Re: [dmarc-ietf] p=quarantine

2020-12-13 Thread Dotzero 
On Sun, Dec 13, 2020 at 4:45 PM Douglas Foster <
dougfoster.emailstanda...@gmail.com> wrote:

> Based on this discussion, it seems evident that p=reject should include
> language about in-transit modifications which are outside the control of
> the source domain, and consequently outside the ability of DMARC to guide
> recipients.
>

And the buzzer goes off. Sources and modifications outside the control of
the domain in the RFC 5322 From is exactly what DMARC is addressing. That
is exactly the guidance that is being provided by a domain publishing a
DMARC record.

>
> Extending from that, I thought it would be helpful to specify some shared
> assumptions between sender and evaluator to make the interpretation of the
> settings less subjective.   I call this the "Minimum expected
> implementation at pct=100".
>

"Shared assumptions" is a poor assumption in writing a technical standard
for interoperability.



Having defined the policies/categories in these terms, the logical next
> step would be a best practices document which discusses how an evaluator
> might distinguish between direct messages, indirect unmodified messages,
> and indirect modified messages.   ARC obviously plays a role in making
> these distinctions easier to determine and less error-prone.
>

"Shared assumptions" are not definitions, they are hopes. Again, not a good
basis for a technical standard.

Michael Hammer
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

Re: [dmarc-ietf] p=quarantine

2020-12-13 Thread Douglas Foster 
Based on this discussion, it seems evident that p=reject should include
language about in-transit modifications which are outside the control of
the source domain, and consequently outside the ability of DMARC to guide
recipients.Extending from that, I thought it would be helpful to
specify some shared assumptions between sender and evaluator to make the
interpretation of the settings less subjective.   I call this the "Minimum
expected implementation at pct=100".

p=none
Minimum expected implementation at pct=100:
All first-party direct messages (RFC5321.MailFrom domain = RFC5322.From
domain) are verifiable using SPF, but may not have a DKIM signature.
Third-party direct messages ( RFC5321.MailFrom domain = RFC5322.From domain
) may or may not have DKIM signatures.
Consequently, indirect messages are often not verifiable using DMARC.

p=quarantine
Minimum expected implementation at pct=100:
All first-party direct messages (RFC5321.MailFrom domain = RFC5322.From
domain) are verifiable using SPF, but may not have a DKIM signature.
Third-party direct messages ( RFC5321.MailFrom domain = RFC5322.From domain
) are verifiable using DKIM signatures.
Consequently, indirect messages may or may not be verifiable, depending
whether the forwarded message included a signature.

p=reject
Minimum expected implementation at pct=100:
All first-party direct messages (RFC5321.MailFrom domain matches
RFC5322.From domain) are verifiable using SPF and DKIM.
Third-party direct messages ( RFC5321.MailFrom domain does not match
RFC5322.From domain ) are verifiable using DKIM signatures.
Indirect messages which are not modified in transit are verifiable using
DKIM signatures.
Indirect messages which are modified in transit are outside the scope of
DMARC and must be evaluated by other criteria available to the recipient
system.

Having defined the policies/categories in these terms, the logical next
step would be a best practices document which discusses how an evaluator
might distinguish between direct messages, indirect unmodified messages,
and indirect modified messages.   ARC obviously plays a role in making
these distinctions easier to determine and less error-prone.

Doug Foster


On Sat, Dec 12, 2020 at 1:42 PM Dave Crocker  wrote:

> On 12/11/2020 9:37 AM, John Levine wrote:
> > In article <1ac986ff-507b-4917-9c6d-d84e9337f...@wordtothewise.com> you
> write:
> > aligned is not authorized by the domain owner and may be discarded or
> rejected by the recipient.
> > Naah.
> >
> > p=reject: all mail sent from this domain should be aligned in a DMARC
> > compliant way. We believe that unaligned mail is from unauthorized
> > senders so we ask receivers to reject it, even though that might mean
> > some of our authorized senders' mail is rejected too.
>
>
> As soon as this specification text, here, contains language about how
> this information is to be used, should be used, or could be used, it
> crosses over into creating confusion about expectations of receiver
> handling.
>
> It encourages misguided language such as the receiver 'overriding'
> sender policy.  The sender has no policies about receiver behavior,
> because there is no relationship between them. Using milder language
> here doesn't help, because readers typically do not read like legal or
> technical scholars.
>
> DMARC provides information, not direction.
>
> The spec already contains misguided perspective by talking about
> 'policy' records and, even worse, "policy enforcement considerations".
>
> If the document must contain language about receiver choices in message
> disposition, move it to an overtly non-normative discussion section that
> legitimately covers a wide range of things that receivers do or don't do
> (cast as things they might or might not do.)  And make sure none of the
> language hints at sender 'policy', overrides, or the like.
>
>
> d/
>
> --
> Dave Crocker
> dcroc...@gmail.com
> 408.329.0791
>
> Volunteer, Silicon Valley Chapter
> American Red Cross
> dave.crock...@redcross.org
>
> ___
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

[dmarc-ietf] Messages from the dmarc list for the week ending Sun Dec 13 06:00:05 2020

2020-12-13 Thread John Levine 
   Count|  Bytes |  Who
++---
 35 (18.8%) | 267386 (16.8%) | Michael Thomas 
 29 (15.6%) | 150513 ( 9.5%) | John Levine 
 23 (12.4%) | 120702 ( 7.6%) | Alessandro Vesely 
 22 (11.8%) | 182969 (11.5%) | Dave Crocker 
 16 ( 8.6%) | 123376 ( 7.8%) | Murray S. Kucherawy 
  9 ( 4.8%) |  78677 ( 5.0%) | Dotzero 
  7 ( 3.8%) |  89468 ( 5.6%) | Brandon Long 
  7 ( 3.8%) |  48746 ( 3.1%) | Kurt Andersen (b) 
  6 ( 3.2%) |  79035 ( 5.0%) | Jesse Thompson 
  6 ( 3.2%) |  76614 ( 4.8%) | Seth Blank 
  5 ( 2.7%) |  64064 ( 4.0%) | Douglas Foster 

  4 ( 2.2%) |  38227 ( 2.4%) | Tim Wicinski 
  4 ( 2.2%) |  33903 ( 2.1%) | Hector Santos 
  3 ( 1.6%) |  58087 ( 3.7%) | Brotman, Alex 
  2 ( 1.1%) |  31305 ( 2.0%) | Marc Bradshaw 
  1 ( 0.5%) |  86915 ( 5.5%) | Дилян Палаузов 
  1 ( 0.5%) |  18931 ( 1.2%) | Laura Atkins 
  1 ( 0.5%) |  11186 ( 0.7%) | Alexey Melnikov 
  1 ( 0.5%) |   8929 ( 0.6%) | Rich Kulawiec 
  1 ( 0.5%) |   6568 ( 0.4%) | Dave Warren 
  1 ( 0.5%) |   5134 ( 0.3%) | Jim Fenton 
  1 ( 0.5%) |   3990 ( 0.3%) | Benny Pedersen 
  1 ( 0.5%) |   2333 ( 0.1%) | IETF Meeting Session Request Tool 


___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc