Re: [dmarc-ietf] Fwd: New Version Notification for draft-srose-dkim-ecc-00.txt

2017-04-07 Thread Terry Zink
One reason transitions are difficult is because of implementation and deprecation ambiguity. If there’s no reason to move other than best practice, then no one will (or not enough will move). Maybe we can build timelines into the updates. By Jan 1, 2019, receivers SHOULD (MUST?) no longer support

Re: [dmarc-ietf] Feedback requested: draft-davids-dmarc-fi-tag

2016-11-24 Thread Terry Zink
As a representative of a large email receiver, here's what I think: 1. This is basically an attempt to solve the capacity problem - a burst of email can overwhelm a DMARC reporting mechanism, and therefore proposes a way to tell the DMARC-report generator to "wait a few seconds, minutes, or

Re: [dmarc-ietf] [ietf-dkim] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

2016-11-16 Thread Terry Zink
> This means ARC will be needed not only for mailing lists which modify the header or body of an email, but for EVERY mailing list and EVERY forwarded email or EVERYTIME the recipient has been modified and the email leaves the ADMD boundary. From a DMARC point of view DKIM will

Re: [dmarc-ietf] [ietf-dkim] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

2016-11-15 Thread Terry Zink
failures [1], this proposal is not all that appealing. :-\ -- Terry [1] We are working on a fix for this. -Original Message- From: Dave Crocker [mailto:dcroc...@gmail.com] Sent: Tuesday, November 15, 2016 5:53 PM To: Terry Zink <tz...@exchange.microsoft.com>; dmarc@ietf.org;

Re: [dmarc-ietf] [ietf-dkim] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

2016-11-15 Thread Terry Zink
This may be a dumb question, but if a DKIM-signature includes the original recipient, then wouldn’t that break the DKIM signature if the original MTA forwards it to another receiver even if they don’t modify any parts of the message? How would people forward their email? From: dmarc

Re: [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)

2016-11-04 Thread Terry Zink
with it. In this email discussion, I hit Reply-All and includes Ted on the To:, and dmarc@ietf.org and i...@ietf.org on the cc. From: Ted Lemon [mailto:mel...@fugue.com] Sent: Friday, November 4, 2016 2:23 PM To: Terry Zink <tz...@exchange.microsoft

Re: [dmarc-ietf] Identification of an email author (was - Re: IETF Mailing Lists and DMARC)

2016-11-04 Thread Terry Zink
am. If I were to get an email from someone (or I guess myself) on this list like this: From: Terry Zink via IETF-DMARC <dmarc@ietf.org> This already happens from other lists I am on, I don’t think twice about it. I sort of even think “Hey, that works better for me!” And if there were

Re: [dmarc-ietf] IETF Mailing Lists and DMARC

2016-11-03 Thread Terry Zink
>> I've seen comments that people who were on Yahoo can fortunately go to Gmail. What happens when Gmail publishes a p=reject like they said they were going to?
> They have said multiple times that they won't do so until ARC is up and working. If they're lying, well, we're all schrod.

Re: [dmarc-ietf] IETF Mailing Lists and DMARC

2016-11-02 Thread Terry Zink
>> There is a proposed standard, ARC, that would allow mail receivers to do more intelligent whitelisting. It's not ready yet.
> There is a third option --- which is that if you want to participate on certain mailing lists, you have to use a non-DMARC e-mail address. There are people

Re: [dmarc-ietf] ARC and weak signatures (again)

2016-08-23 Thread Terry Zink
> O365 may also have a ton, but again, probably whitelistable as a single entity

We’re trying to get this signed by groups.office.net. -- Terry From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Brandon Long Sent: Tuesday, August 23, 2016 5:20 PM To: Alessandro Vesely Cc: dmarc-ietf

Re: [dmarc-ietf] I-D Action: draft-akagiri-dmarc-virtual-verification-00.txt

2016-03-18 Thread Terry Zink
> I'm more concerned that the implementation at Microsoft does not reject the message when p=reject but move the email to the spam folder (with all payloads disabled, etc...)

It’s done this way because it works better for our overall user base than flat-out rejecting the message in SMTP.

