Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John Levine
In article you write: >What I'm struggling to understand is what having authenticated auth-res >from a previous hop helps. this is what i found: See some of the previous messages. My usual example is a mailing list message that fails DMARC at the final recipient but passed DMARC (as recorded in

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 4:13 PM, Brandon Long wrote: On Mon, Nov 23, 2020 at 12:48 PM Dave Crocker wrote: On 11/23/2020 12:15 PM, Brandon Long wrote: On Mon, Nov 23, 2020 at 11:53 AM Dave Crocker <dcroc...@gmail.com> wrote: DKIM often ties a domain to re

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 3:00 PM, Dave Crocker wrote: On 11/23/2020 2:58 PM, John R Levine wrote: And, again, when ARC work was pursued, I don't recall anyone claiming that mailing lists were (significant) sources of misbehavior. Well, OK.  Please feel free to provide footnoted documentation of what the ac

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 2:58 PM, John R Levine wrote: And, again, when ARC work was pursued, I don't recall anyone claiming that mailing lists were (significant) sources of misbehavior. Well, OK.  Please feel free to provide footnoted documentation of what the actual motivation for ARC was if you believe

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John R Levine
I believe that Brandon has specifically said that Gmail sees this problem and that is why whitelisting mail from mailing lists isn't adequate. And that constitutes "meaningfully document[ing]"? Works for me. I doubt I was the only person wondering why it needed all that mechanism when whitel

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 2:42 PM, John R Levine wrote: Forgive me but I believe misbehavior by mailing lists has never been meaningfully documented for this work.  Quite the contrary. I believe that Brandon has specifically said that Gmail sees this problem and that is why whitelisting mail from mailing

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John R Levine
You know that a message came from a mailing list because you have your list of IPs or DKIM signatures of lists you trust. Except that was not stated or, really, even implied in the text of the message I was replying to.  Rather, something like that seemed to be taken as an assumption, but with

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 1:27 PM, John Levine wrote: In article , Dave Crocker wrote: I believe, though, that the intent of ARC is that it be scalable in ways that manual enumeration of known legit mailing lists and forwarders is not. "if you know which hosts are legit" buries an assumption that is prob

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 12:48 PM, Dave Crocker wrote: This recent article also goes into things that DKIM signatures imply: https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John Levine
In article you write: >I suppose that an approach to building up an ARC reputation might be one >where over time a receiving site can compare indirect mail flow that is >purported to have X as an authenticated identifier with mail that comes >direct to the receiving site with X as an authenticate

Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup

2020-11-23 Thread John Levine
In article <9f388e33-c15d-9fcc-e9d3-d7719288f...@gmail.com> you write: >On 11/23/2020 1:04 PM, Jesse Thompson wrote: >> I meant to suggest that the requirement for a tree walk would be that the >> Organizational Domain would need to have that in its policy. >It seems like a decent compromise for

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John Levine
In article , Dave Crocker wrote: >> I believe, though, that the intent of ARC is that it be scalable in >> ways that manual enumeration of known legit mailing lists and >> forwarders is not. > >"if you know which hosts are legit" buries an assumption that is >problematic, namely that you know

Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup

2020-11-23 Thread Dave Crocker
On 11/23/2020 1:04 PM, Jesse Thompson wrote: I meant to suggest that the requirement for a tree walk would be that the Organizational Domain would need to have that in its policy. It seems like a decent compromise for the people worried about unnecessary DNS lookup overhead. Except that it c

Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread John Levine
In article <553d43c8d961c14bb27c614ac48fc0312811f...@umechpa7d.easf.csd.disa.mil> you write: >Even for .mil, the vast majority of email domains are fairly short with four >or fewer labels. Most of the other ones tend to be >individual servers that send automatic performance emails

Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup

2020-11-23 Thread Jesse Thompson
On 11/23/20 1:00 PM, Dave Crocker wrote: > On 11/23/2020 10:50 AM, Jesse Thompson wrote: >> Would it help if there was a new DMARC policy tag to trigger the tree walk? > > > policy tags are useful when one has a dmarc record that might contain it.  > the challenge here is to find that record. I

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 12:15 PM, Brandon Long wrote: This recent article also goes into things that DKIM signatures imply: https://blog.cryptographyengineering.com/2020/11/16/ok-google-please-publish-your-dkim-secret-keys/

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 12:15 PM, Brandon Long wrote: On Mon, Nov 23, 2020 at 11:53 AM Dave Crocker wrote: > Yes, of course, a handling agent can do it, but there are plenty of reasons > why they shouldn't. Please enumerate and explain.  If it's that dangerous

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 12:29 PM, John R Levine wrote: 1) A mailing list creates an auth-res on the incoming mail to the list 2) It modified the message 3) It resigns the message with DKIM 4) It is then delivered to the subscriber's mail server 5) The destination mail server can look at the incoming mes

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John R Levine
1) A mailing list creates an auth-res on the incoming mail to the list 2) It modified the message 3) It resigns the message with DKIM 4) It is then delivered to the subscriber's mail server 5) The destination mail server can look at the incoming message including the mailing list's auth-res a

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 12:09 PM, John R Levine wrote: Since this is an experiment, do we have an idea of what the rest of the problem is after the typical mailing list-like signature breakers are excluded? Sorry, this question makes no sense. The point of ARC is to deal with the kind of breakage that

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Brandon Long
On Mon, Nov 23, 2020 at 11:53 AM Dave Crocker wrote: > On 11/23/2020 11:42 AM, Brandon Long wrote: > > > > > > On Mon, Nov 23, 2020 at 11:34 AM Dave Crocker > > wrote: > > > > On 11/23/2020 11:29 AM, Brandon Long wrote: > > > The DKIM-Signature is an "ownership

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John R Levine
If auth-res is sometimes deleted, why wouldn't we expect the arc auth-res to not be deleted too? Please see RFC 7001, section 5. Since this is an experiment, do we have an idea of what the rest of the problem is after the typical mailing list-like signature breakers are excluded? Sorry, thi

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 11:34 AM, Brandon Long wrote: From the other direction, one could say that ARC is a superset of A-R and DKIM with different purpose, and you might be able to subsume them into ARC, but you couldn't build ARC out of the originals. It seems to me that the superset involves exp

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 11:49 AM, Brandon Long wrote: I imagine that the vast majority of intermediaries that break signatures number exactly one extra domain, so it's not very hard to reconstruct the chain of custody from origin to destination. Assuming the intermediary resigns with th

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 11:42 AM, Brandon Long wrote: On Mon, Nov 23, 2020 at 11:34 AM Dave Crocker wrote: On 11/23/2020 11:29 AM, Brandon Long wrote: > The DKIM-Signature is an "ownership" thing, it's a message originator > that is saying > "associate

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 11:42 AM, Brandon Long wrote: Yes, responsibility is the proper word.  My point survives the word change. DKIM says the domain takes responsibility for the message, while ARC says the domain takes responsibility for evaluating the status of the message when they received and fo

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/23/20 11:28 AM, John R Levine wrote: From what I can tell, the main thing that ARC is doing is binding an auth-res to a dkim signature-like thing. But as I recall -- it's been a long time -- there were ordering requirements ala received headers for where new dkim-signatures and auth-res

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 11:29 AM, Brandon Long wrote: The DKIM-Signature is an "ownership" thing, it's a message originator that is saying "associate this message to me". That is not DKIM's semantics: "DomainKeys Identified Mail (DKIM) permits a person, role, or organization to claim some respons

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread John R Levine
From what I can tell, the main thing that ARC is doing is binding an auth-res to a dkim signature-like thing. But as I recall -- it's been a long time -- there were ordering requirements ala received headers for where new dkim-signatures and auth-res go in the header. Assuming my memory is corre

Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup

2020-11-23 Thread Dave Crocker
On 11/23/2020 10:50 AM, Jesse Thompson wrote: Would it help if there was a new DMARC policy tag to trigger the tree walk? policy tags are useful when one has a dmarc record that might contain it. the challenge here is to find that record. d/ -- Dave Crocker Brandenburg InternetWorking bbi

Re: [dmarc-ietf] Doing a tree walk rather than PSL lookup

2020-11-23 Thread Jesse Thompson
On 11/20/20 6:02 PM, John R Levine wrote: > Here's a draft about how DMARC might do a tree walk rather than look up an > organizational domain in the PSL. > > https://datatracker.ietf.org/doc/draft-levine-dmarcwalk/ Would it help if there was a new DMARC policy tag to trigger the tree walk? It

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Michael Thomas
On 11/22/20 11:56 AM, John R Levine wrote: On Sun, 22 Nov 2020, Michael Thomas wrote: The ARC signature has a sequence number so you can track the chain of custody.  You are right that it is similar to the DKIM signature but the extra overhead doesn't seem excessive. Did the wg consider just

