Are we trying to define a protocol that evaluators can follow automatically without ever making any mistakes? I am not.
It is simply wrong to assume that changes-in-transit are the only cause of DMARC Fail on acceptable messages. If you work with a mailstream, you should be aware of these other causes, which are probably more important, because they have universal applicability: - Benevolent impersonation by trusted entities - Overzealous implementation of DMARC before all messages have DKIM signature - Software errors that cause outbound signatures to be missing or unverifiable (a variant of the previous) If we say, "DMARC should only be implemented by domains where FAIL will never occur on an acceptable message", then there are few domains that can use DMARC, and the value of the protocol vanishes. If DMARC FAIL could actually mean that a message source is certainly malicious, then the necessary response is much more than blocking one message. A competent administrator must block all messages from a source known to be malicious. It would be reckless to reject malicious impersonations while accepting malicious messages that are not impersonations. But recklessly blocking message sources based on an automated DMARC FAIL would multiply the mistakes. The flip side of this topic is an implicit assumption that acceptable p=none messages will never be discarded because the evaluator will not enforce authentication. Similarly, an assumption that No Policy messages will never be discarded because the evaluator cannot enforce authentication. The domain owner does not eliminate risks by avoiding DMARC, he merely chooses different risks. For the current topic, we need language that says simply: - Evaluators need to be cautious about blocking messages exclusively on DMARC results, as acceptable messages may be blocked sometimes. and - Domain owners need to be cautious when setting DMARC policy to reject, because acceptable messages may not appear authenticated when they are received by the evaluator, and some evaluators may block on DMARC results alone.. The evaluator is the most important part of the DMARC process. If we want optimal results, we need to give him the guidance needed to make optimal decisions. Doug Foster On Tue, Mar 28, 2023 at 4:15 AM Barry Leiba <[email protected]> wrote: > I raised this issue in the DMARC session in Vienna, and have let it > sit for a while so as not to derail other discussion. As we're pretty > close to finished with the DMARCbis document, I'd like to raise it > again, this time with specific proposed text for us to discuss. > > And so: > > OLD > > 5.5.6. Decide If and When to Update DMARC Policy > > Once the Domain Owner is satisfied that it is properly authenticating > all of its mail, then it is time to decide if it is appropriate to > change the p= value in its DMARC record to p=quarantine or p=reject. > Depending on its cadence for sending mail, it may take many months of > consuming DMARC aggregate reports before a Domain Owner reaches the > point where it is sure that it is properly authenticating all of its > mail, and the decision on which p= value to use will depend on its > needs. > > NEW > > 5.5.6. Decide If and When to Update DMARC Policy > > Once the Domain Owner is satisfied that it is properly authenticating > all of its mail, then it is time to decide if it is appropriate to > change the p= value in its DMARC record to p=quarantine or p=reject. > Depending on its cadence for sending mail, it may take many months of > consuming DMARC aggregate reports before a Domain Owner reaches the > point where it is sure that it is properly authenticating all of its > mail, and the decision on which p= value to use will depend on its > needs. > > It is important to understand that many domains may never use > policies of “quarantine” or “reject”, and that these policies are > intended not as goals, but as policies available for use when they > are appropriate. In particular, “reject” is not intended for > deployment in domains with users who send routine email, and its > deployment in such domains can disrupt indirect mail flows and cause > damage to operation of mailing lists and other forwarding services. > This is discussed in [RFC7960] and in Section 5.8, below. The > “reject” policy is best reserved for domains that send only > transactional email that is not intended to be posted to mailing > lists. > > To be explicitly clear: domains used for general-purpose email MUST > NOT deploy a DMARC policy of p=reject. > > END > > I'm well aware that the MUST will *not* be followed by everyone, and > that some domain owners will feel that they need to use p=reject, > regardless. I think that's fine: the standard should specify what's > right for interoperability, and I believe that improper use of > p=reject is extremely harmful to interoperability... so "MUST" is > correct here. And no one will be arrested or fined for choosing not > to follow it. We should still say it, nonetheless. > > OK, have at it. > > Barry > > _______________________________________________ > dmarc mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list [email protected] https://www.ietf.org/mailman/listinfo/dmarc
