On Wed 29/Jul/2020 19:34:48 +0200 Hector Santos wrote:
On 7/28/2020 1:19 PM, Doug Foster wrote:
Hector, I do not understand this comment:

"The DKIM Policy Model since ADSP lacked the ability to authorize 3rd party domains. DMARC did not address the problem and reason ADSP was abandoned. Hence the on-going dilemma."


[...]

We have DKIM Policy extension proposals like ATPS (RFC6541) that offers a deterministic method to associate the author domain with 3rd party signer domains. This authorization is defined by the Originating, Author Domain.

Look at my DMARC record for my isdg.net domain:

v=DMARC1; p=reject; atps=y; rua=mailto:dmarc-...@isdg.net; ruf=mailto:dmarc-...@isdg.net;

The atps=y tells an ATPS compliant receiver that if it sees a 3rd party domain signature:

   Author Domain IS NOT EQUAL TO Signer Domain

Then it can do an ATPS lookup:

    base32(sha1(SIGNER-DOMAIN))._atps.isdg.net

So if I wanted to authorize bayviewphysicians.com to be able to sign for me, I would go to the wizard https://secure.winserver.com/public/wcdmarc, enter your domain in the list of authorized signers, click Zone Record and I get a record I can add to my isdg.net zone:

e25dhs2vmyjf2tc2df4efpeu7js7hbik._atps  TXT ("v=atps01; d=bayviewphysicians.com;")

So anyone out there can see that I authorized bayviewphysicians.com to sign for isdg.net.


Isn't that overly complicated? Why SHA1? An alternative method to authorize 3rd parties is RHSWLs, see my previous post[*]. By comparison with the above quote, assume we have:

    From: some...@example.com
    Sender: a...@example.net

The DMARC record at example.com:

    v=DMARC1; p=reject; snd=lst.rhswl.example; rua=mailto:r...@example.com;

The snd=lst.rhswl.example tells a compliant receiver that if it sees a 3rd party authentication (either SPF or DKIM) of the Sender: domain, where:

    From: domain IS NOT EQUAL TO Sender: domain

Then it can do a right-hand side whitelist lookup:

    example.net.lst.rhswl.example

If the record exists, then example.net is authorized to send on behalf of example.com.


Features:

* Absence of cryptographic stuff (sha1) makes it simpler.

* A multi-domain bank (Autumn's example) can easily build its own RHSWL containing all and only their domains, e.g.:

  firstbrand.com.lst.mainbrand.com  IN A 127.0.0.2
  secondbrand.com.lst.mainbrand.com IN A 127.0.0.2

* Large free-email domains can build their own RHSWL so as to avoid the MLM problem.

* Lazy mail domains can easily point to a public RHSWL which lists almost all the legitimate Internet.

* Strictly transactional domains can still keep snd=none (the default).

* Experimenting domains can have p=none; snd=lst.in-progress.example; while they monitor aggregate reports to see how their list is doing.


Best
Ale
--

[*] https://mailarchive.ietf.org/arch/msg/dmarc/jQlUhE-ijiWeb1CybKy6367eVn8
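Added example (not code from either poster nor from any ATPS or RHSWL implementation): a receiver-side check in Python that builds the two kinds of DNS query names discussed above, the ATPS name base32(sha1(signer))._atps.author from Hector's message and the RHSWL name sender-domain.list-zone from Ale's, and resolves them against a constructed in-memory zone table standing in for real DNS. Assumptions: the signer domain is lowercased before hashing (RFC 6541 leaves the domain as the hash input; lowercasing is added here because DNS names are case-insensitive), an A record at the RHSWL name means "listed", and the ATPS record's d= tag must name the signer, which guards against a hash collision producing a false match. The isdg.net ATPS record in the table is generated with the same atps_label function, so running atps_label("bayviewphysicians.com") lets a reader compare the output against the label in Hector's zone record.

```python
import base64
import hashlib
from typing import Dict, Optional

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def atps_label(signer_domain: str) -> str:
    """ATPS label per RFC 6541 with the SHA-1 hash: base32(sha1(domain)).

    Lowercasing before hashing is an assumption made in this example.
    SHA-1 yields 20 bytes, so base32 gives exactly 32 characters with no
    padding; rstrip is kept for clarity only.
    """
    digest = hashlib.sha1(signer_domain.lower().encode("ascii")).digest()
    return base64.b32encode(digest).decode("ascii").lower().rstrip("=")


def atps_query_name(signer_domain: str, author_domain: str) -> str:
    """<label>._atps.<author domain>, the name the ATPS verifier queries."""
    return f"{atps_label(signer_domain)}._atps.{author_domain.lower()}"


def rhswl_query_name(sender_domain: str, list_zone: str) -> str:
    """<sender domain>.<list zone>, the right-hand side whitelist name."""
    return f"{sender_domain.lower()}.{list_zone.lower()}"


def parse_tags(record: str) -> Dict[str, str]:
    """Parse 'k=v; k=v;' tag-value text as used by DMARC and ATPS records."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


# Constructed zone data for the example (hypothetical records, not live DNS).
ZONE_DATA: Dict[str, str] = {
    "_dmarc.isdg.net": "v=DMARC1; p=reject; atps=y;",
    atps_query_name("bayviewphysicians.com", "isdg.net"):
        "v=atps01; d=bayviewphysicians.com;",
    "_dmarc.example.com": "v=DMARC1; p=reject; snd=lst.rhswl.example;",
    "example.net.lst.rhswl.example": "127.0.0.2",
    "_dmarc.example.org": "v=DMARC1; p=reject;",
}


def third_party_authorized(author_domain: str, signer_domain: str,
                           dns: Dict[str, str]) -> Optional[str]:
    """Decide whether signer_domain may act for author_domain.

    Returns "first-party" when the domains match, "atps" or "rhswl" when
    one of the two mechanisms authorizes the signer, and None otherwise.
    """
    author = author_domain.lower()
    signer = signer_domain.lower()
    if author == signer:
        return "first-party"
    dmarc = dns.get(f"_dmarc.{author}")
    if dmarc is None:
        return None
    policy = parse_tags(dmarc)

    # ATPS: hashed-label lookup, then confirm d= names the same signer.
    if policy.get("atps") == "y":
        txt = dns.get(atps_query_name(signer, author))
        if txt is not None and parse_tags(txt).get("d", "").lower() == signer:
            return "atps"

    # RHSWL: plain lookup under the list zone named by the snd= tag.
    list_zone = policy.get("snd", "none")
    if list_zone != "none" and dns.get(rhswl_query_name(signer, list_zone)):
        return "rhswl"
    return None


if __name__ == "__main__":
    print("ATPS label for bayviewphysicians.com:",
          atps_label("bayviewphysicians.com"))
    for author, signer in [("isdg.net", "bayviewphysicians.com"),
                           ("example.com", "example.net"),
                           ("example.org", "example.net")]:
        print(author, "<-", signer, "=>",
              third_party_authorized(author, signer, ZONE_DATA))
```

The collision guard matters for the ATPS branch only: a 32-character label collides on SHA-1 output, not on the domain, so a verifier that skips the d= comparison would accept any record whose label happens to match. The RHSWL branch needs no such check, because the signer's own name is the label.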
_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc