ietf-svn-bot
commented
4 years ago @seth@sethblank.com changed status from new to assigned
Closed ietf-svn-bot closed 3 years ago
ietf-svn-bot
commented
4 years ago @seth@sethblank.com changed status from new to assigned
ietf-svn-bot
commented
4 years ago @seth@sethblank.com removed owner (was draft-ietf-dmarc-rfc7601bis@ietf.org)
ietf-svn-bot
commented
4 years ago @seth@sethblank.com changed component from rfc7601bis to dmarc-bis
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed status from assigned to accepted
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com set owner to todd.herr@valimail.com
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com commented
See also ticket #5
Elimination of the pct tag will result in removal of the following sections of text:
From "DMARC URIs":
pct:
: (plain-text integer between 0 and 100, inclusive; OPTIONAL;
default is 100). Percentage of messages from the Domain Owner's
mail stream to which the DMARC policy is to be applied. However,
this MUST NOT be applied to the DMARC-generated reports, all of
which must be sent and received unhindered. The purpose of the
"pct" tag is to allow Domain Owners to enact a slow rollout
enforcement of the DMARC mechanism. The prospect of "all or
nothing" is recognized as preventing many organizations from
experimenting with strong authentication-based mechanisms. See
(#message-sampling) for details. Note that random selection based on
this percentage, such as the following pseudocode, is adequate:
if (random mod 100) < pct then
selected = true
else
selected = falseFrom "Formal Definition":
[dmarc-sep dmarc-percent]and
dmarc-percent = "pct" *WSP "=" *WSP
1*3DIGITThe entire "Message Sampling" section:
### Message Sampling {#message-sampling}
If the "pct" tag is present in the policy record, the Mail Receiver
MUST NOT enact the requested policy ("p" tag or "sp" tag") on more
than the stated percent of the totality of affected messages.
However, regardless of whether or not the "pct" tag is present, the
Mail Receiver MUST include all relevant message data in any reports
produced.
If email is subject to the DMARC policy of "quarantine", the Mail
Receiver SHOULD quarantine the message. If the email is not subject
to the "quarantine" policy (due to the "pct" tag), the Mail Receiver
SHOULD apply local message classification as normal.
If email is subject to the DMARC policy of "reject", the Mail
Receiver SHOULD reject the message (see (#rejecting-messages)). If the email
is not subject to the "reject" policy (due to the "pct" tag), the
Mail Receiver SHOULD treat the email as though the "quarantine"
policy applies. This behavior allows Domain Owners to experiment
with progressively stronger policies without relaxing existing
policy.
Mail Receivers implement "pct" via statistical mechanisms that
achieve a close approximation to the requested percentage and provide
a representative sample across a reporting period.From "DMARC Tag Registry":
| pct | RFC 7489 | current | Sampling rate |In "Entire Domain, Monitoring Only", change the following:
* All messages from this Organizational Domain are subject to this
policy (no "pct" tag present, so the default of 100% applies)to
* All messages from this Organizational Domain are subject to this
policyor perhaps remove the bullet entirely since it adds no value without the mention of the pct tag
Last, rewrite the "Subdomain, Sampling, and Multiple Aggregate Reports URIs" section to remove mention of sampling and the use of the pct tag.
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed _comment0 which not transferred by tractive
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com commented
As reported in ticket #5:
Valimail data on 22 March 2021:
74790 DMARC records examined
5548 have pct= tag
5066 of those with pct= defined have pct=100
482 of those with pct= defined have pct= other than 100
53 of those with pct= defined have pct=0@todd.herr@valimail.com changed status from accepted to infoneeded
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com commented
Proposed text pushed to github and merged with main branch.
ietf-svn-bot
commented
3 years ago _@alexbrotman@comcast.com changed status from infoneeded to assigned
ietf-svn-bot
commented
3 years ago _@alexbrotman@comcast.com commented
I'm not sure I agree with removing pct completely, but seems like 0 and 100 should be ignored? The below is 1 day of data where a pct attribute was present. I removed the long tail of all sorts of broken records.
pct p percent 100 reject 51.194723 100 none 31.497058 100 quarantine 11.766201 10 none 1.680448 50 quarantine 0.750789 5 quarantine 0.373162 10 quarantine 0.343339 10 reject 0.334595 25 quarantine 0.220813 1 quarantine 0.202922 50 reject 0.201107 0 quarantine 0.181093 0 none 0.165156 20 quarantine 0.153728 1 none 0.140622 20 none 0.085060 70 quarantine 0.084914 75 quarantine 0.077796 90 quarantine 0.047547 30 reject 0.047254 75 reject 0.043798 90 reject 0.039404 30 quarantine 0.035075 90 none 0.031865 5 none 0.029756 25 none 0.029535 50 none 0.027966 40 quarantine 0.023774
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed status from assigned to infoneeded
ietf-svn-bot
commented
3 years ago @vesely@tana.it changed status from infoneeded to assigned
ietf-svn-bot
commented
3 years ago @vesely@tana.it commented
Setting p=quarantine; pct=0 seems to be a useful idiom to control From: munging, albeit not so much used.
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed status from assigned to infoneeded
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed status from infoneeded to assigned
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com commented
Consensus from 27 May 2021 interim (https://datatracker.ietf.org/doc/minutes-interim-2021-dmarc-01-202105270900/) was to leave tag in specification but to rewrite its definition to make its implementation and shortcomings more clear.
Rev -02 of dmarcbis does this.
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com changed status from assigned to closed
ietf-svn-bot
commented
3 years ago @todd.herr@valimail.com set resolution to fixed
keyword_nit_tag-updateowner:todd.herr@valimail.comresolution_fixedtype_defect| by seth@sethblank.comHow pct= is written, how it is implemented, how it is understood, and how it actually works are all different. It's also not statistically sound, and has additional poorly understood real-world behavior when used with p=reject.
Issue migrated from trac:47 at 2022-01-24 16:16:32 +0000