Discussion:
DMARC
(too old to reply)
Neil Schwartzman
2013-03-18 22:53:44 UTC
Permalink
Some people think DMARC will save email (from what?) others think it breaks email because of mailing lists such as this one (which are a rare anachronism say some).

Discuss.

{waves at new sub Murray}
Steve Atkins
2013-03-18 22:59:50 UTC
Permalink
Post by Neil Schwartzman
Some people think DMARC will save email (from what?) others think it breaks email because of mailing lists such as this one (which are a rare anachronism say some).
Discuss.
OK, I'll bite.

"DMARC saves email from X". Solve for X.

DMARC helps divide mail into two groups.

The first is mail that is sent by a single entity, under tight (typically corporate) control, primarily by machines rather than humans and likely in high volume. Primarily B2C or B2B, whether it be bulk or "transactional".

The second is mail that is sent by other entities, including almost all person-to-person email, as well as some subset of malicious / unwanted email.

X is "being sent by human beings".

Cheers,
Steve
Dotzero
2013-03-19 00:24:44 UTC
Permalink
Neil trolling?
Post by Neil Schwartzman
Some people think DMARC will save email (from what?) others think it breaks email because of mailing lists such as this one (which are a rare anachronism say some).
Discuss.
{waves at new sub Murray}
DMARC is a tool that allows domain owners or agents to do a couple of
things - if you want saving, seek religious counsel.

1) DMARC enables authentication failure reporting from mailbox
providers that choose to participate. This provides insight into mail
claiming to be from them for senders that never had this sort of
visibility before. This insight includes mail that was actually sent
by the domain but failed to validate (aligned SPF or DKIM) or mail
that was not sent by the domain and failed to validate (aligned SPF or
DKIM).

2) DMARC provides a domain owner or agent the opportunity to express
(negative) policy regarding mail that fails to validate for either
aligned SPF or DKIM. This ability to express policy indicating a
receiver should either quarantine or reject (depending on the policy
published) provides protection against direct domain abuse.

Mike
Alessandro Vesely
2013-03-19 17:30:36 UTC
Permalink
Post by Dotzero
Post by Neil Schwartzman
Some people think DMARC will save email (from what?) others think
it breaks email because of mailing lists such as this one (which
are a rare anachronism say some).
Discuss.
{waves at new sub Murray}
DMARC is a tool that allows domain owners or agents to do a couple of
things - if you want saving, seek religious counsel.
1) DMARC enables authentication failure reporting from mailbox
providers that choose to participate. This provides insight into mail
claiming to be from them for senders that never had this sort of
visibility before.
That is its astounding, revolutionary feature, IMHO. With that
feedback, even faint hearts can specify strong policies.
Post by Dotzero
2) DMARC provides a domain owner or agent the opportunity to express
(negative) policy regarding mail that fails to validate for either
aligned SPF or DKIM. This ability to express policy indicating a
receiver should either quarantine or reject (depending on the policy
published) provides protection against direct domain abuse.
That's a confusing repetition of already available policies, dkim=all
and -all. Rejecting is never mandatory, thus the ability to whitelist
failed authentications with one another has always been granted. For
a simpler-is-better approach, message disposition specifications could
have limited to bolstering and clarifying existing policies.
Dotzero
2013-03-19 18:20:46 UTC
Permalink
Post by Alessandro Vesely
Post by Dotzero
Post by Neil Schwartzman
Some people think DMARC will save email (from what?) others think
it breaks email because of mailing lists such as this one (which
are a rare anachronism say some).
Discuss.
{waves at new sub Murray}
DMARC is a tool that allows domain owners or agents to do a couple of
things - if you want saving, seek religious counsel.
1) DMARC enables authentication failure reporting from mailbox
providers that choose to participate. This provides insight into mail
claiming to be from them for senders that never had this sort of
visibility before.
That is its astounding, revolutionary feature, IMHO. With that
feedback, even faint hearts can specify strong policies.
Post by Dotzero
2) DMARC provides a domain owner or agent the opportunity to express
(negative) policy regarding mail that fails to validate for either
aligned SPF or DKIM. This ability to express policy indicating a
receiver should either quarantine or reject (depending on the policy
published) provides protection against direct domain abuse.
That's a confusing repetition of already available policies, dkim=all
and -all. Rejecting is never mandatory, thus the ability to whitelist
failed authentications with one another has always been granted. For
a simpler-is-better approach, message disposition specifications could
have limited to bolstering and clarifying existing policies.
It is not simply a confusing repitition of available policies
Alessandro. There are several key differences. that are important. 1)
DMARC introduces the concept of alignment for SPF and DKIM 2) DMARC
policy only comes into effect when a message fails both (aligned) SPF
and DKIM. This provides additional robustness that is not available
when looking at ONLY SPF or DKIM.
Alessandro Vesely
2013-03-19 19:10:31 UTC
Permalink
Post by Alessandro Vesely
Post by Dotzero
2) DMARC provides a domain owner or agent the opportunity to express
(negative) policy regarding mail that fails to validate for either
aligned SPF or DKIM. This ability to express policy indicating a
receiver should either quarantine or reject (depending on the policy
published) provides protection against direct domain abuse.
That's a confusing repetition of already available policies, dkim=all
and -all. Rejecting is never mandatory, thus the ability to whitelist
failed authentications with one another has always been granted. For
a simpler-is-better approach, message disposition specifications could
have limited to bolstering and clarifying existing policies.
It is not simply a confusing repetition of available policies
Alessandro. There are several key differences. that are important. 1)
DMARC introduces the concept of alignment for SPF and DKIM 2) DMARC
policy only comes into effect when a message fails both (aligned) SPF
and DKIM. This provides additional robustness that is not available
when looking at ONLY SPF or DKIM.
It seemed to me that the alignment concept could go in the category of
bolstering and clarifying (otherwise it would be insane to whitelist
an spf=pass smtp.mailfrom=phisher.example; dkim-adsp=discard
header.from=bank.example). The confusing part comes when the extra
policy is not consistent, for example:

spf=softfail smtp.mailfrom=user.example;
dkim-adsp=unknown header.from=user.example

but the DMARC policy is reject --or the other way around, fail,
discard, and none, respectively. Mandate consistency and redundancy
becomes explicit.
Ian Eiloart
2013-03-20 11:43:23 UTC
Permalink
Post by Dotzero
….ed to bolstering and clarifying existing policies.
It is not simply a confusing repitition of available policies
Alessandro. There are several key differences. that are important. 1)
DMARC introduces the concept of alignment for SPF and DKIM 2) DMARC
policy only comes into effect when a message fails both (aligned) SPF
and DKIM. This provides additional robustness that is not available
when looking at ONLY SPF or DKIM.
It also means that mailing lists like this break SPF+DMARC, whereas they actually pass SPF alone. Which is a great shame, since most DKIM breakage occurs on lists like this (not this one, though).

So, without DMARC, and assuming full deployment of SPF and DKIM, recipient MTAs can do domain based reputation assignment based on either DKIM or SPF.

DMARC complicates that by insisting that the RFC5322.FROM header address being validated, on the basis that the FROM header is exposed to the end recipient, which is just not true for users of many modern mail clients (Apple Mail, Outlook, OWA, Gmail web access, Thunderbird, etc). All they expose (by default) is the description part, where it exists, the address otherwise.

And it gets worse: RFC 6854 proposes to permit group formats in From headers, so they can contain things like "undisclosed sender":; without an email address to check for alignment.
--
Ian Eiloart
Postmaster, University of Sussex
+44 (0) 1273 87-3148
Dave Crocker
2013-03-19 15:47:32 UTC
Permalink
Post by Neil Schwartzman
Some people think DMARC will save email (from what?) others think it breaks email because of mailing lists such as this one (which are a rare anachronism say some).
Steve and Mike's postings comments were compatible-but-different, by my
reading. I'll continue that trend:

DMARC provides a set of mechanisms that facilitate development of a
trust-overly between mail operators who work on behalf of a specific
type of content author, and the operators of receiving mailbox services.
The mechanisms integrate existing MTA-level authentication methods,
extending them to the RFC5322.From field, and providing guidance for
processing and reporting on received messages.

I think that Steve's characterization of the most-appropriate
sending-side candidates for using DMARC is reasonable.

d/
--
Dave Crocker
Brandenburg InternetWorking
bbiw.net
Continue reading on narkive:
Loading...