Re: [dmarc-ietf] draft-levine-dkim-conditional-02
Steve Atkins writes:

> How much of a barrier to entry to new or small mailing list providers
> (or new domains being used there) does this cause?

That depends on how badly a missing conditional signature "deprecates" a list. There are three ways deprecation can happen:

1. By reducing the risk of false positives, recipients may be encouraged to lower the threshold at which a message is considered spam. I think that is unlikely to be a strong effect.

2. Some recipient domains may be tempted to *add* "spamminess" to indirect messages without conditional signature, rather than *subtract* (or in addition to subtracting) spamminess in the presence of a valid conditional signature. I don't know how likely that is to be a significant effect, but it seems unlikely to me at the current p=reject domains.

3. Some recipient domains may be encouraged to specify p=reject DMARC policies. I think this unlikely.

So yes, there is obviously a competitive advantage to lists that are already on the "conditional signature" list of providers that specify p=reject. But I don't think it raises a new barrier to entry for small/new lists.

Steve

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
> On Sep 30, 2015, at 5:39 PM, John Levine wrote:
>
>>> The local signer here must know this message goes to dmarc@ietf.org
>>> and add a signature including "!fs=ietg.org"
>>
>> An average email author cannot be relied on to cause this setting to be
>> made.
>
> Quite correct. I would expect conditional signatures to be applied by
> large mail systems, using their private list of domains that look like
> mailing lists to decide who gets them.

How much of a barrier to entry to new or small mailing list providers (or new domains being used there) does this cause?

> From the past couple of years of discussion, it is clear that all of
> the large mail systems already have such a list of domains, so the
> implementation should be straightforward.
>
> Small domains may not, in which case there's a variety of ways they
> could approximate it, e.g., sniff incoming mail for stuff that looks
> like list mail to create a list, cooperate on a shared database of
> mailing list domains, or most likely admit that they are too small to
> be phish targets so publishing a DMARC policy is counterproductive.

Cheers,
Steve
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
I would expect conditional signatures to be applied by large mail systems, using their private list of domains that look like mailing lists to decide who gets them. From the past couple of years of discussion, it is clear that all of the large mail systems already have such a list of domains, so the implementation should be straightforward.

Some degree of documenting this requirement and its plausible solution(s) is called for, in order to establish that the model being pursued here has a reasonable chance of being viable.

I'll try and collect some data at MAAWG next month and rev the draft.

Regards,
John Levine, jo...@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
On 9/30/2015 5:39 PM, John Levine wrote:
> I would expect conditional signatures to be applied by
> large mail systems, using their private list of domains that look like
> mailing lists to decide who gets them.
>
> From the past couple of years of discussion, it is clear that all of
> the large mail systems already have such a list of domains, so the
> implementation should be straightforward.

Some degree of documenting this requirement and its plausible solution(s) is called for, in order to establish that the model being pursued here has a reasonable chance of being viable.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
>> The local signer here must know this message goes to dmarc@ietf.org
>> and add a signature including "!fs=ietg.org"
>
> An average email author cannot be relied on to cause this setting to be
> made.

Quite correct. I would expect conditional signatures to be applied by large mail systems, using their private list of domains that look like mailing lists to decide who gets them.

From the past couple of years of discussion, it is clear that all of the large mail systems already have such a list of domains, so the implementation should be straightforward.

Small domains may not, in which case there's a variety of ways they could approximate it, e.g., sniff incoming mail for stuff that looks like list mail to create a list, cooperate on a shared database of mailing list domains, or most likely admit that they are too small to be phish targets so publishing a DMARC policy is counterproductive.

R's,
John
Re: [dmarc-ietf] Last call for WG comments on "Interoperability Issues Between DMARC and Indirect Email Flows"
- Original Message -
> From: "Rolf E. Sonneveld"
> To: "Tim Draegen"
> Cc: "dmarc"
> Sent: Wednesday, September 30, 2015 7:48:03 AM
> Subject: Re: [dmarc-ietf] Last call for WG comments on "Interoperability
> Issues Between DMARC and Indirect Email
> Flows"
>
> Hi, Tim,
>
> on Sep 7th, I sent a short review of -05, see
> https://www.ietf.org/mail-archive/web/dmarc/current/msg02942.html. I didn't
> see any response, the paragraph I suggested to remove (par. 3.2.5) is still
> present in -07. Can anyone comment on the suggestion to move section 3.2.5
> to some (future) BCP document?
>

I don't like to remove stuff that is still useful, and as I did not see any support for the removal to an hypothetical future BCP... But I'm happy to do a revision.
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
On 9/29/2015 1:08 PM, John Levine wrote:
> I refreshed this draft so it wouldn't expire. Not very different,
> mostly changed the @fs= to !fs= per Murray's suggestion.
>
> I still think this is the least broken way I've seen to let
> mailing lists coexist with DMARC.

I am going to look at adding support for this in our Wildcat! List Server package. Seems simple enough via a template system. Let's see how it works. Thanks for keeping it alive.

FWIW, I agree that this is technology we should pursue.

Ned
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
> The local signer here must know this message goes to dmarc@ietf.org
> and add a signature including "!fs=ietg.org"

An average email author cannot be relied on to cause this setting to be made.

There are multiple levels of knowledge and action that this setting requires and average end-users cannot be relied on to know or perform any of them.

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
John Levine:

> I still think this is the least broken way I've seen to let
> mailing lists coexist with DMARC.

reads like a good idea.

The local signer here must know this message goes to dmarc@ietf.org and add a signature including "!fs=ietg.org"

So opendkim in my case has to be extended to look up "rcpt domain" -> "!fs value"

Did I understand that correctly?

Andreas
Re: [dmarc-ietf] Last call for WG comments on "Interoperability Issues Between DMARC and Indirect Email Flows"
Hi, Tim,

on Sep 7th, I sent a short review of -05, see https://www.ietf.org/mail-archive/web/dmarc/current/msg02942.html. I didn't see any response, the paragraph I suggested to remove (par. 3.2.5) is still present in -07. Can anyone comment on the suggestion to move section 3.2.5 to some (future) BCP document?

/rolf

- Original Message -
> From: "Tim Draegen"
> To: "dmarc"
> Sent: Tuesday, September 29, 2015 4:34:44 PM
> Subject: [dmarc-ietf] Last call for WG comments on "Interoperability Issues
> Between DMARC and Indirect Email Flows"
>
> Hi All,
>
> The editing team deems this draft as ready for last call review.
> Here are the links to the recently posted v07:
>
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-dmarc-interoperability/
> >
> > There's also a htmlized version available at:
> > https://tools.ietf.org/html/draft-ietf-dmarc-interoperability-07
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-interoperability-07
>
> =- Tim
Re: [dmarc-ietf] Last call for WG comments on "Interoperability Issues Between DMARC and Indirect Email Flows"
> A sender that expects a message to be forwarded might put both a
> conventional DKIM signature and a signature with a !fs tag that
> refers to the domain name of the expected forwarder.
>
> require conventional, full DKIM signatures. Why? It seems to me that any
> DMARC authentication method could suffice. That is, the author domain (!fs
> signer) could be SPF authenticated by the MLM; and the MLM could be SPF
> authenticated by list recipients. No?

You're mixing levels here. dkim-conditional describes a new way to create a valid DKIM signature. I wouldn't want to try to describe how a DKIM validator is supposed to stop and take a detour through an SPF validator to decide what to do next.

R's,
John

PS: the draft looks fine to me
Re: [dmarc-ietf] draft-levine-dkim-conditional-02
On 9/29/2015 1:08 PM, John Levine wrote:
> I refreshed this draft so it wouldn't expire. Not very different,
> mostly changed the @fs= to !fs= per Murray's suggestion.
>
> I still think this is the least broken way I've seen to let
> mailing lists coexist with DMARC.

I am going to look at adding support for this in our Wildcat! List Server package. Seems simple enough via a template system. Let's see how it works. Thanks for keeping it alive.

--
HLS
Re: [dmarc-ietf] Last call for WG comments on "Interoperability Issues Between DMARC and Indirect Email Flows"
On Tue 29/Sep/2015 16:34:44 +0200 Tim Draegen wrote:
>
> The editing team deems this draft as ready for last call review.

Section 4.2 mentions dkim-conditional. (IMHO, the latter should be named draft-dmarc-dkim-conditional.) Both Section 4.2:

   This DKIM signature would come with the condition that a subsequent
   known domain fully DKIM sign the message.

and Section 4 of dkim-conditional:

   A sender that expects a message to be forwarded might put both a
   conventional DKIM signature and a signature with a !fs tag that
   refers to the domain name of the expected forwarder.

require conventional, full DKIM signatures. Why? It seems to me that any DMARC authentication method could suffice. That is, the author domain (!fs signer) could be SPF authenticated by the MLM; and the MLM could be SPF authenticated by list recipients. No?

In case the !fs signature is missing, it may be handy to have the resender issue a forensic report. That way, a sender could automatically set up its signing daemon to add a tag "!fs=mlm.example" to mail destined to, say, "list@mlm.example", where the latter address is extracted from that report.

jm2c
Ale
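
The condition quoted above from Section 4.2 and Section 4, together with the signer-side "rcpt domain" -> "!fs value" lookup raised elsewhere in the thread, sketched as an added example; it is not code from the draft, from OpenDKIM or from any poster. The forwarder table, the function names, the trimmed header values and the pre-computed `crypto_ok` flags are assumptions, and cryptographic verification itself is assumed to happen elsewhere.

```python
# Added illustration: names and sample data are constructed, not from the draft.

# Hypothetical signer-side table: recipient domain -> expected forwarder (!fs value).
KNOWN_FORWARDERS = {"ietf.org": "ietf.org", "mlm.example": "mlm.example"}

# Constructed header values, trimmed to the tags this sketch reads.
AUTHOR_COND = "d=author.example; s=s1; !fs=mlm.example; b=AAAA"
MLM_FULL = "d=mlm.example; s=k1; b=BBBB"
OTHER_FULL = "d=relay.example; s=k9; b=CCCC"


def fs_tag_for(rcpt):
    """Signer side: the "!fs=<domain>" tag to add for this recipient, or None."""
    domain = rcpt.rsplit("@", 1)[-1].lower().rstrip(".")
    fwd = KNOWN_FORWARDERS.get(domain)
    return f"!fs={fwd}" if fwd else None


def parse_tags(value):
    """Split a DKIM-Signature header value into tag=value pairs, dropping whitespace."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags["".join(key.split())] = "".join(val.split())
    return tags


def accepted_domains(signatures):
    """Verifier side. `signatures` is a list of (header_value, crypto_ok) pairs.
    A signature carrying !fs counts only if a conventional signature (no !fs)
    from the named forwarder domain also verified on the same message."""
    parsed = [(parse_tags(h), ok) for h, ok in signatures]
    full = {t["d"].lower() for t, ok in parsed
            if ok and t.get("d") and "!fs" not in t}
    cond = set()
    for t, ok in parsed:
        fs = t.get("!fs", "").lower()
        if ok and t.get("d") and fs and fs in full:
            cond.add(t["d"].lower())
    return full | cond
```

A conditional signature that arrives without the forwarder's own valid signature contributes no domain, so a copy replayed outside the named list gains nothing from it.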