On Fri, Jul 16, 2021 at 5:32 AM Alessandro Vesely <ves...@tana.it> wrote:

> On Tue 13/Jul/2021 20:09:45 +0200 Todd Herr wrote:
> > On Tue, Jul 13, 2021 at 7:03 AM Douglas Foster wrote:
> >
> >
> > draft-ietf-dmarc-dmarcbis-02 instead starts with this text:
> >
> >     pct:  (plain-text integer between 0 and 100, inclusive; OPTIONAL;
> >        default is 100).  For the RFC5322.From domain to which the DMARC
> >        record applies, the "pct" tag is the percentage of messages
> >        producing a DMARC result of "fail" to which the Domain Owner
> >        wishes its preferred handling policy be applied.
> >
> > Since the concept of applying DMARC policy to messages that produce a
> > DMARC result of "pass" doesn't exist, it doesn't make sense to claim that
> > "pct" applies to the entire mailstream.
>
>
> Why not?  I'd say that a DMARC filter takes no action when dmarc=pass
> (except for setting Authentication-Results: and feedback data).  The
> policy requests noop on pass, and it is applied indeed.
>
>
I will continue to maintain that it makes no sense to talk about the
concept of applying DMARC policy to messages which pass DMARC validation
checks, especially in the context of the 'pct' tag.

In RFC 7489, the definitions of "quarantine" and "reject" both speak of
their application in terms of "email that fails the DMARC mechanism check".

So, for a DMARC record such as this:

_dmarc.foo.com IN TXT "v=DMARC1; p=quarantine; pct=X; rua=...."


I assert that the domain owner is requesting that X percent of the messages
that fail the DMARC mechanism check be subjected to the "quarantine"
policy.

To assert that the domain owner is instead asking only that DMARC
validation checks be performed on X percent of the messages runs the very
real risk of the pct mechanism being even less useful as a ratchet,
especially when X is small, because that X% of the total mailstream might
not contain any DMARC failures.

It occurs to me now that something like the following is considered a valid
DMARC record, and we should probably fix that:

_dmarc.foo.com IN TXT "v=DMARC1; p=none; pct=25; rua=...."


The fix would be to describe the 'pct' tag as only valid with p= quarantine
or reject, because "p=none, pct=X" is just a nonsensical way of writing
"p=none; pct=100", because you're going to get "none" on all failures
regardless.


> > Next, draft-ietf-dmarc-dmarcbis-02 contains a substantial rewrite of the
> > Message Sampling section (now section 6.7.4) that goes to great lengths
> > to attempt to show that the desired pct value really can't be counted on
> > to be applied as asked for, and what might actually happen could vary
> > widely from what's desired.
>
>
> I find that section excessively long and difficult.  It doesn't mention
> the key point that the percentage is more and more exact as the number of
> (failed) messages grows.  Indeed, pct=20 doesn't say that the policy should
> apply to one of /the first five/ messages.
>
>
Please suggest alternate text.

>
>
> The last paragraph of Section 6.7.4.2 seems to say that pct affects reporting:
>
>     *  "0" - A request that zero percent of messages producing a DMARC
>        "fail" result have the specified policy applied.  While this is
>        seemingly a non-sensical request, this value has been given
>        special meaning by some mailbox providers when combined with
>        certain "p=" values to alter DMARC processing and/or reporting for
>        the domain publishing such a policy.
>
> I'd remove "and/or reporting".
>
>
This section is an attempt to discuss the need for one to have a policy of
"p=quarantine; pct=0" to get accurate reporting from Google in the past,
and was mentioned during the last interim -
https://datatracker.ietf.org/doc/minutes-interim-2021-dmarc-01-202105270900/

Please suggest alternate text.

-- 

*Todd Herr* | Technical Director, Standards and Ecosystem
*e:* todd.h...@valimail.com
*m:* 703.220.4153

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
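The pct semantics argued for above (pct applied only to messages that fail the DMARC check, "p=none; pct=X" collapsing to "p=none; pct=100", and "p=quarantine; pct=0" meaning no failure is ever quarantined), as an added Python example that is not part of this thread or of any DMARC implementation. The hash-based sampler and the step-down of an unsampled failure to the next less strict policy are assumptions made here, the latter taken from RFC 7489 rather than from this thread.

```python
import hashlib

POLICIES = ("none", "quarantine", "reject")
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tags; pct defaults to 100 when absent."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICIES:
        raise ValueError("not a usable DMARC record: %r" % txt)
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        raise ValueError("pct must be a plain-text integer between 0 and 100")
    tags["pct"] = int(pct)
    return tags

def lint(record):
    """Warn about the two tag combinations the thread calls out."""
    warnings = []
    if record["p"] == "none" and record["pct"] != 100:
        warnings.append("pct=%d with p=none is just p=none; pct=100" % record["pct"])
    if record["p"] != "none" and record["pct"] == 0:
        warnings.append("pct=0 applies the policy to no failure; effective policy is " + STEP_DOWN[record["p"]])
    return warnings

def sampled(msg_id, pct):
    """Assumed stand-in for the receiver's random X% draw; hashed so runs repeat."""
    return int(hashlib.sha256(msg_id.encode()).hexdigest(), 16) % 100 < pct

def disposition(record, msg_id, dmarc_result):
    """pct applies only to 'fail' results; an unsampled failure gets the next less
    strict policy (RFC 7489 section 6.6.4 behaviour, not quoted in this thread)."""
    if dmarc_result != "fail":
        return "none"                  # a pass never has policy applied to it
    if sampled(msg_id, record["pct"]):
        return record["p"]
    return STEP_DOWN[record["p"]]

def apply_policy(txt, stream):
    """stream: iterable of (msg_id, dmarc_result) pairs -> {msg_id: disposition}."""
    record = parse_dmarc(txt)
    return {mid: disposition(record, mid, res) for mid, res in stream}

# Constructed sample stream: message ids with their DMARC evaluation results.
STREAM = [("m1", "pass"), ("m2", "fail"), ("m3", "fail"), ("m4", "pass"), ("m5", "fail")]
```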
