On 12/30/2020 10:41 AM, Michael Thomas wrote:
DMARC != Auth-res. Auth-res provides all kinds of useful information
than just pass/fail. For DMARC Auth-res should provide what the policy
was at a bare minimum. But none of this seems to have any normative
language anywhere which is a problem unto itself. DMARC in auth-res
seems to be an orphan.
A-R was a moving target for a long period and I am not sure it is
completed for the task at hand.
It was why my own wcSMTP used name space field values and made use of
for potential visual reports, wcAVS filters at the backend and
potentially the MUA frontend. That has always been a consideration
since day one.
But it was also a consideration the MUA filter could only safely apply
it to messages verified by the host, i.e. the A-R record MUST was
created by the host by domain name which the MUA client trust.
This brings up the important fact, the most mail host have a
responsibility to filter "bad" mail before the user gets it and not
pass it on to potential phishable users. However, in this real market,
like even in this WG, we have both camps; those who believe strongly
in rejection at SMTP (system wide) and those who believe of accepting
all and passing the buck to the user (user-level filters). IMO, you
can't fight it. You accept both and program for both because both exist.
For example for Mike's message, its a simple A-R:
Authentication-Results: dkim.winserver.com;
dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
dkim=pass header.d=ietf.org header.s=ietf1 header.i=ietf.org;
dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=mtcc.com
header.s=fluffulence header.i=mtcc.com;
There are no DKIM-POLICY protocol records like ADSP or DMARC. No A-R
line for DMARC means the domain have NO record. It is not
participating in DMARC, purposely or not. Having no A-R line avoids
making erroneous interpretations by consumer like Mike has pointed out.
Any A-R evaluation looking for the specific DMARC verification bits as
part of its algorithm, but sees none, MUST use the default input and
output values for a domain that lacks a DMARC record. For DMARC, when
no record exist, the default values are (please confirm, I am going
off my https://secure.winserver.com/public/wcDMARC wizard form values).
p=none
sp=none
adkim=relaxed
aspf=relaxed
pct=100%
rua=0
ruf=0
rf=afrf
ri=86400
The dmarc= value SHOULD not be dmarc=fail nor dmarc=pass because no
DMARC record exist. So if an A-R is written for a non-DMARC domain,
it should be perhaps write:
dmarc=unknown author.d=gmail.com signer.d=gmail.com (originating
signer);
or
dmarc=none author.d=gmail.com signer.d=gmail.com (originating signer);
Although the dmarc=none could erroneously suggest a DMARC record exist
with a p=none policy, when a real policy exist, then a policy= tag
used in our A-R, like:
dmarc=dkim-fail policy=none author.d=gmail.com signer.d=gmail.com
(originating signer);
which reads:
The author.d=gmail.com has a DMARC none policy. It has an aligned
author and signer domain, but DMARC failed due to a dkim-fail
signature which the A-R dkim line shows:
dkim=fail (DKIM_BODY_HASH_MISMATCH) header.d=gmail.com
header.s=20161025 header.i=gmail.com;
I am not suggesting this or no DMARC A-R line should be written when
the domain lacks a DMARC record.
If a A-R dmarc line is recorded, it should be readable by humans. It
should not erroneously misdirect an A-R evaluator routine when a DMARC
does not exist. Using the comment field SHOULD be reserved for
non-standard HUMAN readable data. But some of used it to fill in the
gaps we wanted A-R for verification results, i.e. for SPF, the ip name
field.
Overall, I agree, resolving the A-R name space technical issue SHOULD
be resolve in the WG for DMARC-bis. I think it is well worth the
effort to define what we need and then use this for the update up the
A-R specs to create a more common and useful name space to all.
--
Hector Santos,
https://secure.santronics.com
https://twitter.com/hectorsantos
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc
