Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

DMARCbis WGLC More Nits #133

Closed
toddherr opened this issue Mar 14, 2024 · 10 comments
Closed

DMARCbis WGLC More Nits #133

toddherr opened this issue Mar 14, 2024 · 10 comments
Labels
component: dmarc-bis

Comments

@toddherr
Copy link
Contributor

section 11.4, Display Name Attacks. It has:

   From: "[user@example.org](mailto:user@example.org) via Bug Tracker" [support@example.com](mailto:support@example.com)
   (mailto:[support@example.com](mailto:support@example.com))

Should be:

   From: "[user@example.org](mailto:user@example.org) via Bug Tracker" <[support@example.com](mailto:support@example.com)>
   (mailto:[support@example.com](mailto:support@example.com))

Or even

   From: "<[user@example.org](mailto:user@example.org)> via Bug Tracker" <[support@example.com](mailto:support@example.com)>
   (mailto:[support@example.com](mailto:support@example.com))
@toddherr
Copy link
Contributor Author

Example 3 in appendix B.1.2 uses sample.net (an
existing domain) instead of example.net:

     DKIM-Signature: v=1; ...; d=[sample.net](http://sample.net/); ...

@toddherr
Copy link
Contributor Author

Appendix B.1.2 Example 2 is labelled "parent" in both SPF and DKIM subsections.
However, for SPF the identifier is a child of the From: domain, while
for DKIM the From: domain is a child of the identifier.

I'd either label "child" the DKIM example or parallelize the roles of
the identifiers.

@toddherr
Copy link
Contributor Author

Section 5.4 ABNF:

dmarc-value = %x20-3A | %x3C-7E should be dmarc-value = %x20-3A / %x3C-7E

Reword comments for URI to:

            ; "URI" is imported from [RFC3986];  
            ; commas (ASCII 0x2C) and exclamation
            ; points (ASCII 0x21) MUST be
            ; encoded

@toddherr
Copy link
Contributor Author

Values for 'fo' tag in section 5.3, General Record Format:

d: Generate a DKIM failure report if the message had a signature that failed evaluation, regardless of its alignment. DKIM-specific reporting is described in [[RFC6651](https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/133#RFC6651)]. s: Generate an SPF failure report if the message failed SPF evaluation, regardless of its alignment. SPF-specific reporting is described in [[RFC6652](https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/133#RFC6652)].

should be:

d: Generate a DMARC failure report if the message had a signature that failed evaluation, regardless of its alignment. DKIM-specific reporting is described in [[RFC6651](https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/133#RFC6651)]. s: Generate an DMARC failure report if the message failed SPF evaluation, regardless of its alignment. SPF-specific reporting is described in [[RFC6652](https://github.com/ietf-wg-dmarc/draft-ietf-dmarc-dmarcbis/issues/133#RFC6652)].

@toddherr
Copy link
Contributor Author

Section 11.4 nit fixed with adding backslashes to precede angle brackets that were already there.

Example 3 in section B.1.2 - changed sample.net to example.net

Examples in sections B.1.1 and B.1.2 that say "(parent)" and suggestion to parallelize them...

For both sections, I've changed the labeling as follows:

  • Example 1: (SPF|DKIM) in strict alignment:
  • Example 2: (SPF|DKIM) in relaxed aligment:
  • Example 3: (SPF|DKIM) not in alignment:

The text below each example further explains each.

ABNF changes made

All changes checked in to working branch.

@toddherr
Copy link
Contributor Author

Leaving 'fo' text (i.e., 'd', and 's', options) as it was in RFC 7489. The requests for DKIM-specific and SPF-specific failure reports are correct, per RFCs 6651 and 6652, respectively.

@alevesely
Copy link

Do RFCs 6651 and 6652 provide for sending DKIM/ SPF failure reports to the DMARC address?

@toddherr
Copy link
Contributor Author

I submit that DMARC, both RFC 7489 and DMARCbis, provides for sending DKIM/SPF failure reports to the DMARC address.

RFCs 6651 and 6652 pre-date 7489, obviously, and both contain text (https://www.rfc-editor.org/rfc/rfc6651.html#section-4 and https://www.rfc-editor.org/rfc/rfc6652.html#section-3, respectively) that speak of there currently being no method defined for receiving DKIM or SPF specific failure reports. RFC 7489 and DMARCbis, which both came after, define a method for receiving these reports with the ruf tag, yes?

@jrlevine
Copy link

I have a folder of 89,000 failure reports sent to my ruf address, and as far as I can see, none of them are SPF or DKIM reports. So, no. Many of the DMARC failure reports are triggered by SPF or DKIM failure but that's not the same thing.

@alevesely
Copy link

The description of ruf=, in both DMARCbis and RFC7489 says:

  • A Mail Receiver MUST implement support for a "mailto:" URI, i.e., the ability to send a DMARC report via electronic mail.

RFCs 6651/2 speak of there currently being no sending method until then. They do define one. (A local part, not a mailto: URI.) If we want to define another method to send DKIM/SPF failure reports, we should do it properly. The current definition of fo= allows to receive either DMARC failure reports or DKIM/SPF ones.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
component: dmarc-bis
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@alevesely @toddherr @jrlevine