IETF Logo Mail Archive

Re: [dmarc-ietf] Suggestion: can we test DEMARC deployment with a mailing list?

"Doyle, John" <john.doyle@fmr.com> Fri, 06 June 2014 22:33 UTC

Return-Path: <john.doyle@fmr.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB8821A02AA for <ietf@ietfa.amsl.com>; Fri, 6 Jun 2014 15:33:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.402
X-Spam-Level:
X-Spam-Status: No, score=-6.402 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M-S6DMD_A86B for <ietf@ietfa.amsl.com>; Fri, 6 Jun 2014 15:33:09 -0700 (PDT)
Received: from msginmsm10vapp.fmr.com (ltm-fwus409m-410m.fidelity.com [155.199.16.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C3A51A0273 for <ietf@ietf.org>; Fri, 6 Jun 2014 15:33:08 -0700 (PDT)
Received: from msgrtphc05win.DMN1.FMR.COM (MSGRTPHC05WIN.dmn1.fmr.com [10.95.11.185]) by msginmsm10vapp.fmr.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.1) with ESMTP id s56MWtAt017381 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=FAIL); Fri, 6 Jun 2014 22:32:56 GMT
X-DKIM: OpenDKIM Filter v2.1.3 msginmsm10vapp.fmr.com s56MWtAt017381
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fmr.com; s=2012-05-26; t=1402093977; bh=90Bna/5gkJ7ZodZjCdwkaX4CUuSo477C0ikicN3rFUw=; h=From:To:CC:Date:Subject:Message-ID:In-Reply-To:Content-Type: Content-Transfer-Encoding:MIME-Version; b=YLxc/QSMlPkw0z99s7PqUHYLApCjhUrNFEXw2erpe80gc5zwS0XJlt/ZCmB+NmnR7 1dZ0anyDxcAZrDlPrw7cm7t4dVhdHUFbFXJjipsEktfz5Km5/M5AYj4pbrRwtyex/3 6amM66b5EkJsUGSaue9P5/aQixQwF2eM9H6+D6rY=
Received: from MSGRTPCCRD2WIN.DMN1.FMR.COM ([10.95.12.21]) by msgrtphc05win.DMN1.FMR.COM ([10.95.11.185]) with mapi; Fri, 6 Jun 2014 18:32:54 -0400
From: "Doyle, John" <john.doyle@fmr.com>
To: "'ned+ietf@mauve.mrochek.com'" <ned+ietf@mauve.mrochek.com>, "'dhc@dcrocker.net'" <dhc@dcrocker.net>
Date: Fri, 06 Jun 2014 18:32:53 -0400
Subject: Re: [dmarc-ietf] Suggestion: can we test DEMARC deployment with a mailing list?
Thread-Topic: [dmarc-ietf] Suggestion: can we test DEMARC deployment with a mailing list?
Thread-Index: Ac9ptLbD/EHVqF3wRq+CiAFhikt9+gYIor8x
Message-ID: <53A1885CA322CB498E17F4E1242556E101E560EFEF1D@MSGRTPCCRD2WIN.DMN1.FMR.COM>
In-Reply-To: <01P7I8FAW2JY000052@mauve.mrochek.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/ZU8kxCZROr6DyAVKdmS1g4QeMeY
Cc: "'ietf@ietf.org'" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jun 2014 22:33:11 -0000


----- Original Message -----
From: ned+ietf@mauve.mrochek.com [mailto:ned+ietf@mauve.mrochek.com]
Sent: Wednesday, May 07, 2014 01:01 AM
To: Dave Crocker <dhc@dcrocker.net>
Cc: IETF <ietf@ietf.org>
Subject: Re: [dmarc-ietf] Suggestion: can we test DEMARC deployment with a mailing list?

> On 5/5/2014 5:37 PM, Fred Baker (fred) wrote:
> >>> I guess we’re running it. I was hoping to avoid the “everything
> >>> around broke” part.
> >>
> >> Well.. I can certainly tell you that, as someone who supports a
> >> couple of dozen email lists, an awful lot broke
> ...
> > And what comes quickly to mind is the comment, earlier in this
> > thread, that “we have been running it for nine years.”
> >
> > Running it, perhaps, but not learning from it. Kind of “Really Not
> > The Point”.


> I might be a bit confused about the 'it' being referenced, so it's worth
> ensuring some clarity:

>      1.  DKIM and SPF have been fielded for perhaps 12 years.  DKIM in
> its original-but-similar form, DomainKeys, and then its initial
> 'consortium' form, preceded the 2006 published DKIM RFC by several
> years.  SPF appeared around that time too.  So the reference to 6 years
> of operational experience is really on the very low side.

The relationship of time to operational experience is far from obvious, even
for specifications we view as successfully deployed.

>      2.  Use of DKIM and SPF is reasonably well understood and does not
> cause interesting email operations problems.  I'm starting to hear some
> unfortunate stories about DKIM signature breakage in scenarios that I'd
> have hope would not have it, but the breakage of the signature is not
> breaking legitimate email scenarios.

That's incorrect. The obvious counterexample is MIME downgrading, which was a
core MIME capability from the start.

I note in passing that DKIM could have been engineered to accomodate
this by canonicalizing to binary and removed CTEs, but wasn't.

>      3.  DMARC's functions and limitations have been reasonably well
> understood since it's inception.  It works comfortably in specific
> scenarios and causes problems in others.  Again, there are no surprises
> about these now.  They've been clearly understood by those working on
> the spec.

I can't speak to what was in the minds of the developers, but I view the fact
that the specification is noticeably lacking in describing these limitations 
as problematic.

I haven't had time to do a careful review of the DMARC specification, but I do
note one obvious omission: Wouldn't it have been helpful to define an enhanced
status code for a p=reject failure which mailing lists could detect and take
appropriate action, i.e. counting this as a failure of the sender, not the
recipient?

>      4.  SPF actually has the potential for causing similar operational
> problems.  It has a strict mode that will cause receiver-side rejections
> if honored, and they will occur for any multi-hop sequence.  In the case
> of SPF, multi-hop means /any/ sequence that produces a new client smtp
> IP address, presented to the evaluating receiver.

All very true, but SRS and similar schemes provide a reasonable way to address
SPF issues.

> In the case of DMARC,
> given the use of DKIM, the problem is multi-hop for scenarios that break
> DKIM signatures.

And AFAIK no mitigation strategy comparable to SRS is possible with DMARC as it
is presently constituted.

>      5.  The reason SPF's strict mode hasn't been problematic is that
> virtually no one uses it.

The customers we have who have been forced to deploy SRS are just a figment of
my imagination then.

I'll also note that strict mode is sufficient but not necessary to cause
problems to forwarders. A lot of places factor SPF failures into spam scores.
An increase in those scores may result in an overall higher failure rates.

> So what's different now is not technical, its operations policy.

Operations policies aren't technical in nature? They sure seem technical to me.

				Ned

v2.23.0 | Report a Bug | By Email