OAUTH vs. More careful forwarding -------------------------------------------- Pursuing both techniques makes the most sense. Some users may be unwilling (or not allowed) to store credentials in the target server, while being unwilling to do a manual operation to obtain their new messages.
Since OAUTH is a pull operation instead of a push, it provides several benefits: - Certainty that the forwarding target actually wants the message. - Near-certainty that the message will be accepted by the client system, since the pull bypasses the SMTP filtering process. This includes both sender authentication issues like DMARC as well as other content filtering applied by the forwarding target's domain. You point out the organizational politics will affect the process: - For consumer-focused services like Gmail and Hotmail, the user owns the data and has primary control over its disposition. - For centralized organizations (most large companies), the organization owns the data and can control its disposition. - For decentralized organizations like your university, control is effectively shared and negotiated. Forwarding Control Mechanism -------------------------------------- With any of the above political structures, I argue that the user should not have sole control over the forwarding process. Assume that UserA@DomainA wants to forward to UserB@DomainB: DomainA interests include: - If DomainB objects to the messages for any reason, it may blacklist DomainA and cause disruption to traffic other than this one user's messages. - The forwarding action may violate company confidentiality or organizational obligations to protect privacy of others (GDPR, PCI DSS, HIPPA, etc.) - DnmainA may want to assess whether the forwarding request is in good faith, and that it is not a mule account for exfiltration of data. DomainB and UserB@DomainB interests include: - Does UserB actually want these messages? - What if UserB is the victim of a typo? - What if the auto-forward is being implemented as an attack vector on UserB? - What if the auto-forward is going to a non-existent account because of a typo? DomainA would benefit from registering the forwarding configuration with DomainB: - So that if DomainB has more aggressive spam filtering, the blocked traffic will be blamed on the source and not on DomainA. - So that DMARC verification failures can be overlooked. - More generally, so that DomainB does not perceive UserA@DomainA as an open relay or other threat vector. - If the account is overquota or closed, DomainA has an interest in receiving notification of this event. Consequently, I think the protocol should be: - UserA@DomainA requests forwarding from his domain owner. - DomainA requires a confirming email from UserB@DomainB, which should be a trivial effort for UserA@DomainA to make happen. - DomainA decides how much to engage the domain owner of DomainB for purposes of registration and whitelisting. - Assuming that no veto is received, DomainA activates the forward. Outbound gateways can / should be used to enforce a domain's controls on the forwarding process. This is very different from what I have seen implemented in mail store products. Many systems allow any user to forward anywhere. Some systems allow the domain administrator to disable all forwarding from any account. I do not think I have seen admin-controlled selective forwarding, but others have more product experience than I do. Doug Foster -----Original Message----- From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Jesse Thompson Sent: Thursday, September 03, 2020 8:42 AM To: dmarc@ietf.org Subject: Re: [dmarc-ietf] AutoForward problems On 9/2/20 6:33 AM, Douglas E. Foster wrote: > For mailing lists, we have pushed the limits of authorization. But there is another class of problems where sender authorization is not feasible: mail which is auto-forwarded after a spam-filter has made content-altering changes. Yes, this is an increasing problem, as exemplified by the number of enterprises that have started tagging subjects and bodies with [External] warnings. Coupled with DMARC adoption, the ability for users to auto-forward successfully is shrinking. I realize that John's message in the other thread probably wasn't referencing auto-forwarding, but I think his point dovetails to the auto-forwarding issue: > As always, as I hope we all remember DMARC alignment doesn't mean not > spam, and you still do all of the stuff you do to sort your mail. > This scheme depends on the forwarders you authorize being > well-behaved. That's why I am concerned that senders need to be > selective about who they allow to forward. I am concerned with: a) It assumes that the domain owner has the ability and desire to authorize every potential forwarder, even though auto-forwarding is a user-level decision. b) It assumes that all potential forwarders check for authorization before forwarding -- essentially the same problem with the way most ESPs will use a domain in the From header without checking for authorization via DMARC. c) Selectively allowing forwarding at the user level is difficult because users are gonna do what they wanna do (you try telling faculty they can't forward). It's not the case that all enterprises want to prohibit all of their users from auto-forwarding (even though that's the answer you may get if you survey the CISO community) d) Selectively forwarding based on the knowledge of whether the forwarded message will reach the destination is challenging because the intermediary doesn't really know if it will succeed, and selectively forwarding in this way will lead to the user only seeing a subset of their messages being forwarded. This is essentially what's happening today (see my first sentence in this message), and I know users who are still bound and determined to auto-forward and they have just resigned themselves to the fact that they have to periodically check the intermediary mailbox for all of the messages that didn't survive the forward. > In the absence of such techniques, the forwarding system (or the outbound gateway) needs to be aware that a message has been forwarded after content-altering changes. When this is the case, the message either requires a known exception at the receiving system or a From address rewrite so the message will pass DMARC. At minimum, our DMARC specification should make this clear. I agree with this, however, I'm increasingly of the mindset that since this is a user-level issue, we should be thinking about solving it via OAuth mechanisms. Modern email services do support the ability to fetch from a mailbox, authorized via OAuth, so it might be easier to convince the downstream mailbox providers to enhance their fetching mechanisms to support the features that people expect of inbound mail (i.e. apply inbound filtering rules). The mailbox provider would still need a way to determine the original DMARC results, spam analysis, etc, but wouldn't that be easier to implement since the message is "frozen in time" and wasn't subjected to the altering changes implied by forwarding? Jesse _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc _______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
