Re: [dmarc-ietf] Suggestion: can we test DEMARC deployment with a mailing list?
Hector Santos <hsantos@isdg.net> Tue, 06 May 2014 18:25 UTC
Return-Path: <hsantos@isdg.net>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73A821A02A3 for <ietf@ietfa.amsl.com>; Tue, 6 May 2014 11:25:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -99.938
X-Spam-Level:
X-Spam-Status: No, score=-99.938 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_16=0.6, J_CHICKENPOX_46=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h18kWNvKpCRf for <ietf@ietfa.amsl.com>; Tue, 6 May 2014 11:25:50 -0700 (PDT)
Received: from ntbbs.winserver.com (mail.catinthebox.net [208.247.131.9]) by ietfa.amsl.com (Postfix) with ESMTP id A0B701A0269 for <ietf@ietf.org>; Tue, 6 May 2014 11:25:50 -0700 (PDT)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=3772; t=1399400736; h=Received:Received: Received:Received:Message-ID:Date:From:Organization:Subject:To: List-ID; bh=wl1ufwYI6w/ljkmcZ3rgZAzGTvQ=; b=k504heDgkvBlemO9gYj4 sy7hkYvrENBxBsQ3BWJS5jqUCNR+9kbTdF76Jp4mu0RrVB7HKOpaGVZggy8spDpm i68tg5cjqPqHOhzHXx/oWCjZZzQT1Kr1ih7mCv2Ix1dBoDIGjeJySQ8TIzE37YsF tqujBuGCQJ4tkO43Hy/C+aQ=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Tue, 06 May 2014 14:25:36 -0400
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com; adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from hector.wildcatblog.com (opensite.winserver.com [208.247.131.23]) by winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2509292571.1852.3408; Tue, 06 May 2014 14:25:36 -0400
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=3772; t=1399400630; h=Received:Received: Message-ID:Date:From:Organization:Subject:To:List-ID; bh=0feYeKe bl+eKEykWiDUJAc5p054cV8GQn6ClhnGCiMM=; b=uPKrmxe/Vi4t47jgEmvpRFh D54qG+867Pw3jt9SAUlb7m2uvCfZxHO6OuvOzxznCy5hDaxLGVXi9BJrqZdu8fOE A1n1QklJ6rehSQOrLrB3/3xJmNeTpr3Dv56yor0qO4loiLLPoWNLfbjxvEQFKWtr onlhYHKwvpBsB5n4DNDg=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.4) for ietf@ietf.org; Tue, 06 May 2014 14:23:50 -0400
Received: from [192.168.1.2] ([99.121.4.27]) by beta.winserver.com (Wildcat! SMTP v7.0.454.4) with ESMTP id 2528806578.9.14836; Tue, 06 May 2014 14:23:49 -0400
Message-ID: <5369291C.5030108@isdg.net>
Date: Tue, 06 May 2014 14:25:32 -0400
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
CC: IETF <ietf@ietf.org>
Subject: Re: [dmarc-ietf] Suggestion: can we test DEMARC deployment with a mailing list?
References: <28671EE8-A8B9-40D1-9268-527A8FFC34AD@cisco.com> <53682B10.2070000@meetinghouse.net> <1BB8A9AB-C7C1-4959-B8C2-C649AB4EA19D@cisco.com> <53682C4B.80301@meetinghouse.net> <C92FEFD4-06B7-48CD-A1F3-CF6F3DB259DE@cisco.com> <536906F2.3060008@dcrocker.net>
In-Reply-To: <536906F2.3060008@dcrocker.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Comment: Missing recipient address appended by wcSMTP router.
To: ietf@ietf.org
Archived-At: http://mailarchive.ietf.org/arch/msg/ietf/mhCCoPvC6m4Seob8CCvXvaFAKJ8
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 18:25:53 -0000
On 5/6/2014 11:59 AM, Dave Crocker wrote: > On 5/5/2014 5:37 PM, Fred Baker (fred) wrote: > 1. DKIM and SPF have been fielded for perhaps 12 years. DKIM in > its original-but-similar form, DomainKeys, and then its initial > 'consortium' form, preceded the 2006 published DKIM RFC by several > years. SPF appeared around that time too. So the reference to 6 years > of operational experience is really on the very low side. 9+ years was the reference, not 6. Yes, the original DKIM+POLICY model was conceived from DomainKeys with its built-in strict policy "o=-" option. DKIM's policy features was called SSP which included support for allowing resigners. The problem was how to large scale authorized resigners. > > 2. Use of DKIM and SPF is reasonably well understood and does not > cause interesting email operations problems. I'm starting to hear some > unfortunate stories about DKIM signature breakage in scenarios that I'd > have hope would not have it, but the breakage of the signature is not > breaking legitimate email scenarios. SPF is a domain policy protocol. DKIM lacks one. DKIM is totally useless and unsecured without a policy layer. The DKIM Threat Analysis RFC4686 touches base with this. https://tools.ietf.org/html/rfc4686 > 3. DMARC's functions and limitations have been reasonably well > understood since it's inception. It works comfortably in specific > scenarios and causes problems in others. Again, there are no surprises > about these now. They've been clearly understood by those working on > the spec. But the problem is that the DKIM resigners didn't support it nor its predecessor ADSP for any use case, large or small. > 4. SPF actually has the potential for causing similar operational > problems. It has a strict mode that will cause receiver-side rejections > if honored, and they will occur for any multi-hop sequence. In the case > of SPF, multi-hop means /any/ sequence that produces a new client smtp > IP address, presented to the evaluating receiver. In the case of DMARC, > given the use of DKIM, the problem is multi-hop for scenarios that break > DKIM signatures. > > 5. The reason SPF's strict mode hasn't been problematic is that > virtually no one uses it. No, it wasn't a problem because the "YAHOOs" didn't do a -ALL policy or those domains that did not have a handle on their network of mail senders. Those that did use -ALL and there are thousands of domains who are, including ietf.org with its string -ALL SPF policy, had very little problems with them. v=spf1 ip4:12.22.58.0/24 ip6:2001:1890:123a::/56 ip4:64.170.98.0/24 ip6:2001:1890:126c::/56 ip4:4.31.198.32/27 ip6:2001:1900:3001:0011::0/64 ip4:209.208.19.192/27 ip6:2607:f170:8000:1500::0/64 ip4:72.167.123.204 -all But in principle, whether it was YAHOO or another domain, the SPF network of SPF receivers did support the -ALL rejection semantics. That wasn't the case with ADSP Discardable and DMARC p=reject until now with the switch turned on. > So what's different now is not technical, its operations policy. A > couple of large providers chose to apply DMARC to scenarios known to > cause problems for some of their users and groups their users work with. Dave, its a technical problem because the DKIM-WG intentionally deemphasized an author domain policy lookup layer seeking to replace it with a 3rd party signer domain trust/reputation lookup service model. The latter hasn't materialized so DKIM was left unprotected without the author domain policy layer. The removal of policy has caused interop problems. The goal now is to give DMARC 3rd party semantics and support within the DKIM framework where the resigners can coexist cooperatively. -- HLS
- Suggestion: can we test DEMARC deployment with a … Fred Baker (fred)
- Re: Suggestion: can we test DEMARC deployment wit… Christopher Morrow
- Re: Suggestion: can we test DEMARC deployment wit… Douglas Otis
- Re: Suggestion: can we test DMARC deployment with… John Levine
- Re: Suggestion: can we test DEMARC deployment wit… Dave Crocker
- Re: Suggestion: can we test DMARC deployment with… Fred Baker (fred)
- Re: Suggestion: can we test DMARC deployment with… John R Levine
- Re: Suggestion: can we test DMARC deployment with… Theodore Ts'o
- Re: Suggestion: can we test DMARC deployment with… Douglas Otis
- Re: Suggestion: can we test DMARC deployment with… John R Levine
- Re: Suggestion: can we test DEMARC deployment wit… Hector Santos
- Re: Suggestion: can we test DMARC deployment with… Theodore Ts'o
- Re: Suggestion: can we test DEMARC deployment wit… Hector Santos
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Miles Fidelman
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Fred Baker (fred)
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Miles Fidelman
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Fred Baker (fred)
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Dave Crocker
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Hector Santos
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Douglas Otis
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Hector Santos
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… ned+ietf
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Hector Santos
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Hector Santos
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… John Levine
- Re: [dmarc-ietf] Suggestion: can we test DEMARC d… Doyle, John