On Thursday, April 17, 2014 8:22 AM, Murray S. Kucherawy wrote:
> For the "and" case, yes, that's possible to add if there's enough demand
> to add it. So far the people that have tried this are satisfied with the
> "or" logic.

making DMARC strictly based on OR-logic will get it obsolete as soon as someone finds a way to exploit any of the underlying mechanisms, and that's already possible, either through DKIM replay attack, or through spoofed SPF authentication, whichever serves an attacker better. and if DMARC gets expanded by any additional mechanism, it will just make it weaker, with OR-dependency.

> "I do not want alignment" is exactly the same as "I don't use DMARC"
> since DMARC is pretty much all about alignment. So, again, I don't
> understand why that's a useful thing to add.

it's not the same. DMARC is not just authentication, it's also about reporting and conformance. i would be perfectly happy to get my email checked against SPF and DKIM and processed in a standard-defined way, and receive reports on which i can then act. otherwise, DMARC has no benefits for me at all.

>> and it's a common practice, absolutely. whether it's formal or informal.
> What's an example?

i've already written about it. someone using yahoo or google email service to send their own domain email. i actually do that. and i imagine, a great deal of ppl. it also covers various 3rd party services, such as ones that deliver greeting cards, process petitions...

>> as i said: combined, alignment OFF and AND processing logic would work great
>> in cases where alignment isn't possible, yet email is fully legitimate.
> For the "off" case, isn't that just the same as "p=none"?

it isn't. if we accept the idea about making alignment optional, i would gladly expand the idea to more than just turning alignment on/off. actually, such alignment field would, in my proposal, include a three-state:

1. alignment ON, in which case from: header gets checked against.
2. alignment OFF, in which case domain owner specifies they have no benefit from DMARC alignment checks, but do want other checks performed, such as AND-logic mechanism evaluation, for example.
3. alignment domain-list value to include in alignment check: list of domains the domain owner wants to have included in DMARC alignment check, complementing from: header domain; this will cover almost all cases DMARC breaks now, such as 3rd party infrastructure, mailing lists that do not wish to make changes for DMARC-compatibility, forwarders that process their mail, but can't be controlled by domain owner, etc. it's somewhat similar to SPF domain definition, but different, since it affects DMARC-alignment process.

> That probably means the benefit of adding SRS support wasn't obvious to
> the people responding. This may be obvious to you, but it's apparently
> not obvious to others.

SRS has benefits. but not for big ESPs, mainly cause of infrastructure requirements. so, i'm done with advocating for that, cause it won't get supported by the most influential actors here, that's obvious.

>> include sender-id as another DMARC supported check algorithm.
>> yeah, i better not start this topic... we don't want another MARID.
> I totally agree there, especially since Sender-ID got almost no adoption
> (see RFC 6686), and that seems unlikely to change now.

it would change quite fast if we would make it part of DMARC. actually, Sender-ID isn't all that bad at all. it was way ahead of its time. PRA could actually be a better way to determine owner's domain for alignment purposes than some undefined public-suffix list, especially in the light of newest moves by ICANN, introducing bunch of new top-lvl domains, which will probably host a bunch of sub-domains with registration capabilities by 3rd parties, etc. DMARC's dependence on a concept of "public-suffix list" is a can of worms i can't wait to see what will make of DMARC's usability at the end. it will be a mess for sure. i'm not rly sure how this isn't obvious to DMARC's authors, given all that experience in the domain.

On Thursday, April 17, 2014 1:42 PM, "Popowycz, Alex" wrote:
> Perhaps I'm missing something, but eliminating alignment essentially
> nullifies the authentication value for a given domain.

which, in some cases, has no value at all. as i mentioned up, alignment-OFF works well only with other options i'm proposing, and only in special cases.

--
Vlatko Salaj aka goodone
http://goodone.tk

_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
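
The evaluation rules debated in this thread, as an added example (not code from the message or from any DMARC implementation): the current OR logic next to the proposed AND logic and the three-state alignment setting. The parameter names `logic`, `alignment` and `extra_domains`, the sample domains, and the subdomain match used in place of organizational-domain comparison are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    spf_pass: bool    # SPF verdict for the envelope sender
    spf_domain: str   # domain SPF authenticated (RFC5321.MailFrom)
    dkim_pass: bool   # a DKIM signature verified
    dkim_domain: str  # d= domain of that signature

def aligned(domain, allowed):
    # Simplified stand-in for relaxed alignment: exact match or subdomain.
    # Real DMARC compares organizational domains (public suffix list).
    domain = domain.lower().rstrip(".")
    return any(domain == a or domain.endswith("." + a) for a in allowed)

def evaluate(from_domain, res, logic="or", alignment="on", extra_domains=()):
    """Return True if the message passes under the chosen rules.

    logic:     "or" (current DMARC) or "and" (proposed in the thread)
    alignment: "on", "off", or "list" (From: domain plus extra_domains)
    """
    if alignment == "off":
        # Proposed OFF state: raw SPF/DKIM verdicts, no tie to From:.
        spf_ok, dkim_ok = res.spf_pass, res.dkim_pass
    else:
        allowed = {from_domain.lower()}
        if alignment == "list":
            allowed |= {d.lower() for d in extra_domains}
        spf_ok = res.spf_pass and aligned(res.spf_domain, allowed)
        dkim_ok = res.dkim_pass and aligned(res.dkim_domain, allowed)
    return (spf_ok and dkim_ok) if logic == "and" else (spf_ok or dkim_ok)

# Constructed sample results (all domains are placeholders).
# A signed message re-sent from unrelated infrastructure: DKIM still aligned.
REPLAYED = AuthResult(True, "bulk.example.net", True, "example.org")
# Legitimate third-party sender authenticating only as itself.
THIRD_PARTY = AuthResult(True, "esp.example.com", True, "esp.example.com")

if __name__ == "__main__":
    for name, res in (("replayed", REPLAYED), ("third-party", THIRD_PARTY)):
        for logic in ("or", "and"):
            for mode in ("on", "list", "off"):
                ok = evaluate("example.org", res, logic, mode, ["esp.example.com"])
                print(f"{name:12} logic={logic:3} alignment={mode:4} pass={ok}")
```

With alignment off, the AND rule accepts the replayed sample as well, because neither check is tied to the From: domain any more.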