Re: [dmarc-ietf] Second WGLC for draft-ietf-dmarc-psd: Definition of NP

2020-11-23 Thread Doug Foster
I was misinterpreting the language to require detection whether any host existed in the zone, rather than checking whether there is a host name which matches the domain name. Thank you to Murray for straightening me out. That aside, we still have a problem. The specification is applying

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 10:34 AM, Todd Herr wrote: Yes, but knowing it really was handled by who is saying it was handled by isn't the entirety of the problem. Of course.  But it helps (quite a lot) to be clear about what this specific mechanism does do. d/ -- Dave Crocker dcroc...@gmail.com 408.329

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Todd Herr
On Mon, Nov 23, 2020 at 12:02 PM Dave Crocker wrote: > On 11/23/2020 7:38 AM, Todd Herr wrote: > > On Mon, Nov 23, 2020 at 9:50 AM Joseph Brennan > wrote: > On Sat, Nov 21, 2020 at 7:14 PM John Levine wrote: > >> >> >>> This also means that ARC isn't useful if you don't have a reputation s

Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Jesse Thompson
On 11/23/20 8:28 AM, eric.b.chudow.civ=40mail@dmarc.ietf.org wrote: > Even for .mil, the vast majority of email domains are fairly short with four > or fewer labels. Most of the other ones tend to be individual servers that > send automatic performance emails, and I think should be considered

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 9:15 AM, Doug Foster wrote: ARC tells me that somebody changed some data, but it does not tell me which MTA performed the forwarding operation, added content, or performed address rewriting.  If we could get HELO names into the ARC data, then those names could be correlated with t

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Doug Foster
My wishlist for ARC: ARC tells me that somebody changed some data, but it does not tell me which MTA performed the forwarding operation, added content, or performed address rewriting. If we could get HELO names into the ARC data, then those names could be correlated with the Received header

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Dave Crocker
On 11/23/2020 7:38 AM, Todd Herr wrote: On Mon, Nov 23, 2020 at 9:50 AM Joseph Brennan wrote: On Sat, Nov 21, 2020 at 7:14 PM John Levine wrote: This also means that ARC isn't useful if you don't have a reputation

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Todd Herr
On Mon, Nov 23, 2020 at 9:50 AM Joseph Brennan wrote: > >> On Sat, Nov 21, 2020 at 7:14 PM John Levine wrote: >> >>> >>> > >> This also means that ARC isn't useful if you don't have a reputation >>> system to tell you where the lists and other forwarders that might add >>> legit ARC signatures a

Re: [dmarc-ietf] ARC questions

2020-11-23 Thread Joseph Brennan
> > > > > On Sat, Nov 21, 2020 at 7:14 PM John Levine wrote: > >> >> > This also means that ARC isn't useful if you don't have a reputation >> system to tell you where the lists and other forwarders that might add >> legit ARC signatures are. >> > > And if you know which hosts are legit mailing l

Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Chudow, Eric B CIV NSA DSAW (USA)
Even for .mil, the vast majority of email domains are fairly short with four or fewer labels. Most of the other ones tend to be individual servers that send automatic performance emails, and I think should be considered more of an edge case and less of our concern. Thanks, Eric Chudow DoD

Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Douglas E. Foster
My longest addresses are from SalesForce.com, with 6 segments. Relatively small dataset. From: Laura Atkins Sent: 11/23/20 8:19 AM To: "Murray S. Kucherawy" Cc: IETF DMARC WG Subject: Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ie

Re: [dmarc-ietf] tree walk and Org and PSD, Second WGLC for draft-ietf-dmarc-psd

2020-11-23 Thread Laura Atkins
> On 22 Nov 2020, at 06:06, Murray S. Kucherawy wrote: > > On Sat, Nov 21, 2020 at 6:23 PM John Levine > wrote: > It is my impression that most real From: domains are pretty short. I > don't think I've ever seen one more than four labels long that wasn't > deliberately

Re: [dmarc-ietf] Messages from the dmarc list for the week ending Sun Nov 22 06:02:35 2020

2020-11-23 Thread Alessandro Vesely
I just checked one message for each author, from my folder. Some domains alternately pass and fail. With a few tweaks, all author signatures on this list would reliably pass. Best Ale On 22/11/2020 12:00, John Levine wrote: > Count| Bytes | Who > +-