Re: Realistic responses to DMARC

Theodore Ts'o <tytso@mit.edu> Sun, 18 December 2016 06:59 UTC

Return-Path: <tytso@thunk.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BF16129530 for <ietf@ietfa.amsl.com>; Sat, 17 Dec 2016 22:59:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level:
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thunk.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wv6SKxIwatYK for <ietf@ietfa.amsl.com>; Sat, 17 Dec 2016 22:59:37 -0800 (PST)
Received: from imap.thunk.org (imap.thunk.org [IPv6:2600:3c02::f03c:91ff:fe96:be03]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C933E129457 for <ietf@ietf.org>; Sat, 17 Dec 2016 22:59:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=D1v6HNCwY2xutzZYDIBzRtv6+0fxqZhUGxsjBmzmLmU=; b=jFn11G6/uE0zRgYG+gG0Yd3K2LItQXe5D/+aABtsMz20+r/V1txaVZLLdnaxKbutMh2ku+TItTBU+mojeLwG7bRdIj/ENrXryye+vJEaC7zYuG3icDE/BflJYOAfxrbx9+VXy9nsNEdhQv7/iwXG6+auTuFciAtJ22kpCk1+QRE=;
Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.84_2) (envelope-from <tytso@thunk.org>) id 1cIVRX-0000jU-UC; Sun, 18 Dec 2016 06:59:35 +0000
Received: by callcc.thunk.org (Postfix, from userid 15806) id 208B0C003E4; Sun, 18 Dec 2016 01:59:05 -0500 (EST)
Date: Sun, 18 Dec 2016 01:59:05 -0500
From: Theodore Ts'o <tytso@mit.edu>
To: John R Levine <johnl@taugh.com>
Subject: Re: Realistic responses to DMARC
Message-ID: <20161218065905.5g66jgkvtckydmry@thunk.org>
References: <9AD6AAD6812D3B9F8379226B@PSB> <20161218022823.8779.qmail@ary.lan> <20161218055834.he6gkupqp5xqlvml@thunk.org> <alpine.OSX.2.11.1612180101460.14297@ary.qy>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <alpine.OSX.2.11.1612180101460.14297@ary.qy>
User-Agent: NeoMutt/20161126 (1.7.1)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: tytso@thunk.org
X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/qLMLIcG6mwUfZPkamLVYqM9jPSU>
Cc: IETF general list <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 18 Dec 2016 06:59:41 -0000

On Sun, Dec 18, 2016 at 01:04:14AM -0500, John R Levine wrote:
> Yes, those are the only choices at this point.
> 
> > I can think of one major open source project (namely, the Linux
> > kernel) which has refused to do either.
> 
> I'm reasonably sure you're mistaken here.  Don't they rewrite From: headers?

Nope, vger.kernel.org doesn't rewrite from headers.  An example of a
recent e-mail I received from the linux-fsdevel maliing list:

    Date: Tue, 6 Dec 2016 23:53:57 +0100
    From: David Gstir <david@sigma-star.at>
    To: linux-mtd@lists.infradead.org
    CC: tytso@mit.edu, dedekind1@gmail.com, ebiggers@google.com,
            mhalcrow@google.com, adrian.hunter@intel.com,
            linux-kernel@vger.kernel.org, hch@infradead.org,
            linux-fsdevel@vger.kernel.org, jaegeuk@kernel.org,
            dengler@linutronix.de, sbabic@denx.de, wd@denx.de,
            richard@nod.at, David Gstir <david@sigma-star.at>
    Subject: [PATCH v2 5/6] fscrypt: Delay bounce page pool allocation until needed
    X-Mailer: git-send-email 2.10.1
		
The fact that the from field is not rewritten is *IMPORTANT* because
rewriting the from field would break the "git am" command[1], since it
uses the From: field to fill in the git commit's from field, and it
would be sad if all of the git commits had an authorship of
linux-ext4@vger.kernel.org or ietf@ietf.org.  :-)

[1] https://www.kernel.org/pub/software/scm/git/docs/git-am.html

This is what allows the above mail headers to result in a git commit
which looks like this when applied using "git am":

commit f32d7ac20a5864483c1f96e4970daa083e18bfd1
Author:     David Gstir <david@sigma-star.at>
AuthorDate: Tue Dec 6 23:53:57 2016 +0100
Commit:     Theodore Ts'o <tytso@mit.edu>
CommitDate: Sun Dec 11 16:33:11 2016 -0500

    fscrypt: Delay bounce page pool allocation until needed

----

I will note that at least some people with foo@google.com addresses
have reported *not* having DMARC problems when using mailing lists at
vger.kernel.org, despite the fact that google.com has a dmarc p=REJECT
policy.  I can only guess (from external observation; I haven't looked
at any of the gmail anti-spam algorithms, nor do I have any interest
in looking at them) that even a DMARC p=reject is probably only
resulting in a very high spam score, but using either machine learning
or a manual setting, mail from vger.kernel.org (with perhaps certain
text features from the body of the e-mail very clearly not offering
the sale of pharmaceuticals or making money fast) is given a
sufficiently high score to offset the p=reject score.  And so
apparently mail sent from foo@google.com via a vger.kernel.org mailing
list, is apparently still reaching torvalds@gmail.com, even though
google.com has a p=reject policy, and even though gmail.com purports
to honor the DMARC spec.

Which brings up something interesting/important about DMARC --- what's
important is not just the DMARC policy of the sender's domain, but
also how the recipient domain is handling the DMARC policy.  It's
pretty clear that some recipient domains are not following the DMARC
specification strictly with respect to rejecting p=reject e-mail addresses.
So while mail sent by a sender who's domain has a p=reject via a
vger.kernel.org mailing list might get accepted by a recipient at
gmail.com, it might not be accepted by a recipient at yahoo.com ---
and that bounce might cause the yahoo.com recipient to get
automatically unsubscribed from the mailing list.

But that's probably fine, because no there are very few developers
using yahoo.com (and probably up to a billion fewer now :-).  And so
as we can see, even honoring DMARC policies can cause mailing list
participants pain; it's not just sending from p=reject domains that
cause pain in terms of possibly unreceived e-mail (and possibly
bumping people in the first category off the list due to
auto-unsubscription policies).

Therefore, a developer-friendly mail service MUST NOT have a p=reject
or p=quarantee DMARC policy, and MUST also ignore DMARC policies on
the receiving end.  Fortunately, these mail services do exist, even if
they aren't the big, free consumer ones.

Cheers,

					- Ted