I would like to propose updates to the DMARCbis documentation, specifically for 
Section 4.4.3 and a new Appendix A.8. Please find the suggested revisions 
below.  Your input would be greatly appreciated.  It is just a starting point.

Proposed update for Section 4.4.3:

4.4.3. Alignment and Extension Technologies

DMARC can be extended to incorporate authentication and authorization 
mechanisms that aid in the evaluation of DMARC policy. Any new authentication 
extensions must facilitate domain identifier extraction to enable verification 
of alignment with the RFC5322.From domain.

Authorization extensions address situations where the author domain differs 
from the signer domain, known as 3rd party signatures. The following 
Author::Signer domain authorization methods have been explored:

DomainKeys Identified Mail (DKIM) Authorized Third-Party Signatures (ATPS) 
Third-Party Authorization Label (TPA) [draft-otis-tpa-label-08]
Mandatory Tags for DKIM Signatures [draft-levine-dkim-conditional-04]
Delegating DKIM Signing Authority [draft-kucherawy-dkim-delegate-02]

The first two methods are DNS-based, while the latter two are non-DNS-based. 
All share the common objective of authorizing the 3rd party signature. The ATPS 
proposal is the simplest method and has demonstrated success in practice by 
reducing false positive failure results when a valid and unverified but ATPS 
authorized 3rd party signer is present in a message. MDA receivers should 
consider using ATPS to verify 3rd party signatures.

Proposed new Appendix A.8:

A.8 Mailing List Servers

Mailing List Servers (MLS) applications that are compliant with DMARC 
operations SHOULD adhere to the following guidelines for DMARC integration:

Subscription and Submission Controls:

MLS subscription processes should perform a DMARC check to determine if the 
subscribing or submitting email domain's DMARC policy is restrictive regarding 
mail integrity changes or 3rd party signatures. The MLS SHOULD only allow 
subscriptions and submissions from original domain policies that permit 3rd 
party signatures with a p=none policy.

Message Content Integrity Change:

List Servers that alter the message content SHOULD only do so for original 
domains with optional DKIM signing practices. If the List Server does not alter 
the message, it SHOULD NOT remove the signature, if present.

Security Tear Down:

The MLS SHOULD NOT compromise the author's security by changing the authorship 
address (From) domain. Instead, it should apply subscription/submission 
controls. However, if circumstances necessitate a From rewrite, the rewrite 
with a new address SHOULD maintain the same level of security as the original 
submission to avoid potential Replay and Display Name Attacks.

Please let me know your thoughts on these proposed updates and whether they can 
be integrated into the DMARCbis documentation.

Best regards,

Hector Santos
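The two lookups the proposal leans on, as an added example that is not part of the original post or of any DMARCbis or ATPS draft text: the DMARC policy check an MLS would run at subscription or submission time under the proposed Appendix A.8 rule (only p=none, or no published policy, permits 3rd-party signing), and the receiver-side ATPS (RFC 6541) authorization lookup from Section 4.4.3 that lets an unaligned but authorized 3rd-party DKIM signature satisfy DMARC. DNS is replaced by a constructed in-memory zone so the script runs offline; the exact form of the ATPS label (base32 of SHA-256 over the signer domain, padding stripped) and of the record (`v=ATPS1; d=<signer>`) are this example's reading of RFC 6541 and should be checked against the RFC before being relied on. All domains, records and function names are constructed for illustration.

```python
"""Added example: DMARC policy check for an MLS and ATPS 3rd-party authorization.

Not the original post's text nor any draft's normative code.  DNS is simulated
with a constructed in-memory zone so the script runs without network access.
"""
import base64
import hashlib

# Constructed TXT records standing in for a real resolver (keys are lowercase).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:rpt@example.net",
}


def txt_lookup(name):
    """Return the TXT record for `name`, or None (stand-in for a DNS query)."""
    return FAKE_DNS.get(name.lower())


def parse_tag_value(record):
    """Parse a 'k=v; k=v' style record (DMARC, ATPS) into a dict, keys lowercased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(domain):
    """Return the published p= value ('none', 'quarantine', 'reject') or None."""
    record = txt_lookup(f"_dmarc.{domain}")
    if record is None:
        return None
    tags = parse_tag_value(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags.get("p", "").lower() or None


def mls_may_accept(author_domain):
    """Proposed A.8 control: accept a subscription/submission only when the
    author domain publishes p=none or no DMARC policy at all."""
    return dmarc_policy(author_domain) in (None, "none")


def atps_label(signer_domain):
    """ATPS DNS label: base32(SHA-256(lowercased signer domain)) with '=' padding
    removed (assumed reading of RFC 6541; 52 characters for SHA-256)."""
    digest = hashlib.sha256(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=")


# Constructed ATPS record: example.net authorizes listserv.example as a signer.
FAKE_DNS[f"{atps_label('listserv.example')}._atps.example.net".lower()] = (
    "v=ATPS1; d=listserv.example"
)


def atps_authorized(author_domain, signer_domain):
    """Receiver-side check: does `author_domain` publish an ATPS record whose
    d= tag names `signer_domain`?  Anything missing or mismatched is a refusal."""
    record = txt_lookup(f"{atps_label(signer_domain)}._atps.{author_domain}")
    if record is None:
        return False
    tags = parse_tag_value(record)
    return (tags.get("v", "").upper() == "ATPS1"
            and tags.get("d", "").lower() == signer_domain.lower())


def evaluate_dkim_for_dmarc(from_domain, dkim_d, dkim_valid):
    """Return (result, reason) for one DKIM signature against the RFC5322.From
    domain.  A valid signature passes if d= is aligned (same domain, or a
    subdomain under relaxed alignment); an unaligned signer passes only when the
    From domain has authorized it via ATPS, which is the false-positive reduction
    the proposal describes."""
    if not dkim_valid:
        return "fail", "signature did not verify"
    fd, sd = from_domain.lower(), dkim_d.lower()
    if sd == fd or sd.endswith("." + fd):
        return "pass", "aligned DKIM signature"
    if atps_authorized(fd, sd):
        return "pass", f"3rd-party signer {sd} authorized via ATPS"
    return "fail", f"unaligned 3rd-party signer {sd} not authorized"


if __name__ == "__main__":
    for dom in ("example.com", "example.net", "nodmarc.example"):
        print(f"{dom}: p={dmarc_policy(dom)} -> MLS may accept: {mls_may_accept(dom)}")
    print(evaluate_dkim_for_dmarc("example.net", "listserv.example", True))
    print(evaluate_dkim_for_dmarc("example.com", "listserv.example", True))
```

The subscription control deliberately treats a missing DMARC record the same as p=none, since neither asks receivers to act on an unaligned signature; a deployment that wants to be stricter can change that single membership test. The receiver path only consults ATPS after alignment has already failed, so an aligned signature never incurs the extra DNS query.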

dmarc mailing list