►
From YouTube: IETF109-DMARC-20201118-0500
Description
DMARC meeting session at IETF109
2020/11/18 0500
https://datatracker.ietf.org/meeting/109/proceedings/
A
A
A
We
basically
have
just
split
the
main
demark,
this
document
into
three
parts,
so
this
is
fairly
new,
we'll
basically
discuss
a
set
of
topics
for
relevant
for
each
part
in
case
of
gmark
base.
There
actually
three
topics
we'll
talk
about
pct,
possibly
breaking
out
the
main
organizational
domain
definition
and
policy
discovery.
B
C
A
A
A
A
D
Yeah
regarding
the
the
perverse
incentive
of
p
equal
quarantine
percent
equals
zero.
I
don't
know
if
it's
true
any
longer,
but
there
was
a
time
when,
if
one
get
wanted
to
get
correct
reports
out
of
google,
especially
mail,
that
was
transiting
any
sort
of
google
groups,
one
had
to
have
the
p
equal
quarantine
percent
equals
zero
as
a
substitute
for
p
equal
none.
In
order
to
get
those
reports
again,
they
may
have
fixed
this.
D
This
was
several
years
ago
when
this,
when
this
was
true,
but
that
was
the
reason
I
think
for
the
perverse
incentive
in
the
first
place
in
general,
I'm
in
favor
of
getting
rid
of
the
percent
tag,
for
the
reason
stated
that
it's
just
probably
not
implemented
correctly,
but
we'll
need
to
make
sure
that
that
won't
have
any
impact
on
on
any
reports
coming
out
of
google.
First.
A
E
E
I
work
for
agari,
where
I
help
large
organizations
implement
dmarc
quarantine
and
reject
all
the
time,
and
particularly,
we
see
this
a
lot
with
google
groups,
but
also
with
a
couple
of
mailing
list.
Platforms
like
groups.io
and
listserv
by
elsoft
will
munch
headers
for
domains
using
a
quarantine
or
reject
tag,
but
not
using
a
p
equals
none
or
I
guess,
presumably,
no.
A
E
Yes,
we
could
do
something
like
allowing
this,
but
not
other
other
pct
equals
or
allowing
some
other
setting
that
accomplishes
a
similar
goal
would
be
fine.
Now
I
have
had
a
couple
of
organizations
that
do
use
percentage
tags
in
the
way
that
it
was
intended
to
be
used
to
roll
it
out
slowly,
but
that's
only
happened
with
a
couple
of
my
customers
and
I
think
they
were
people.
I
could
probably
have
talked
into
doing
this
without
that.
E
One
of
the
biggest
exceptions
to
that
was
one
of
the
largest
email
organizations
that
I've
worked
with,
and
that
was
because
they
were
worried
that
they
would
get
enough
reports
back,
that
their
upper
management
might
notice
and
decide.
Something
was
wrong,
even
though
nothing
was
wrong,
so
they
wanted
to
kind
of
slowly
test
the
waters.
F
Hopefully,
it's
connected
correctly
regarding
the
percentage
tag
anyway
autumn
will
also
mention
it
from
an
implementation
perspective.
From
a
practical
perspective,
I've
only
seen
very
useful
cases
when
moving
from
quarantine
to
reject,
in
the
more
a
more
restrictive
policy
component
in
a
way
to
test
well
or
at
least
have
confidence
in
enforcing
the
policies
even
more.
I
do
recognize
that
in
the
earlier
stages,
it's
confusing
from
impulsing
none
or
perhaps
the
policy
quarantine
quarantine,
but
dropping
it
to
actually
have
a
gradual
control
of
moving
from
quarantine
to
reject.
A
C
C
If
I'm
wrong
about
that,
please
let
me
know
the
other
thing
is
I'm
wondering
if
deprecate
is
the
right
term
here,
we're
writing
a
new
standards
track
specification
to
replace
an
informational
thing.
Do
we
need
to
deprecate
anything
shouldn't?
We
we're
not
going
to
do
it?
Don't
we
just
leave
pct
out
because.
A
C
A
A
E
E
So,
even
if
something
is
fully
passing
authentication,
they
don't
always
the
people
I'm
talking
to
are
usually
a
security
or
I
t
team
for
a
large
organization,
maybe
a
business,
maybe
a
government
agency
and
a
lot
of
times.
They
have
no
idea
who
the
people
on
the
ground
are,
who
are
actually
sending
these
emails,
and
maybe
they've
got
that
somewhere
in
various
ticketing
systems
somehow.
E
But
they
don't
always
know
what
to
query.
So
when
we
have
selectors
included,
that
is
very
helpful
for
them
to
be
able
to
search
their
records
and
maybe
figure
out
who
put
something
in
dns
because
they're
much
more
likely
to
have
a
dns
record
tracked
to
say:
oh,
we
put
in
a
c
name
or
a
text
record,
so
it
facilitates
tracking.
E
So
I
would
be
happy
to
see
that
in
dmarc
reports
and
in
terms
of
how
we
would
make
that
extensible,
I
would
have
to
go.
Look
at
exactly
what
the
aggregate
reports
look
like
from
gmail.
I
don't
have
one
handy,
but
I
believe
it
just
has
s
equals
and
then
the
selector
in
the
same
list
of
format
like
you,
would
get
in
other
people's
aggregate
reports.
A
A
G
Sorry,
it
wasn't
yes
now
you're
hearing
me.
Yes,
we
did
rfc
8601
recently
to
revise
authentication
results
and
part
of
that
was
to
add
header.s
in
support
of
doing
exactly
what
we're
talking
about
here.
So
I
think
that's
one
that
makes
sense
to
do.
I
thought
it
was
tracked
as
a
as
an
issue
to
do
that
in
particular,
but
so
that's
the
that's
the
most
common
use
case.
I've
heard
in
terms
of
extending
this.
D
I
H
Well:
okay,
it's
not
clear
to
me
what
the
question
is
that
we
are
trying
to
address
here.
Is
it
what
other
things
do
we
want
people
to?
What
are
they?
What
yeah?
What
other
things
might
we
like
to
have
in
reports
or
is
the
question
is
how
do
we
put?
How
do
we
allow
people
to
put
stuff
into
reports
in
a
way
that
won't
won't
break
existing
parsers
and
7489
has
an
xml
grammar
which
is
fine,
and
I
suppose
we
could
put
some
stuff
into
the
grammar.
H
A
A
H
Go
ahead,
I
guess
what
I
said
in
the
chat.
Is
these
both
seem
reasonable
and
I
would
I
guess
I
would
encourage
whoever
suggested
that
they
want
these
reports
to
send
some
snippets
of
xml.
So
we
can
see
because
we
can
try
and
nail
down
what
it
is
they're
reporting,
because
I
could
imagine
particularly
for
arc
a
range
from
yeah
they
used
arc.
So
here's
the
entire
details
of
of
all
473
bits
of
stuff
in
the
arc
chain.
H
A
G
Is
the
question
about
the
straw?
Man
is
what
must
be
included?
What
may
be
included,
I
haven't
I'm.
I
haven't
read
the
new
document
yet,
but
does
anybody
know
what
that,
whether
we're
talking
about
a
minimal
set
of
things
that
have
to
be
included
or
a
full
list
of
things
that
might
be
included
or
some
mix
of
those.
A
D
Thanks
todd
yeah,
I
I
don't
see
him
on
the
call,
but
I
know
jesse
thompson
from
the
university
of
wisconsin
has
spoken
in
the
past
about
his
sort
of
straw,
man,
failure
reporting
and
how
it
would
be
super
helpful
for
him
who's
at
a
large
distributed
system
to
figure
out
just
just
where
the
failures
are
coming
from
to
have
that
from
in
the
two.
I
I
don't
like
the
idea
of
the
failure
report
sentence.
D
Failures
occur
that
just
seems
like
a
vector
to
to
be
abused
simply
from
somebody
forging
mail
and
causing
intentional
dmarc
failures,
but
something
stripped
down
with
just
from
and
two
sent
at
a
regular
interval
like
an
aggregate
report
sounds
reasonable.
Assuming
people
would
actually
consume
the.
E
E
I
think
my
my
team
most
often
that
we
do
use
the
from
address
and
also
the
subject
line,
is
really
important
to
us
now.
The
subject
line,
I
think,
is
one
that
is
up
in
the
air
because
of
concerns
over
private
data,
but
that
is
extraordinarily
helpful.
Again.
The
use
case
I'm
seeing
is
a
domain
with
many
distinct
email
uses
many
distinct
vendors
and
not
a
lot
of
visibility,
otherwise
into
what's
being
sent.
E
E
So
that's
why
we
use
those.
My
team
members
also
find
the
message
id
helpful,
sometimes
because
sometimes
it
provides
insight
into
the
back
end
technology.
Now,
that's
another
question.
I
guess
what
would
be
helpful
for
this
is
if
we
could
find
what
specific
fields
people
are
really
objecting
to,
because
some
of
them
are
going
to
be
a
bigger
deal
than
others,
and
I
think
there's
potential
trade-offs
to
be
made.
Is
the
concern
really
over
possibly
exposing
infrastructure?
E
E
F
F
I
definitely
see
real
life
use
cases
for
having
in
a
way
abstracted
report
with
limited
api
information,
but
then
the
the
the
the
headers
regarding
where
the
message
originated
from
mta
wise
would
be
very
interesting
to
have
in
there
do
not
need
the
subject
to
be
honest
from
a
personal
perspective,
but
having
at
least
from
the
the
the
domain
part.
And
then
the
two-domain
part
without
the
local
parties
would
be
fine
from
a
specification
perspective.
B
A
J
Essentially,
if
we
re,
if
we
looked
at
all
of
the
urals
that
we
were
sending
from
our
own
mail,
subtracted
those
from
the
failure
reports,
all
that
was
left
was
badness
and
we
actually
use
those
links
from
the
badness
for
shutting
down
the
sites
that
are
hosting
malicious
activity,
abusive
our
name,
etc,
etc.
So
it
is
very
useful
in
getting
rid
of
the
badness.
H
H
A
H
Yeah,
well,
I'm
just
I'm
not
sure
we
are
able.
We
are
in
a
position
to
say
basically
you
know
we're
talking
to
lawyers
here
and
I'm
not
sure,
there's
anything
we
can
say
in
the
standard
that
says:
oh,
it's,
okay
to
send
x,
because
they'll
say
you
know
they
have
their
own.
They
have
their
own
opinions
about
it.
So,
like
I'm
not
opposed
to
doing
this,
I
just
think
I
don't
think
we
should
put
a
whole
lot
of
effort
into
it
because
I
think
in
reality,
people
are
going
to
report.
A
A
A
A
A
K
L
So
since
I
made
a
proposal
for
a
really
firm
split,
I'm
feeling
obligated
to
at
least
repeat
that
this
is
a
messy,
unpleasant
topic
with
a
bad
history.
It's
a
case
of
making
do
with
what
is
generally
viewed
as
a
not
very
good
or
terrible
solution,
but
it's
the
best
that's
available.
Now
there
are
different
approaches
to
making
it
a
lot
better.
One
of
these
days,
one
of
them,
might
actually
prove
successful
and
and
get
adopted
and
work
better
baking.
L
Anything
into
the
core
dmarc
spec
that
relies
on
anything
in
particular
happening
it
is,
is
just
inherently
risky
having
the
spec
state
what
it
wants
as
a
result,
what's
the
nature
of
the
information
it
wants?
That
makes
sense,
because,
because
dmarc
needs
to
use
that
information,
making
any
statements
about
how
it
gets,
the
information
is
the
problem,
and
I
I
now
don't
remember
who
made
the
suggestion
for
some
compromised
text.
I
can't
remember
whether
it
was
murray
or
barry
or
or
kurt
or
whoever,
but
it
was.
It
was
very
clean.
A
L
Well,
my
my
point
was:
some
text
was
offered,
it
was,
I
think,
two
sentences
and
it
seemed
to
me
complete
plenty
sufficient.
The
first
sentence
said
we're
not
specifying
it
and
the
second
sentence
said
by
the
way,
there's
some
existing
practice.
I
I
don't
remember
the
exact
language
now,
but
it
was.
It
was
along
those
lines
and
the
important
part
was
it
wasn't
normative
and
it
wasn't
technical
detail.
A
H
I
just
want
to
make
sure
that
we
agree
that
when
we
split
this
out
into
another
document,
it
is
possible
that
what
we
end
up
specifying
as
as
the
org
domain
will
not
necessarily
be
the
same
domain
that
the
current
process
finds
and
in
particular,
if
we
do
a
t,
if
we
do
a
tree
walk
it
won't,
be
I
mean
I'm
fine
with
that.
I
just
want
to.
If
we're
going
to
do
this,
I
just
want.
I
think
we
need
to
make
sure
that
everybody
understands
that.
G
You
could
put
those
two
in
a
common
document
how
you
organize.
That
is
really
not
important.
I
don't
think,
but
I
think
it's
going
to
be
important
to
preserve
what
was
there
but
very
clearly
label
it,
as
this
is
what
we
came
up
with.
Originally,
we
don't
love
it.
It
served
a
purpose
for
a
while
watch
for
better
things
and
then
the
tree
walk
might
be,
might
follow
on
right
immediately
and
that
might
be
the
preferred.
A
F
A
I
All
right
well-
and
I
also
don't
think
that
it
makes
sense
to
have
a
separate
document
that
says
essentially
thanks
for
looking
here
about
finding
an
org
domain,
but
we
don't
care
anymore
because
do
a
tree
walk
instead
and
that
so
I
think
we'd
be
better
served
as
just
an
appendix
and
a
new
document
that
says
historically
here's
how
it's
done.
This
is
the
way
going
forward
and
not
have
a
separate
document
potentially
so
I'm
I'm
on
the
fence
about
a
separate
document
per
se.
A
E
E
It
just
happened
to
be
a
sub-domain
of
you,
know,
university.edu
and
university.edu
itself
was
not
interested
in
implementing
dmarc.
So
I
don't
know
how
often
this
use
case
occurs,
but
I
do
see
it
a
lot
with
higher
education
and
government
as
well,
and
that's
where
I
think
folks
would
be
really
happy
to
have
something
like
this.
Now
I
can
see
where
there
could
be
a
lot
of
downsides
to
performing
effectively
an
infinite
tree
walk.
I
mean
how
many
levels
out.
E
A
H
Yeah
I
went
over
and
asked
our
friends
in
dns
land.
How
much
do
they
hate
tree
walks
because
they
mean
it
used
to
be
a
total,
a
total
killer
and
the
response
I
got
was
like
oh
yeah.
Whatever?
Would
you
rather
surprise
me
and
they
pointed
out
that
the
caa
dns
record
that's
used
for
for
controlling
tls
certificate?
Issuance
has
specified
a
tree
walk
for
seven
years.
It
was
published
in
2013
and
I
can
tell
you
from
experience
arguing
with
with
certificate
authorities
that
they
actually
do
that.
H
H
More
than
maybe
five
levels
down,
you
know,
or
maybe
10
levels
down,
so
you
know
and
everybody
seemed
to
say
yeah.
You
know
it's
like.
Okay,
do
a
tree
walk
and
if
you're
worried
about
it
limited
to
five
levels,
and
then
they
had
a
couple
of
other
little
implement
implementation
tricks.
You
might
do
to
take
advantage
of
the
fact
that
if
your
dns
cache
sees
an
nx
domain
at
a
certain
level,
then
it
can
automatically
tell
you
without
going
back
to
the
authoritative
one,
there's
nothing
below
it.
H
So
I
mean
from
an
implementation
point
of
view.
You
know,
and
if
you
you
know,
I
I
say:
do
a
tree
walk
for.
Do
a
tree,
walk
for
five
levels
until
and
tell
people
if
you
want
to
have
more
than
if
you
want
to
have
stuff
more
than
five
levels,
deep
and
get
dmarc
reports,
then
you
better
put.
You
know
a
dmarc
record
at
least
every
at
least
35
levels,
and
I
think
we're
done
I
mean
and
the
only
the
only
issue
here
is
sort
of
mean.