Re: [dmarc-ietf] I-D Action: draft-akagiri-dmarc-virtual-verification-00.txt

2016-03-15 Thread Terry Zink
+1 to virtual DMARC, -1 to the arguments against it. Office 365 already supports something like this for our customers to cut down on Business Email Compromise. Maybe 5% of our customers have DMARC records, yet we treat all inbound email destined to them as having p=quarantine and then we

Re: [dmarc-ietf] Responses to comments on draft-ietf-dmarc-interoperability-08.txt

2015-11-10 Thread Terry Zink
> OTOH, conditional signatures have been discussed for more than five years (my dkim-joint-sigs I-D was in 2010), an implementation exists, albeit alpha (Murray's OpenDKIM 2.11.0), and we seem to have a candidate WG document (John's dkim-conditional-02) which would match the charter's

Re: [dmarc-ietf] Two new internet-drafts related to forwarded email

2015-10-18 Thread Terry Zink
The idea behind ARC is similar to the idea behind John Levine's Conditional DKIM but it does it in a different way. Suppose the path is like this: A --> B --> C C sees that the message comes "from" A originally but can't verify either A's SPF or DKIM. However, B (who sent the message to C)

Re: [dmarc-ietf] draft-levine-dkim-conditional-02

2015-10-08 Thread Terry Zink
I'm not sure what Hotmail does currently, but it won't matter in the long run because the email infrastructure is moving over to Office 365. The DKIM code there will interpret a v=2 as an invalid signature. -- Terry -Original Message- From: dmarc [mailto:dmarc-boun...@ietf.org] On

Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

2015-05-20 Thread Terry Zink
The challenge here is that the second signer may not have anything to do with the message. Not sure I follow this comment. The first signer says that there will be a second signer, and the second signer must be the one the first signer said. Sounds like the second signer has (almost)

Re: [dmarc-ietf] Weaker single author signature

2015-05-20 Thread Terry Zink
signature On 5/20/15 10:32 AM, Terry Zink wrote: If this hack essentially weakens a DKIM signed message so that it can survive the transport, the MLM changes and the final destination. then why not just do create this weakness with just one original v1 signature using the i= (AUID) to pass

Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

2015-05-19 Thread Terry Zink
To: Terry Zink Cc: Scott Kitterman; dmarc@ietf.org Subject: Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy On Tue, May 19, 2015 at 9:19 AM, Terry Zink tz...@exchange.microsoft.com wrote: I would think you'd have to. There's

Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

2015-05-19 Thread Terry Zink
Yeah, sorry, I confused the t= with x= in the DKIM signature. -- Terry From: Murray S. Kucherawy [mailto:superu...@gmail.com] Sent: Tuesday, May 19, 2015 1:02 PM To: Terry Zink Cc: Scott Kitterman; dmarc@ietf.org Subject: Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries

Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

2015-05-19 Thread Terry Zink
I would think you'd have to. There's a replay risk that's unique to this type of signature, so I think treating them the same would be a naive approach. But is that something that an agent downstream of a verifier needs to know? A-R for SPF doesn't differentiate between -all and ~all, for

Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy

2015-05-18 Thread Terry Zink
: Murray S. Kucherawy superu...@gmail.com Sent: Monday, May 18, 2015 6:18 PM To: Terry Zink Cc: Dave Crocker; dmarc@ietf.org Subject: Re: [dmarc-ietf] Looking for degrees of freedom with Intermediaries - Effort and Policy On Mon, May 18, 2015 at 5:36 PM, Terry Zink tz...@exchange.microsoft.commailto:tz

Re: [dmarc-ietf] DMARC ATPS Interop Note

2015-05-10 Thread Terry Zink
I suppose the tl;dr version of my last reply is: The registration problem is not a red herring because it doesn't exist, but because it is intractable.  Thus, any response to the third-party problem that relies on a solution to that problem (which includes ATPS, DSAP, and TPA) is

Re: [dmarc-ietf] DMARC ATPS Interop Note

2015-05-09 Thread Terry Zink
The reliability aspect is realistic to set a high bar. The decision to allow unregulated users to publish to the zones of Hotmail.com/outlook.com/msn.com/live.com/Hotmail.ca/outlook.ca/live.ca... etc. is one that comes with its own security challenges. This now no longer a way to allow

Re: [dmarc-ietf] OpenDKIM ADSP, DMARC and ATPS support

2015-05-07 Thread Terry Zink
has millions of years Er, millions of users. -- Terry -Original Message- From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Terry Zink Sent: Thursday, May 7, 2015 5:16 PM To: Scott Kitterman; dmarc@ietf.org Subject: Re: [dmarc-ietf] OpenDKIM ADSP, DMARC and ATPS support Roughly

Re: [dmarc-ietf] OpenDKIM ADSP, DMARC and ATPS support

2015-05-05 Thread Terry Zink
What about some variant of the following using a revised version of John Levine's conditional DKIM (@fs=) draft? Here's the scenario. Joe User is an avid birdwatcher and joins the Birdwatchers in the northeast discussion group, b...@birdwatchers.org. He sends a

Re: [dmarc-ietf] OpenDKIM ADSP, DMARC and ATPS support

2015-05-05 Thread Terry Zink
Hmm, okay. I need to think through what I wrote a little more, then. I think I misunderstood somewhat your proposal. -- Terry -Original Message- From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of John R Levine Sent: Tuesday, May 5, 2015 1:24 PM To: Terry Zink Cc: dmarc@ietf.org

Re: [dmarc-ietf] OpenDKIM ADSP, DMARC and ATPS support

2015-05-05 Thread Terry Zink
and compare to the from address); and, requires some configuration changes to senders in DKIM but no code change (unless adding a second signature requires a code change). -- Terry From: Murray S. Kucherawy [mailto:superu...@gmail.com] Sent: Tuesday, May 5, 2015 12:39 PM To: Terry Zink Cc: John

Re: [dmarc-ietf] Indirect Mail Flow Solution Utility Analysis

2015-04-28 Thread Terry Zink
Who knows? Perhaps Yahoo and AOL would suffer user diaspora if they kept publishing p=reject and MLMs decided to be DMARC-compliant when reinjecting messages. I see a lot of Yahoo and AOL did this, Yahoo and AOL don't care, Yahoo and AOL pushed their problems onto everyone else, etc. I

Re: [dmarc-ietf] Dmarc-escape draft available

2015-04-23 Thread Terry Zink
: On 4/21/15 4:20 PM, Terry Zink wrote: Some quick comments: - Section 3 is really short. Some examples of how it would work would be nice. - Regarding this from section 3: This makes an assumption users employ Mail User Agents that display the identity contained in the Sender header

Re: [dmarc-ietf] Dmarc-escape draft available

2015-04-23 Thread Terry Zink
, either (Outlook being an exception). I don’t understand the flow of things for a Sender: header alignment that you propose. Is it something like this: Message 1 5321.MailFrom: tz...@example.com From: Terry Zink tz...@example.com Sender: Terry Zink tz...@example.com To: mailing list mailing-l

Re: [dmarc-ietf] Dmarc-escape draft available

2015-04-21 Thread Terry Zink
Some quick comments: - Section 3 is really short. Some examples of how it would work would be nice. - Regarding this from section 3: This makes an assumption users employ Mail User Agents that display the identity contained in the Sender header field when used as a basis for

Re: [dmarc-ietf] Publishing and Registration Concerns

2015-04-15 Thread Terry Zink
For the umpteenth time, the issue isn't managing a DNS zone. That's the easy part. The hard part is knowing what to put in it. Many companies, not even the really big ones, have thousands of domains. Go publish SPF, DKIM key, and DMARC records for 4,000 domains and then tell me it's

Re: [dmarc-ietf] Publishing and Registration Concerns

2015-04-14 Thread Terry Zink
On the other hand for other companies, Yes, I believe it is very feasible and manageable. So, maybe I'm missing something here on the idea of TPA and registration of mailing lists (in DNS), and mentioning Google Groups and how they can figure it out... but not every emailer controls the DNS

Re: [dmarc-ietf] Third Party Sender DMARC Adaptations

2015-04-02 Thread Terry Zink
What sorts of things do you want to see in an MUA? - Gmail says, of messages in the spam folder, “This message is here because others marked it as spam.” - If you enable it in Gmail, they also put a key beside authenticated messages - Outlook.com/Hotmail has a Green Shield in the List view next

Re: [dmarc-ietf] Next steps for RFC 7489 (DMARC)

2015-03-18 Thread Terry Zink
Based upon the almost complete lack of interest of bulk email providers at promoting a solution, it seems the path forward is to define a new non-aligned header field able to retain the author role information, otherwise the From is likely overwritten as the only practical means of ensuring

Re: [dmarc-ietf] Sending email on behalf of?

