expectations of receiver
>> handling.
>>
>> It encourages misguided language such as the receiver 'overriding'
>> sender policy.  The sender has no policies about receiver behavior,
>> because there is no relationship between them. Using milder language
>> here doesn't help, because readers typically do not read like legal or
>> technical scholars.
>>
>> DMARC provides information, not direction.
>>
>> The spec already contains misguided perspective by talking about
>> 'policy' records and, even worse, "policy enforcement considerations".
>>
>> If the document must contain language about receiver choices in message
>> disposition, move it to an overtly non-normative discussion section that
>> legitimately covers a wide range of things that receivers do or don't do
>> (cast as things they might or might not do.)  And make sure none of the
>> language hints at sender 'policy', overrides, or the like.
>>
>>
>> d/
>>
>> --
>> Dave Crocker
>> dcrocker@gmail.com
>> 408.329.0791
>>
>> Volunteer, Silicon Valley Chapter
>> American Red Cross
>> dave.crocker2@redcross.org
>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
> --
> Having an Email Crisis?  We can help! 800 823-9674
>
> Laura Atkins
> Word to the Wise
> laura@wordtothewise.com
> (650) 437-0741
>
> Email Delivery Blog: https://wordtothewise.com/blog
>
>
>
>
>
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email