Re: [dmarc-ietf] IETF Mailing Lists and DMARC
Hector Santos <hsantos@isdg.net> Wed, 02 November 2016 20:05 UTC
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=4544; t=1478117116; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=JXoLz/0xu0NsWppzZKJiMXi3/hU=; b=U6FXnjIV7aYZA5iXVb6CeJUHaNlLVm+M0QqN8e8qTS6KOcuFPmx0QJPLx+xKnZ CpOP70jvLHx2K/4TZMEiK35SyTCpzfLo88IhwJ7au+hy/DPkQ1GrlxNGKRTaYWBR l1+bWmOq0iKCl/gxNYbplRo0Frx20GY+9OwRFl3APUXtA=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.5) for ietf@ietf.org; Wed, 02 Nov 2016 15:05:16 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.5) with ESMTP id 605626432.1.2900; Wed, 02 Nov 2016 15:05:14 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=4544; t=1478117106; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=dZ8Y/ii 8f+pxOyQEvKXtGP000Xe6mUijDmH6wG80J6I=; b=gD4hCEoVMGRwKeii1KtmoSh SFmXA4wh6Ym4tdbQZNQ3iaTuIbOz7ZqgsoZWN+vu1xCPWaoLig6yGPqB+sHB7lyk 6Vep8bEd4G1QggCwn+W0J/3kmH2uwFknwwuMzhHZOclnjV3d9qHxLOvn2PvY5G/N XCYRQIBuTVurdVJW6VjI=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.5) for ietf@ietf.org; Wed, 02 Nov 2016 16:05:06 -0400
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.5) with ESMTP id 61185937.9.16276; Wed, 02 Nov 2016 16:05:05 -0400
Message-ID: <581A46FA.6040001@isdg.net>
Date: Wed, 02 Nov 2016 16:05:14 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: Cullen Jennings <fluffy@iii.ca>, ietf@ietf.org, dmarc@ietf.org
Subject: Re: [dmarc-ietf] IETF Mailing Lists and DMARC
References: <678C2FBA-A661-4556-A300-5C08562B5F8A@iii.ca>
In-Reply-To: <678C2FBA-A661-4556-A300-5C08562B5F8A@iii.ca>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/iPQld85aewe6gWW_Daefkv0iFyg>

Since its inception, this has been the "Achilles' heel" of DKIM without a Signature Policy Authorization framework. i.e. authorizing 3rd party mail processors, such as a list manager/server or could bring the integrity and/or resign the mail as a 3rd party.

The IETF abandoned the proposed standard ADSP RFC (and hence any add-on extension work like ATPS) and replaced it with an informative DMARC RFC described as a "Super ADSP" without resolving the 3rd party authorization problem.

ATPS was the original proposed standard to authorize the first party signature and combined with ADSP extension ATPS, it covered the Third Party Signature authorization.

ADSP/ATPS actually works very well. It's been in production for a number of years. I have "ietf.org" as a 3rd party signer assigned to my ATPS records in DNS. Supportive receivers can then see that I authorize ietf.org to sign my IETF submissions as my receivers do when I get a copy. My ADSP record for isdg.net is:

   dkim=all; atps=y; asl=ietf.org,beta.winserver.com,santronics.com,isdg.net,winserver.com,megabytecoffee.com,mapurdy.com.au,mipassoc.org,gmail.com,googlegroups.com;"

The asl list contains my small list of authorized list servers plus other 3rd party associates. For the larger "registered" list, the "atps=" says to look up the ATPS record for the signer domain in the author's zone.

It works very well. This wizard helps illustrate how records are created and updated for the DMARC record:

   http://www.winserver.com/public/wcdmarc/default.wct

However, this solution requires a "Registration Of 3rd party Domains" solution, i.e. you have to learn/teach your personal network of email domains and register them somehow for others to look up and query, and many feel this won't scale. It won't for some, it will for others.

Now there is the ARC effort that could help resolve the problem, iff everyone supports it. IMO, it appears complex (doc is very verbose). I believe it has RFC5222 overhead related code changes. If you have an API ready for it, it should help. While receivers still need to support it, not all receivers use the same API base code.

I was not happy when a big investment was lost when the IETF abandoned (incorrectly, in my opinion) the ADSP work, in particular when DMARC effectively replaced ADSP, literally described as a "Super ADSP", and it didn't offer any 3rd party policy support whatsoever. So I am not too eager to jump on more IETF DKIM related work, including ARC.

DMARC is not complete. It's not even a proposed standard. Lots of work still needs to be done but I'm sure that RFC status can change when desired by the key cogs.

All I would like to see is for DMARC to begin offering 3rd party policy models with known solutions that include simple DNS lookup like ADSP/ATPS offered. It shouldn't be limited to just ARC.

That said, the only other current way to resolve this with DMARC is to relax your policy to "p=none". By making it "p=reject", all DMARC compatible receivers are designed to reject it when it's signed by 3rd party signers and/or the original mail integrity, hence 1st party signature, is broken.

--
HLS

On 11/2/2016 12:00 PM, Cullen Jennings wrote:
>
> So if someone sends an email with a bad signature to an IETF list from a domain that has a reject policy, and the IETF server forwards it to my email provider, my email provider rejects it. Now the IETF email server counts that as a bounce. Too many bounces in a row and the IETF server unsubscribes me from the list.
>
> This does not seem OK that anyone can trivially send some SPAM and get me unsubscribed.
>
> What's the right advice on how the IETF server should be run?
>
> Now to a more detailed problem - Jana sends lots of email to the quic list. I don't get any of them. It appears that my email server (run by rackspace) rejects them with an
>
> Diagnostic-Code: smtp; 550 5.7.1 Email rejected per DMARC policy for google.com (G15)
>
> If Jana sends the email directly to me, it works. This seems to point at the IETF server doing something that breaks the signature in Jana's email.
>
> I realize this is not the "debug your email" list, but I have no idea where is the right place to ask about this so I sent it here. Sorry.
>
> Can anyone tell me how their DMARC system views the emails from Jana to the quic@ietf.org list?
>
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>
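
Added example (not part of the original message, and not Santronics or IETF code): a receiver-side sketch of the third-party signer authorization described above, checking a DKIM signer against the quoted ADSP record's asl list and then against an ATPS record in the author's zone. Assumptions: the asl tag is parsed as the comma-separated list it appears to be in the record, the ATPS query name follows RFC 6541 as understood here (base32 of the hashed signer domain under _atps), and txt_lookup, ZONE and lists.example.net are hypothetical stand-ins for DNS.

```python
import base64
import hashlib

# ADSP record as quoted in the message (the line-wrapped domain rejoined).
ADSP_RECORD = ("dkim=all; atps=y; asl=ietf.org,beta.winserver.com,santronics.com,"
               "isdg.net,winserver.com,megabytecoffee.com,mapurdy.com.au,"
               "mipassoc.org,gmail.com,googlegroups.com;")

def parse_tags(record):
    """Split a 'tag=value; tag=value' policy record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def atps_query_name(signer, author, atpsh="sha1"):
    """DNS name holding the ATPS record for `signer` in the author's zone."""
    signer = signer.lower().rstrip(".")
    if atpsh == "none":
        label = signer  # unhashed form: the signer domain itself
    else:
        digest = hashlib.new(atpsh, signer.encode("ascii")).digest()
        # Assumption: base32 padding is dropped so the label is DNS-safe.
        label = base64.b32encode(digest).decode("ascii").rstrip("=")
    return f"{label}._atps.{author.lower()}"

def signer_authorized(author, signer, adsp_record, txt_lookup, atpsh="sha1"):
    """Return (authorized, reason) for a DKIM signer relative to the author domain."""
    tags = parse_tags(adsp_record)
    author, signer = author.lower(), signer.lower()
    if signer == author:
        return True, "first-party signature"
    asl = {d.strip().lower() for d in tags.get("asl", "").split(",") if d.strip()}
    if signer in asl:
        return True, "listed in asl"
    if tags.get("atps") == "y":  # author says: consult ATPS records in my zone
        name = atps_query_name(signer, author, atpsh)
        for txt in txt_lookup(name):
            if parse_tags(txt).get("v") == "ATPS1":
                return True, f"ATPS record at {name}"
    return False, "third-party signer not authorized"

# Constructed zone data: one ATPS record for a hypothetical list host.
ZONE = {atps_query_name("lists.example.net", "isdg.net"): ["v=ATPS1; d=lists.example.net"]}

def txt_lookup(name):
    """Offline stand-in for a DNS TXT query."""
    return ZONE.get(name, [])
```

A receiver would run this only after the third-party DKIM signature itself has verified; an unauthorized signer then falls through to whatever the author's policy (dkim=all here) dictates.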