2015-03-10 Thread Terry Zink
Sender in its present incarnation is not particularly useful, period. I don't disagree. I just think Outlook's display makes it worse than useless. The Outlook client is used in many places - it hooks up with the Exchange MTA but also with multiple other mail services like Yahoo Mail,

Re: [dmarc-ietf] ... and two more tiny nits, while I'm at it

2015-01-20 Thread Terry Zink
7208 actually recommends that the HELO string be evaluated every time. http://trac.tools.ietf.org/html/rfc7208#section-2.3 They do say to check it both times but I don't agree with the rationale provided. Expanding on the excerpt that Laura provided: 2.3. The HELO Identity It is

[dmarc-ietf] ***SPAM*** 20.799 (5) Phishing attacks on the Display From

2014-12-11 Thread Terry Zink
[Apologies for the cross-post from the Antiphishing Working Group discussion alias, but there may be people on this list that are not on that list.] [[ I understand that this is currently outside the current focus of the Dmarc Working Group; we can shut this discussion down if the list owners

Re: [dmarc-ietf] Phishing attacks on the Display From

2014-12-11 Thread Terry Zink
Sent: Thursday, December 11, 2014 3:00 PM To: dmarc@ietf.org Cc: Terry Zink Subject: Re: [dmarc-ietf] Phishing attacks on the Display From 4. Anything else? Figure out how to display signed mail from famous brands in a distinctive way analogous to browser green bars, and tell people to look

Re: [dmarc-ietf] draft-kucherawy-dmarc-base

2014-11-05 Thread Terry Zink
Since SPF authorizes an often _shared_ outbound IP address, it has been accurately described as an authorization method. DMaRC permits a DKIM signature to be spoofed and still allow a message to be accepted solely on the basis of SPF. What magic turns authorization into

Re: [dmarc-ietf] Indirect mail flows: DKIM signature breakage by cloud anti-virus/spam provider

2014-09-15 Thread Terry Zink
S. Kucherawy [mailto:superu...@gmail.com] Sent: Monday, September 15, 2014 5:21 PM To: Terry Zink Cc: John Levine; dmarc@ietf.org; hen...@schack.dk Subject: Re: [dmarc-ietf] Indirect mail flows: DKIM signature breakage by cloud anti-virus/spam provider How will most mail clients know

Re: [dmarc-ietf] Draft DMARC working group charter

2014-07-01 Thread Terry Zink
I am in favor of it, as written, as well. -- Terry From: dmarc [mailto:dmarc-boun...@ietf.org] On Behalf Of Mike Jones Sent: Tuesday, July 1, 2014 11:20 AM To: Douglas Otis; Dave Crocker Cc: Pete Resnick; dmarc@ietf.org; Barry Leiba Subject: Re: [dmarc-ietf] Draft DMARC working group charter I

Re: [dmarc-ietf] So if you don't want a DKIM version bump ...

2014-06-19 Thread Terry Zink
It would be nice to have some concrete examples in the draft, I find those easier to follow than descriptions. So, maybe something like: DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=s1024; d=sender.example.com;

Re: [dmarc-ietf] Advice to MUA

2014-06-09 Thread Terry Zink
To repeat, UI/UX design is a specialty requiring extensive training in cognitive, memory and attention psychology, testing methodology and, oh yes, computer science. So I guess we will wait until Apples just does it, and then go and copy it, whichever side it falls. Your response is

Re: [dmarc-ietf] confusing 3rd party support so it remains out

2014-06-07 Thread Terry Zink
We (people with p=reject) went to all well known ESPs and asked them to send our emails with SPF and DKIM alignment with our domain. I did the same thing with microsoft.com (not every domain or brand at Microsoft, just microsoft.com). It took me six months. I'm going to be giving a talk

Re: [dmarc-ietf] DMARC's purpose

2014-04-17 Thread Terry Zink
Should we also document in this Murray's draft that MS-Exchange breaks DKIM on forwarding, inventory all the operational cases? 1. If a message is sent via Exchange with a 3rd party DKIM signer, then DKIM will not be broken if the next Exchange hop forwards. 2. Messages will be preserved