H
You
know
I
take
autumn's
point
of
view
of
the
universities
that
I
refer
to
as
the
holy
roman
empire
model
of
governance
and
that
they
have
there's
you
know
and
you
basically,
you
cannot
tell
from
the
structure
of
their
dns
tree
who's
in
charge
of
what
and
the
flip
side
is
their
organizations
where
by
golly
you
know
the
regis
their
second
level
domain,
that
they
registered
is
their
domain,
and
that's
where
all
the
reports
should
go.
I
mean
I
don't
know
if
they're
people
who
feel
really
strongly
about
this,
you.
I
H
And
that
would
be
an
argument
for
keeping
something
like
the
current
organizational
domain.
Although
the
counter
counter
argument
is
like
well,
then
woke
up
and
what
you
know
if,
if
that
is
a
problem
for
you,
then
write
a
little
script
that
walks
up
and
down
your
dns
tree.
Looking
for
rogue
dmarc
records
and
fix
them.
A
C
Hi,
so
I
have
to
say
that
I'm
I'm
rather
amused
by
the
idea
of
doing
a
tree
walk
here,
because
we
discussed
it
extensively
when
we
were
doing
adsp
and
the
you
know
it
was
just
like.
Well,
no,
you
can't
possibly
do
a
tree
walk,
it
was,
it
was
considered,
it
was.
It
was
really
toxic
at
the
time,
and
I
have
to
say
I
mean
my
recollection-
is
that
the
objections
to
it
didn't
come
from
the
dns
folks.
It
came
from
the
people
that
are
in
this
meeting.
C
C
I
don't
think
it's
going
to
create
a
a
heavy
load,
but
one
thing
that
you
do
want
to
make
sure
that
you
have
is
that
the
the
the
record
that
you
get
to
with
the
tree
walk
needs
to
have
a
flag
in
it
to
indicate
whether
it's
intended
to
apply
to
lower
layers?
Because
otherwise
you
know
you
might
you
might
want
to
have
a
lower
layer
that
doesn't
have
a
policy
or
doesn't
have
a
dmarc
record
and
a
higher
layer
that
does,
and
you
don't
want
to
essentially
have
including
the
tree
walk.
C
B
So
not
a
dmarc
expert
do
know
a
little
bit
about
dns.
On
the
other
hand,
so
a
couple
of
things,
and
I
I
don't
I'm
not
even
sure
I
have
an
opinion
on
walking
myself
or
not.
I
think
if
you
asked
a
lot
of
people,
you'd
get,
you
know
a
bunch
of
different
answers.
In
fact,
if
you
ask
10
people,
you
get
11
answers,
I'm
sure,
but
as
to
whether
it's
actually
you
know
good
or
bad.
I
will
point
out
a
couple
of
things.
One.
B
The
caa
example
is
is
one
where
they,
where
it's
done,
but
there's
a
huge
amount
of
difference
between
the
queries
that
will
be
generated
by
caa
searches
which
are
rare
versus
those.
You
know
by
mail
servers
actually
doing
dmarc,
there's
there's
a
significant
difference
in
traffic,
so
you
know
q
name.
Minimization
is
actually
another
way,
we're
actually
increasing
the
load
on
the
dns
by
by
making
more
requests
and
that's
sort
of
a
tree
walk
going
downward.
B
Ideally,
the
right
thing
to
do
is
provide
guidance
at
that
point,
and
so,
if
you
have
a
lot
of
different,
you
know
subdivisions
within
a
university.
For
example,
I'm
I'm
at
one,
so
I'm
just
as
equally
as
guilty
right.
We
have
a
sub
department
that
that
you
know
is
inside
of
the
major
one.
It'd
be
better
if
you
could
add
a
reference
right
to
to
be
able
to
say
and
that
reference
could
be.
You
know
even
possibly
just
a
cname
would
work
of.
B
I
need
my
sub
department
to
actually
I
want
you
to
go,
follow
this
policy
somewhere
else,
and
that
way
you
know
you
don't
have
to
do
a
walk.
If
you
can
point
directly
at
it
right,
you
take
out
that's
a
much
more
optimized
solution.
In
terms
of
both
you
know
the
number
of
dns
requests
required,
as
well
as
just
simplicity
of
an
algorithm.