
From nobody Fri Dec  1 05:47:24 2017
Message-ID: <5A215D5F.1070203@isdg.net>
Date: Fri, 01 Dec 2017 08:47:11 -0500
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: "Kurt Andersen (b)" <kboth@drkurt.com>,  Seth Blank <seth@sethblank.com>
CC: "dmarc@ietf.org" <dmarc@ietf.org>
References: <CAD2i3WPzUkp=goEYLDEDokHr8q31r0e-9hS3FxbpMDdEqOvVYw@mail.gmail.com> <CABuGu1oMZtG65tzMMt6c3nnGbsYTV4NeHYRGCng8k=ec-uJy5Q@mail.gmail.com>
In-Reply-To: <CABuGu1oMZtG65tzMMt6c3nnGbsYTV4NeHYRGCng8k=ec-uJy5Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/u5EudLR9J1PGiI49QvP6EQcdzFo>
Subject: Re: [dmarc-ietf] Proposed ARC "Experimental Considerations" section
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 13:47:23 -0000

On 11/29/2017 12:17 PM, Kurt Andersen (b) wrote:
>
> While I have a number of issues with the details of the proposal, I'll
> tackle those in another thread. The fundamental problem that I have
> with the whole "experiment" approach is that it is something like
> throwing a baseball into a pool of quiescent sharks. I have no
> confidence that "hoping" for people to do something that a random
> group of people propose in an RFC will bear any fruit at all. It's not
> an experiment, it's an exercise in futility.

Hi Ken,

The MARID experiment between SPF and SENDERID worked with random 
groups of people in the community/industry/market.  The "better 
protocol" eventually prevailed.  So it is possible this experimental 
approach for ARC is doable, albeit it will take a long time.

However, it was pretty clear that SPF/SenderID offered a strong proof 
of concept. It was pretty solid what the intent was, how it was going 
to work, and it was easy to implement. With ARC, we don't have such 
comfort, in my opinion.  Making it a proposed standard isn't going to 
increase its endorsement when it lacks technical merit.

Where does ARC fit in the DKIM Service Architecture, RFC5585?
https://tools.ietf.org/html/rfc5585#section-5

How does it fit with basic "DKIM Author Domain" policy model, in this 
case DMARC?   That isn't clear and until then, I'm afraid it will be 
left in limbo.

-- 
HLS



From nobody Fri Dec  1 05:49:48 2017
Message-ID: <5A215DF4.8020407@isdg.net>
Date: Fri, 01 Dec 2017 08:49:40 -0500
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: "Kurt Andersen (b)" <kboth@drkurt.com>
CC: "dmarc@ietf.org" <dmarc@ietf.org>
References: <CAD2i3WPzUkp=goEYLDEDokHr8q31r0e-9hS3FxbpMDdEqOvVYw@mail.gmail.com> <CABuGu1oMZtG65tzMMt6c3nnGbsYTV4NeHYRGCng8k=ec-uJy5Q@mail.gmail.com> <5A215D5F.1070203@isdg.net>
In-Reply-To: <5A215D5F.1070203@isdg.net>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rbm7HmvJMliNmQYppG5g_ujrstg>
Subject: Re: [dmarc-ietf] Proposed ARC "Experimental Considerations" section

Who's Ken?  :)  My apology Kurt.

On 12/1/2017 8:47 AM, Hector Santos wrote:
> On 11/29/2017 12:17 PM, Kurt Andersen (b) wrote:
>>
>> While I have a number of issues with the details of the proposal, I'll
>> tackle those in another thread. The fundamental problem that I have
>> with the whole "experiment" approach is that it is something like
>> throwing a baseball into a pool of quiescent sharks. I have no
>> confidence that "hoping" for people to do something that a random
>> group of people propose in an RFC will bear any fruit at all. It's not
>> an experiment, it's an exercise in futility.
>
> Hi Ken,
>
> The MARID experiment between SPF and SENDERID worked with random
> groups of people in the community/industry/market.  The "better
> protocol" eventually prevailed.  So it is possible this experimental
> approach for ARC is doable, albeit it will take a long time.
>
> However, it was pretty clear that SPF/SenderID offered a strong proof
> of concept. It was pretty solid what the intent was, how it was going
> to work, and it was easy to implement. With ARC, we don't have such
> comfort, in my opinion.  Making it a proposed standard isn't going to
> increase its endorsement when it lacks technical merit.
>
> Where does ARC fit in the DKIM Service Architecture, RFC5585?
> https://tools.ietf.org/html/rfc5585#section-5
>
> How does it fit with basic "DKIM Author Domain" policy model, in this
> case DMARC?   That isn't clear and until then, I'm afraid it will be
> left in limbo.
>

-- 
HLS



From nobody Fri Dec  1 09:18:23 2017
To: Seth Blank <seth@sethblank.com>
References: <CAD2i3WPzUkp=goEYLDEDokHr8q31r0e-9hS3FxbpMDdEqOvVYw@mail.gmail.com>
From: Dave Crocker <dcrocker@gmail.com>
Cc: dmarc@ietf.org
Message-ID: <fbb4f2f6-ca0d-02ba-4b00-b8f2df3a304d@gmail.com>
Date: Fri, 1 Dec 2017 09:18:14 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CAD2i3WPzUkp=goEYLDEDokHr8q31r0e-9hS3FxbpMDdEqOvVYw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7ird3t8jAViykVQC31zaGMGJIOc>
Subject: Re: [dmarc-ietf] Proposed ARC "Experimental Considerations" section

Nicely done.  Reads like a diligent effort and seems to indeed cover 
things nicely.  Not that changes won't help -- as the thread already 
suggests -- but has a good template and good content.

As for possible changes...

I agree that it needs to be cast primarily as a DKIM value-added 
mechanism, where reference to DMARC is limited.  Not zero, but not 
wholly dependent.

As for 'experiment', again, the template here casts things useful in 
that regard.  Whether the community will engage with the necessary due 
diligence is always an issue.

But as I've noted before, basing delivery decisions on the 
authentication information done by intermediaries is new territory and 
since it would seem to be an invitation to spoofing, we should treat its 
initial use as needing very careful analysis.  Errr... experimentation.


To the details...

On 11/22/2017 9:34 PM, Seth Blank wrote:
> Since we're aiming for an Experimental document, it was discussed that 
> it makes sense to define that experiment. I'm proposing the following 
> section, and suggest it be the final section after Security 
> Considerations but before References.
> 
> For this section, I'm taking the stance "the best way to get the right 
> answer online is to give the wrong answer online." The one thing I know 
> is that what I've proposed below is wrong. It's just a matter of how, 
> why, and to what degree.
> 
> I'm also certain I'm missing critical design decisions, and the success 
> criteria probably needs some hard watermark (like 90% of mail that 
> fails/was subject to override now passes due to ARC alone).
> 
> Anyway, let's attack this straw man to figure out what the right form of 
> this section should be.
> 
> Seth
> 
> --------
> 
> 16 Experimental Considerations
> 
> [[ NOTE TO WORKING GROUP: Should this section be for the IESG only to be 
> removed by the document editor, or should it stay with the document as 
> long as it’s experimental? ]]

Not sure what is typical.  Having this text in the document means it 
will require reissuing the document when it transitions from 
Experimental to Standards track.  Theoretically, a change in status 
doesn't require a new RFC.  However it's almost always true that the 
document benefits from other changes over that sort of time, so there 
isn't any negative of having the text in the base document.  The 
benefit, of course, is that it is more accessible, to more people.


> It must be demonstrated that ARC actually solves the problem it is 
> supposed to - mainly, that ARC provides an effective signal to a Final 
> Receiver that allows messages indirectly delivered to properly be 
> rescued after a DMARC failure.

      It must be demonstrated that ARC provides utility in recovering 
from a validation failure for a DKIM signature by an originator.  That 
is, can a final receiver perform useful validation of the message 
handling, to determine delivery disposition?  This is especially 
relevant for DMARC processing when the DKIM d= value is aligned with the 
rfc5322.From author domain.


Tossing in a distinct statement about DMARC acknowledged the issue that 
motivated this work, without putting it into the critical path for ARC. /d


> This section defines what success and failure look like, the protocol 
> design decisions that influence those criteria, and open issues that the 
> experiment should shine light on.
> 
> 16.1 Design Decisions
> 
> 16.1.1 Trace information is valuable
> 
> Because it is unclear exactly what information will be meaningful to 
> Final Receivers to make delivery decisions, it was decided that the 
> protocol would lean towards providing more information than less.

Simple, useful bit of design background.  Nice.  /d


> 16.1.2 Chains can’t be restarted
> 
> Originally, it was expected that ARC Chains would be restartable. 
> However, this turned out to be a deeply complicated and implementation 
> dependent mechanism, for a use case that wasn’t clear would ever occur. 
> The ARC-Seal was necessary when restarting a chain to guarantee that the 
> restarter knew everyone who had been involved in the chain previously.

      The ARC-Seal might prove to be unnecessary.  It is provided to 
provide additional analysis by the final receiver.

The issue of restarting, per se, seems a distraction here.  Useful 
history, but not really relevant to this section. /d


> 16.2 Success Criteria
> 
> Currently, many receivers have heuristic based overrides in place to 
> attempt to rescue mail from DMARC failures that they believe have been 
> delivered indirectly so as not to reject or junk mail their users 
> legitimately wish to receive.

      Currently, some receivers apply heuristics to augment the handling 
of DKIM-related validation failures.  ARC is intended to permit more 
reliable and accurate handling of such cases.  So the primary criterion 
for ARC success will be demonstrating a good cost/benefit result for 
that improvement.


> 
> ARC will be a success if, for ARC Sealed messages, receivers show equal 
> or better delivery rates than achieved through their overrides.
> 
> 16.3 Failure Criteria
> 
> The intent of ARC is to be at most value-add and at worst benign. If ARC 
> opens up new vectors for abuse - beyond DKIM replay attacks and other 
> known issues (see:Security Considerations) inherent in the mail 
> protocols ARC is built upon - then ARC will be a failure.

Having 'failure criteria' is interesting.  Hadn't occurred to me but 
seems useful for the template and the explicit reference to ARC possibly 
making a new attack surface seems appropriate. /d


> 16.4 Open Questions

    Questions To Be Resolved By The Experiment

I agree with Murray's suggestion, which means also dropping the 
following paragraph. /d

> The following open questions are academic and have no clear answer at 
> the time of the writing of this document. However, the ARC experiment 
> should gather the necessary data to conclusively answer some or all of them.
> 
> 16.4.1 Value of ARC Seal
> 
> Because the ARC Seal was initially intended to provide context when 
> restarting a chain, now that restarting the chain is not something ARC 
> attempts to do, the value of the ARC Seal appears limited.

I think the above paragraph isn't needed. /d


> As part of the ARC experiment, data should be collected to show if the 
> ARC Seal provides value beyond the ARC Message Signature for either 
> making delivery decisions or catching malicious actors trying to craft 
> or replay malicious chains.

      Data should be collected to show whether the ARC Seal provides 
significant value, beyond that of the ARC Message Signature or, for 
that matter, beyond simple DKIM signing.

taking Murray's point. /d


> 16.4.2 DNS Overhead
> 
> The longer an ARC Chain, the more queries that are needed to retrieve 
> keys to validate the Chain. It is not believed this will be a security 
> issue (see Security Considerations:DNS Attacks), but it is unclear how 
> much overhead will truly be added.


      A longer ARC Chain requires more queries for key retrieval.  It is 
believed this will not be a security issue...


> As part of the ARC experiment, data should be collected to better 
> understand the DNS impact of ARC Chains.

    DNS impact of  ->  DNS-related costs of creating and evaluating


> 16.4.3 What trace information is valuable
> 
> There are several edge cases where the information in the AAR can make 
> the difference between message delivery or rejection. For example, if 
> there is a well known mailing list that ARC Seals but doesn’t do its own 
> initial DMARC checks, a Final Receiver with this knowledge could make a 
> delivery decision based upon the authentication information it sees in 
> AAR[1].
> 
> Certain trace information in the AAR is useful in the construction of 
> DMARC reports.
> 
> Furthermore, certain large receivers believe the entire set of trace 
> information would be valuable to feed into machine learning system to 
> shine light on fraud or determine other signals related to message delivery.

      Given the proprietary nature of such value-added processing, it is 
likely that the only public reporting on this aspect of the experiment 
will be some form of yes/no assertion by these receivers.


> However, it is unclear what trace information will be consistently 
> valuable for all receivers, regardless of size.
> 
> As part of the ARC experiment, data should be collected on what trace 
> information receivers are using that provide signal that affects 
> deliverability, and what portions of the trace data are left untouched 
> or provide no useful information.




-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
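
Added example (not part of this thread or of the ARC draft): one way a receiver could collect the per-message figure that item 16.4.2 above asks for, namely how many key lookups a chain of N ARC sets costs with and without a resolver cache. The validation order (newest ARC-Message-Signature, then every ARC-Seal) and the 50-instance limit are taken from the later published RFC 8617; the function names are hypothetical and the domains, selectors and signature values are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string

MAX_INSTANCES = 50  # upper bound on ARC sets in one chain (RFC 8617)
ARC_FIELDS = ("ARC-Seal", "ARC-Message-Signature", "ARC-Authentication-Results")

# Constructed sample: three hops, where hop 1 and hop 3 are the same sealer.
SAMPLE = """\
ARC-Seal: i=3; a=rsa-sha256; cv=pass; d=lists.example; s=arc1; t=1512140000; b=AAAA
ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=lists.example; s=arc1; h=from:subject; bh=AAAA; b=AAAA
ARC-Authentication-Results: i=3; lists.example; arc=pass
ARC-Seal: i=2; a=rsa-sha256; cv=pass; d=forwarder.example; s=seal2017; t=1512139000; b=AAAA
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=forwarder.example; s=seal2017; h=from:subject; bh=AAAA; b=AAAA
ARC-Authentication-Results: i=2; forwarder.example; arc=pass
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=lists.example; s=arc1; t=1512138000; b=AAAA
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=lists.example; s=arc1; h=from:subject; bh=AAAA; b=AAAA
ARC-Authentication-Results: i=1; lists.example; dkim=pass header.d=author.example
From: author@author.example
Subject: constructed sample

body
"""


def parse_tags(value):
    """Split a 'tag=value; tag=value' header body into a dict."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(val.split())
    return tags


def collect_arc_sets(raw_message):
    """Group ARC header fields by instance and reject malformed chains."""
    msg = message_from_string(raw_message)
    sets = defaultdict(dict)
    for field in ARC_FIELDS:
        for value in msg.get_all(field, []):
            m = re.match(r"\s*i\s*=\s*(\d+)\s*;", value)
            if not m:
                raise ValueError(f"{field} has no leading instance tag")
            i = int(m.group(1))
            if field in sets[i]:
                raise ValueError(f"duplicate {field} for i={i}")
            sets[i][field] = parse_tags(value)
    n = len(sets)
    if n > MAX_INSTANCES:
        raise ValueError("chain longer than the instance limit")
    if sorted(sets) != list(range(1, n + 1)):
        raise ValueError("instance numbers are not contiguous from 1")
    for i, fields in sets.items():
        if len(fields) != len(ARC_FIELDS):
            raise ValueError(f"ARC set i={i} is incomplete")
    return dict(sets)


def key_name(tags):
    """DNS owner name of the public key a signature or seal points at."""
    if "d" not in tags or "s" not in tags:
        raise ValueError("signature lacks d= or s=")
    return f"{tags['s']}._domainkey.{tags['d']}".lower()


def key_queries(sets, every_ams=False):
    """Names looked up, in validation order: AMS first, then seals N..1.

    every_ams=True models a receiver that also checks older message
    signatures instead of only the newest one.
    """
    if not sets:
        return []
    n = max(sets)
    ams_instances = range(n, 0, -1) if every_ams else [n]
    names = [key_name(sets[i]["ARC-Message-Signature"]) for i in ams_instances]
    names += [key_name(sets[i]["ARC-Seal"]) for i in range(n, 0, -1)]
    return names


def dns_cost(raw_message, every_ams=False):
    """Per-message lookup counts a receiver could log for the experiment."""
    sets = collect_arc_sets(raw_message)
    names = key_queries(sets, every_ams)
    return {
        "hops": len(sets),
        "without_cache": len(names),    # one TXT query per signature checked
        "with_cache": len(set(names)),  # distinct selector/domain pairs only
    }


if __name__ == "__main__":
    print(dns_cost(SAMPLE))
    print(dns_cost(SAMPLE, every_ams=True))
```

The gap between the two counts is what a resolver cache saves when the same sealer appears more than once in a chain, as a mailing list that handles a message twice would.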


From nobody Fri Dec  1 10:09:46 2017
MIME-Version: 1.0
Sender: kurta@drkurt.com
In-Reply-To: <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com>
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Fri, 1 Dec 2017 18:09:38 +0000
Message-ID: <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Seth Blank <seth@sethblank.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a113f240ea39515055f4b4587"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CHLnZ4BWeaD8t58jKvwZggRSwEE>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions

--001a113f240ea39515055f4b4587
Content-Type: text/plain; charset="UTF-8"

On Fri, Dec 1, 2017 at 7:38 AM, Murray S. Kucherawy <superuser@gmail.com>
wrote:

> . . . Or if we really want it in A-R, register it accordingly, independent
> of ARC.
>
> But if we want to do that last thing, I'd like to have some sort of
> discussion on the record for changing the scope of A-R, which is really
> what we're talking about here.  As I've said before, A-R's original purpose
> was to collect data about authentication work done at the ingress MTA that
> might be of interest to users or filters.  We've specifically kept things
> like IP addresses unregistered on the basis that your average human won't
> know whether to trust one string of octets over another, and there's a
> treatise in the appendix of RFC7601 and all of its predecessors that lays
> out why.  But that's the logic we applied eight years ago when RFC5451 was
> written.  If in the intervening time we've decided we want to repurpose it
> to carry arbitrary stuff that might be of benefit to filters and concede
> that users aren't the likely primary consumers as we intended, then we
> should probably do up an RFC7601bis that says so, and renovate the prose
> and registries accordingly.  I'll put the editing work in, but there has to
> be recorded consensus to back that move.
>

Where would you like to gather such a consensus? Is this DMARC-WG
sufficient or would you want input from a wider community?

I for one would be in favor of doing a 7601bis to reflect both the shift
from human to machine consumption for the AR as well as these other pieces
of information which are useful for machine analysis.

--Kurt

--001a113f240ea39515055f4b4587--


From nobody Fri Dec  1 11:32:19 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E5A1286B1 for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 11:32:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AAYNWu12VSWK for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 11:32:16 -0800 (PST)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2F57126CB6 for <dmarc@ietf.org>; Fri,  1 Dec 2017 11:32:15 -0800 (PST)
Received: by mail-qk0-x22d.google.com with SMTP id z203so14573014qkb.5 for <dmarc@ietf.org>; Fri, 01 Dec 2017 11:32:15 -0800 (PST)
X-Received: by 10.55.73.87 with SMTP id w84mr9628028qka.215.1512156734900; Fri, 01 Dec 2017 11:32:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.46.99 with HTTP; Fri, 1 Dec 2017 11:32:14 -0800 (PST)
In-Reply-To: <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com>
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com> <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 1 Dec 2017 11:32:14 -0800
Message-ID: <CAL0qLwY6UOR1JpyqNhV21pHa8jKPfpd6uUCafjTPA+=4CyGTvw@mail.gmail.com>
To: "Kurt Andersen (b)" <kboth@drkurt.com>
Cc: Seth Blank <seth@sethblank.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a114a7394074fc4055f4c6d72"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/IvJd__IY-xGeTBff85O850sVyy8>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 19:32:18 -0000

--001a114a7394074fc4055f4c6d72
Content-Type: text/plain; charset="UTF-8"

On Fri, Dec 1, 2017 at 10:09 AM, Kurt Andersen (b) <kboth@drkurt.com> wrote:

>
> Where would you like to gather such a consensus? Is this DMARC-WG
> sufficient or would you want input from a wider community?
>

Here's fine.  Or the ART list, or ietf-822.  Or really, anywhere the IETF
considers "on-the-record" in terms of recording consensus.

Let's start here.

-MSK

--001a114a7394074fc4055f4c6d72--


From nobody Fri Dec  1 11:53:03 2017
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5670F126CC4 for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 11:53:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qzzAjyCdQ2S6 for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 11:53:00 -0800 (PST)
Received: from mail-ot0-x22c.google.com (mail-ot0-x22c.google.com [IPv6:2607:f8b0:4003:c0f::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C90CB124D85 for <dmarc@ietf.org>; Fri,  1 Dec 2017 11:53:00 -0800 (PST)
Received: by mail-ot0-x22c.google.com with SMTP id j64so9974154otj.12 for <dmarc@ietf.org>; Fri, 01 Dec 2017 11:53:00 -0800 (PST)
X-Received: by 10.157.81.133 with SMTP id y5mr8450672otg.396.1512157979887; Fri, 01 Dec 2017 11:52:59 -0800 (PST)
Received: from ?IPv6:2600:1700:a3a0:870:c4e8:d795:bbab:6d47? ([2600:1700:a3a0:870:c4e8:d795:bbab:6d47]) by smtp.gmail.com with ESMTPSA id g23sm3026063oib.23.2017.12.01.11.52.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Dec 2017 11:52:58 -0800 (PST)
To: "Murray S. Kucherawy" <superuser@gmail.com>, "Kurt Andersen (b)" <kboth@drkurt.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>, Seth Blank <seth@sethblank.com>
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com> <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com> <CAL0qLwY6UOR1JpyqNhV21pHa8jKPfpd6uUCafjTPA+=4CyGTvw@mail.gmail.com>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <f4496ca9-2c0d-a134-6f43-2a5cb70998d3@gmail.com>
Date: Fri, 1 Dec 2017 11:52:55 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CAL0qLwY6UOR1JpyqNhV21pHa8jKPfpd6uUCafjTPA+=4CyGTvw@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/5Gq30KsIMxOB7KdFMBPQcmKuPqU>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions
X-List-Received-Date: Fri, 01 Dec 2017 19:53:02 -0000

On 12/1/2017 11:32 AM, Murray S. Kucherawy wrote:
> On Fri, Dec 1, 2017 at 10:09 AM, Kurt Andersen (b) <kboth@drkurt.com 
> <mailto:kboth@drkurt.com>> wrote:
> 
> 
>     Where would you like to gather such a consensus? Is this DMARC-WG
>     sufficient or would you want input from a wider community?
> 
> 
> Here's fine.  Or the ART list, or ietf-822.  Or really, anywhere the 
> IETF considers "on-the-record" in terms of recording consensus.

There really need to be two different questions.  The easy one is 'where 
should this later assessment be discussed?'.  Your answer suffices for 
that, IMO.

The more-difficult question is what the basis of analysis should be?  An 
inherent problem with "in this working group" or the like is just how 
small a sampling of the email industry it is.  It makes it too easy for 
the relatively few participants -- even with the best of intentions -- 
to make highly biased assessments.

So I suggest making a point of soliciting input from various fora, such 
as M3AAWG and the range of *NOG groups.  Anywhere else?

d/


-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net


From nobody Fri Dec  1 11:56:00 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B745127599 for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 11:55:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A-30yHv6O9Wr for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 11:55:57 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BA0C124D85 for <dmarc@ietf.org>; Fri,  1 Dec 2017 11:55:57 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id a71so14600860qkc.9 for <dmarc@ietf.org>; Fri, 01 Dec 2017 11:55:57 -0800 (PST)
X-Received: by 10.55.222.21 with SMTP id h21mr9573292qkj.324.1512158156612; Fri, 01 Dec 2017 11:55:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.50.196 with HTTP; Fri, 1 Dec 2017 11:55:56 -0800 (PST)
In-Reply-To: <f4496ca9-2c0d-a134-6f43-2a5cb70998d3@gmail.com>
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com> <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com> <CAL0qLwY6UOR1JpyqNhV21pHa8jKPfpd6uUCafjTPA+=4CyGTvw@mail.gmail.com> <f4496ca9-2c0d-a134-6f43-2a5cb70998d3@gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 1 Dec 2017 11:55:56 -0800
Message-ID: <CAL0qLwbSyU2QtDJ2Eaaj5HPbao7jTreZy5f9t7=6oZ9t3ru7_Q@mail.gmail.com>
To: Dave Crocker <dcrocker@gmail.com>
Cc: "Kurt Andersen (b)" <kboth@drkurt.com>, "dmarc@ietf.org" <dmarc@ietf.org>,  Seth Blank <seth@sethblank.com>
Content-Type: multipart/alternative; boundary="089e082de984c4eef6055f4cc146"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HRwANGQkLmLqY6yQRtPnrFSfDtQ>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions
X-List-Received-Date: Fri, 01 Dec 2017 19:55:59 -0000

--089e082de984c4eef6055f4cc146
Content-Type: text/plain; charset="UTF-8"

On Fri, Dec 1, 2017 at 11:52 AM, Dave Crocker <dcrocker@gmail.com> wrote:

> The more-difficult question is what the basis of analysis should be?  An
> inherent problem with "in this working group" or the like is just how small
> a sampling of the email industry it is.  It makes it too easy for the
> relatively few participants -- even with the best of intentions -- to make
> highly biased assessments.
>
> So I suggest making a point of soliciting input from various fora, such as
> M3AAWG and the range of *NOG groups.  Anywhere else?


The ones I mentioned as well, and I would say just mentioning once in all
of those places that the discussion is happening in here is sufficient as a
call for participants.  If nobody else comes, we know we're the only ones
that really care.

-MSK

--089e082de984c4eef6055f4cc146--


From nobody Fri Dec  1 12:40:06 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0D9B12704A for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 12:40:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w1EkjXa0ogBv for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 12:39:59 -0800 (PST)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19BAB128959 for <dmarc@ietf.org>; Fri,  1 Dec 2017 12:39:58 -0800 (PST)
Received: by mail-lf0-x232.google.com with SMTP id x204so13035520lfa.11 for <dmarc@ietf.org>; Fri, 01 Dec 2017 12:39:57 -0800 (PST)
X-Received: by 10.46.29.13 with SMTP id d13mr5355443ljd.8.1512160796185; Fri, 01 Dec 2017 12:39:56 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Fri, 1 Dec 2017 12:39:55 -0800 (PST)
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Fri, 1 Dec 2017 20:39:55 +0000
X-Google-Sender-Auth: L0Jws9h08aZIQPRdOizpa--zGoo
Message-ID: <CABuGu1rPy5WKQbSaS_f018cca1m6TPS+SbxmXO4Z_1CTCVbxkw@mail.gmail.com>
To: art@ietf.org, ietf-822@ietf.org, smtp@ietf.org,  "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c082cdc19aa4e055f4d5fcb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/REwF1yUQsDVLZdtfOH3lvskyIUg>
Subject: [dmarc-ietf] Proposal to invoke a 7601bis effort
X-List-Received-Date: Fri, 01 Dec 2017 20:40:01 -0000

--94eb2c082cdc19aa4e055f4d5fcb
Content-Type: text/plain; charset="UTF-8"

In the context of work that is happening in the DMARC-WG, some changes to
RFC7601 have been discussed which we think may merit a 'bis' effort to
revise 7601.

If you are interested or care, please join the DMARC WG where the detailed
discussion will be carried out.

(Apologies for the wide posting, but we wanted to reach a broad group of
potentially interested parties.)

--Kurt Andersen

--94eb2c082cdc19aa4e055f4d5fcb--


From nobody Fri Dec  1 12:46:06 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2163812704A for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 12:46:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jL6p1nUIaiAO for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 12:46:03 -0800 (PST)
Received: from mail-lf0-x22c.google.com (mail-lf0-x22c.google.com [IPv6:2a00:1450:4010:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0EFBD126CE8 for <dmarc@ietf.org>; Fri,  1 Dec 2017 12:46:03 -0800 (PST)
Received: by mail-lf0-x22c.google.com with SMTP id a12so13073297lfe.4 for <dmarc@ietf.org>; Fri, 01 Dec 2017 12:46:02 -0800 (PST)
X-Received: by 10.46.41.212 with SMTP id p81mr5356454ljp.173.1512161161059; Fri, 01 Dec 2017 12:46:01 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Fri, 1 Dec 2017 12:46:00 -0800 (PST)
In-Reply-To: <CAL0qLwbSyU2QtDJ2Eaaj5HPbao7jTreZy5f9t7=6oZ9t3ru7_Q@mail.gmail.com>
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com> <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com> <CAL0qLwY6UOR1JpyqNhV21pHa8jKPfpd6uUCafjTPA+=4CyGTvw@mail.gmail.com> <f4496ca9-2c0d-a134-6f43-2a5cb70998d3@gmail.com> <CAL0qLwbSyU2QtDJ2Eaaj5HPbao7jTreZy5f9t7=6oZ9t3ru7_Q@mail.gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Fri, 1 Dec 2017 20:46:00 +0000
X-Google-Sender-Auth: 402xkv83WDC5MzJX_QubGU5A2ck
Message-ID: <CABuGu1pRksvC2Qhv6QWRomEL_p=iRS0CCdYA1Lu_-zJHX1rHvQ@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Dave Crocker <dcrocker@gmail.com>, "dmarc@ietf.org" <dmarc@ietf.org>, Seth Blank <seth@sethblank.com>
Content-Type: multipart/alternative; boundary="001a114a60b8d946da055f4d74bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2ovRztAV0sJ8fyo5uoMzOADl5R4>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions
X-List-Received-Date: Fri, 01 Dec 2017 20:46:05 -0000

--001a114a60b8d946da055f4d74bd
Content-Type: text/plain; charset="UTF-8"

On Fri, Dec 1, 2017 at 7:55 PM, Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Fri, Dec 1, 2017 at 11:52 AM, Dave Crocker <dcrocker@gmail.com> wrote:
>
>> The more-difficult question is what the basis of analysis should be?  An
>> inherent problem with "in this working group" or the like is just how small
>> a sampling of the email industry it is.  It makes it too easy for the
>> relatively few participants -- even with the best of intentions -- to make
>> highly biased assessments.
>>
>> So I suggest making a point of soliciting input from various fora, such
>> as M3AAWG and the range of *NOG groups.  Anywhere else?
>
>
> The ones I mentioned as well, and I would say just mentioning once in all
> of those places that the discussion is happening in here is sufficient as a
> call for participants.  If nobody else comes, we know we're the only ones
> that really care.
>
> -MSK
>

I have just sent out a call for interest to ietf-smtp, art, and copied this
group. I also sent it to the technical and collaboration lists @ M3AAWG.

--Kurt

--001a114a60b8d946da055f4d74bd--


From nobody Fri Dec  1 14:09:03 2017
Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7C0D12922E for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 14:09:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lig8El7tBuHu for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 14:08:59 -0800 (PST)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC4D1128B88 for <dmarc@ietf.org>; Fri,  1 Dec 2017 14:08:59 -0800 (PST)
Received: by mail-it0-x233.google.com with SMTP id p139so4102366itb.1 for <dmarc@ietf.org>; Fri, 01 Dec 2017 14:08:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wjUQkDLgIrwj8drK6udUNqq7LibnV6VgEapOnoMB8HA=; b=NAJKSlIW0dP007HGAclO/xDsAe8z/worqt4f1reILkwYT+bHo1nkm72WJ6RynlryPn HV35bfBIK9iwMhEL8Rop4OMHnK/wsbiilqvIerSsGhaRI2gRcIQ/xVDqOX4Enp/FzLjO FLq75w+58Y5waPenLWp2FSobixeV5U/pFu+B1SFk7o/OinhS7RVfHgwsW45Nvq2lnKNe 1+ni76pmuJly35/YOzDx1oWgbKZ9G36c5cEFcqgUMj6cOCsdgj+cGhJAQXtw5THT3qM4 +9wu6AVRQzm/VbRaaFeVnmUpnsRzgFXwlNcRt2HsM/uS1tJ8lRjtlSSw7pUfCvXP6Q1a LYGg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wjUQkDLgIrwj8drK6udUNqq7LibnV6VgEapOnoMB8HA=; b=GdblKYsdYXdOp3jaoPPHu6hiYMH4C3XGi0gnxgSuNiYgU0J2y7EA2Mpx6oUqFWtXqQ Xk0Qm4Ddz4IuZo1npgxnsmhx/fwaLdAdtOohBWgpgt2L//UhdRAqtDi653j8eNXDx/PQ LIBeSjHg96M7W4ubKf1vYWuuJhzjbFj1zw9qodXkA6863h8qLhinvN2lZsQJx15KziVt Csx4YKhfo/Lar//hGEpcaNJhCUUkrqCrv7ug5m3fD5o158gASE9Sunb8SV1fu/2AGzle gGy6dmmj7EZq4ciYvKM65OUrnmleELR9mBa+bqp/OSrfcG1USGj/QmHJQzl1/a/7ppgi 4TIg==
X-Gm-Message-State: AJaThX6PgWjk4m5PZxUSXXh7Zt0gKox/mugPUMKSkaElNcq0DVM2J5xq TsJo70PymK+DTvppMnq6RS5mz60Y25ibCiYrgnE+
X-Google-Smtp-Source: AGs4zMZrTt8ufliFybsrsLYF2n7IQo1I8cI0ltFcO1Kn5kZ005z9sXKkNwo3i/bz9LYbfZxp3MvK+50gOCg4HpktHPE=
X-Received: by 10.36.81.82 with SMTP id s79mr3983466ita.144.1512166138824; Fri, 01 Dec 2017 14:08:58 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com> <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com>
In-Reply-To: <CABuGu1oeYicfTypRafiSuCaEcNABQgSF+2AQ5S5gjWWwpKDiLA@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Fri, 01 Dec 2017 22:08:47 +0000
Message-ID: <CABa8R6veYDG=MUCZ-kJCqWszckStph5g8nydudNcHJn5i5HBiA@mail.gmail.com>
To: "Kurt Andersen (b)" <kboth@drkurt.com>
Cc: "Murray S. Kucherawy" <superuser@gmail.com>, dmarc@ietf.org, Seth Blank <seth@sethblank.com>
Content-Type: multipart/alternative; boundary="001a113faf508c8a0f055f4e9dbe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/0UgoQohY0aw0McHFI3uZ811-718>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 22:09:02 -0000

--001a113faf508c8a0f055f4e9dbe
Content-Type: text/plain; charset="UTF-8"

On Fri, Dec 1, 2017 at 10:09 AM Kurt Andersen (b) <kboth@drkurt.com> wrote:

> On Fri, Dec 1, 2017 at 7:38 AM, Murray S. Kucherawy <superuser@gmail.com>
> wrote:
>
>> . . . Or if we really want it in A-R, register it accordingly,
>> independent of ARC.
>>
>> But if we want to do that last thing, I'd like to have some sort of
>> discussion on the record for changing the scope of A-R, which is really
>> what we're talking about here.  As I've said before, A-R's original purpose
>> was to collect data about authentication work done at the ingress MTA that
>> might be of interest to users or filters.  We've specifically kept things
>> like IP addresses unregistered on the basis that your average human won't
>> know whether to trust one string of octets over another, and there's a
>> treatise in the appendix of RFC7601 and all of its predecessors that lays
>> out why.  But that's the logic we applied eight years ago when RFC5451 was
>> written.  If in the intervening time we've decided we want to repurpose it
>> to carry arbitrary stuff that might be of benefit to filters and concede
>> that users aren't the likely primary consumers as we intended, then we
>> should probably do up an RFC7601bis that says so, and renovate the prose
>> and registries accordingly.  I'll put the editing work in, but there has to
>> be recorded consensus to back that move.
>>
>
> Where would you like to gather such a consensus? Is this DMARC-WG
> sufficient or would you want input from a wider community?
>
> I for one would be in favor of doing a 7601bis to reflect both the shift
> from human to machine consumption for the AR as well as these other pieces
> of information which are useful for machine analysis.
>

+1 to 7601bis on those terms.

Brandon

--001a113faf508c8a0f055f4e9dbe--


From nobody Fri Dec  1 14:11:04 2017
Return-Path: <blong@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A3601270A3 for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 14:11:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0lJZUn6hFlWG for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 14:11:00 -0800 (PST)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AF9B1292CE for <dmarc@ietf.org>; Fri,  1 Dec 2017 14:11:00 -0800 (PST)
Received: by mail-io0-x230.google.com with SMTP id d21so12826013ioe.7 for <dmarc@ietf.org>; Fri, 01 Dec 2017 14:11:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dT5KoFR7tp0BMCFDo4vlCx1IOeTYvP9HajRQx+aBPuE=; b=a58MosuiX9wKlXFoxr9jvtce9N0q189BFqFA/9wSp47hsqqemivfxwehyMlG26xqBg MDzQBf5hVkHbfl0G0gUQmyb4y9G3VubAYvqR1bxVoDSjnaNDODpMNM483KHohD0lmPrg fcA6a7uQNNQHAb2MS0qSJ2DN642csp3p0LapHluFzRm0/VI1KrKJlO1zsVVjabXGbjRY WsUqKuMp0vYSW9Fx/lGbHMjb/2Pv2VlKWzBYCEuZDGQzScCf4jXM5SiUTR1ZmMXqJVCZ WEHL/XTrjzPCNza8ScHi7UfEEyVi7Fjc0y9vzvHap5u5l4n1IjADAslqC44643oFwd6x +ZsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dT5KoFR7tp0BMCFDo4vlCx1IOeTYvP9HajRQx+aBPuE=; b=KbovQjXLbFNWUX/NZqij7Ni7rhrpxmXPWyrnR85d4Cb4Z5HCLUzJ0ngyGhr5u00qj3 a2wedubcOFruOL1US3h7UyhPQRUGgPAhb3H2wNY5Kgbc6uTXjB98XpESnlWdy5A0jEq3 eObZq4tF/2zUA5u4P5wN3ZLXtqYfQ72R1UlMu7GCpRx8A6j0/zXhKzwErg/s1KPZN8UF 7QTXJWIOvsBrQaEu9eBclF6fLjRNYNFtKP9gaw/YdeGjDIHR6w1MyGTfQU2MdOUb1EB3 b/tvVZiIiHnCBwaZv2zs7XWrZCOKiLfIJO97/x0NbbU4b1MZzCozXV7Dc8qLFu6P6ZNU 6bxw==
X-Gm-Message-State: AJaThX4wa449eWKOmapVqttHx+myx4hFqgULqRYnGVdkYGETZ5q8iel2 nq8Tku0Y5QK7MpHN/ZGl0yf4j5VeH634wMbfXBJ/tc4=
X-Google-Smtp-Source: AGs4zMZnv6gWFPzjGggcfo3LinHIPDMq4lu1d8GxpnuHNJ47p17seN3Vb9qYXqldo1XFbIImaH/JtaxO2z5M1HgmOdU=
X-Received: by 10.107.114.22 with SMTP id n22mr15623691ioc.166.1512166258998;  Fri, 01 Dec 2017 14:10:58 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com>
In-Reply-To: <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com>
From: Brandon Long <blong@google.com>
Date: Fri, 01 Dec 2017 22:10:47 +0000
Message-ID: <CABa8R6tGMH7CBN0HazZ0P8+=6kgOWGxz6jfMCDPn19hd9COkZw@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Seth Blank <seth@sethblank.com>, dmarc@ietf.org
Content-Type: multipart/alternative; boundary="089e0825f9b0b6647c055f4ea48e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Q3rVYwmt5TcaTtHyVFx8tm7QvBI>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 22:11:02 -0000

--089e0825f9b0b6647c055f4ea48e
Content-Type: text/plain; charset="UTF-8"

On Thu, Nov 30, 2017 at 11:38 PM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Tue, Sep 5, 2017 at 2:52 PM, Seth Blank <seth@sethblank.com> wrote:
>
>> Replace 5.1.1 with:
>>
>> 5.1.1. ptypes and properties for arc-info
>>
>> Certain information pertinent to ascertaining message disposition can be
>> lost in transit when messages are handled by intermediaries. For example,
>> failing DKIM signatures are sometimes removed by MTAs, and most DKIM
>> signature on messages modified by intermediaries will fail. Therefore, a
>> passing DKIM-Signature from the first ARC signer is likely to have been
>> removed by final receipt of the message.
>>
>> The AAR, and in particular the ptype-properties stamped in arc-info,
>> provide a mechanism for this information to survive transit.
>>
>> The ptypes and properties defined in this section SHOULD be stamped in
>> the AAR:
>>
>> * smtp.client_id - The connecting client IP address from which the
>> message is received;
>> * header.ds - The domain/selector pair for each dkim signature on the
>> message (header.ds=example.com,selector)
>> * arc.closest_fail - The hop number of the most recent AMS that fails to
>> validate, or 0 if all hops pass.
>>
>
> Why "client_id" instead of "client-ip"?  (it's an IP address, not some
> opaque identifier)
>

agreed on ip instead of id.

> Why "header.ds" and not "header.d" and "header.s"?  (why combine them?)
>

agreed on not combining things like this, sure string.split is easy and
all, but let's use the parsing/etc we already have.

Brandon

> Why "arc.closest_fail" and not "arc.closest-fail"?  (use a hyphen, to be
> consistent with other entries already in the registry)
>
> Unless someone wants to point me at the part of the spec that says
> otherwise, the IP address is utterly orthogonal to anything ARC is doing.
> I'd rather not shoe-horn it in here, even if DMARC operators might want
> it.  Rather, we should do a separate document (outside this WG if needed)
> that registers a header field for this, since there's been something like
> X-Original-IP in public use for years anyway, and then just require that it
> be signed or something.  Or if we really want it in A-R, register it
> accordingly, independent of ARC.
>
> But if we want to do that last thing, I'd like to have some sort of
> discussion on the record for changing the scope of A-R, which is really
> what we're talking about here.  As I've said before, A-R's original purpose
> was to collect data about authentication work done at the ingress MTA that
> might be of interest to users or filters.  We've specifically kept things
> like IP addresses unregistered on the basis that your average human won't
> know whether to trust one string of octets over another, and there's a
> treatise in the appendix of RFC7601 and all of its predecessors that lays
> out why.  But that's the logic we applied eight years ago when RFC5451 was
> written.  If in the intervening time we've decided we want to repurpose it
> to carry arbitrary stuff that might be of benefit to filters and concede
> that users aren't the likely primary consumers as we intended, then we
> should probably do up an RFC7601bis that says so, and renovate the prose
> and registries accordingly.  I'll put the editing work in, but there has to
> be recorded consensus to back that move.
>
> ===============
>>
>> Open questions:
>>
>> 1) The optimal ABNF for AAR would inherit the A-R payload ABNF from 7601.
>> Unfortunately, authres-header was defined in a way that makes this
>> difficult. Is there a better way to say that the AAR inherits the A-R
>> payload, and if anything modifies the definition of authres-header in 7601,
>> the AAR also needs to inherit this change?
>>
>> To be super specific, this is the current authres-header ABNF from 7601:
>>
>>      authres-header = "Authentication-Results:" [CFWS] authserv-id
>>               [ CFWS authres-version ]
>>               ( no-result / 1*resinfo ) [CFWS] CRLF
>>
>> Optimally, there would be:
>>
>>      authres-payload = [CFWS] authserv-id
>>               [ CFWS authres-version ]
>>               ( no-result / 1*resinfo ) [CFWS] CRLF
>>
>> And then we could have:
>>
>>    arc-authres-header = "ARC-Authentication-Results:" [CFWS] arc-info
>> authres-payload
>>
>
> That seems reasonable to me.
>
> 2) The optimal way to transmit DKIM selector information is in the DKIM
>> A-R methodspec as header.s. If we want to prevent a normative modification
>> of 7601, I've proposed "header.ds" which will accomplish the same thing.
>>
>
> Why the merge?
>
> 3) In the ARC-Seal megathread, there was an aside about knowing the last
>> hop which validated:
>>
>> On Mon, Aug 14, 2017 at 5:12 PM, Bron Gondwana <brong@fastmailteam.com>
>> wrote:
>> > That seems like it would be enough to fix that objection.  An
>> additional "first AMS failure" header at each hop would give you a list of
>> who actually modified the message.
>>
>> arc.closest_fail has been defined to accomplish this.
>>
>
> I'm not sure I like a hop number in here, which harkens back to Received
> counts.  I'd rather say it's an instance number, or better yet the sealing
> domain name.
>
> 4) Have the ptype-properties been defined properly, and will these AAR
>> ptype-properties need an IANA registry?
>>
>
> If we decide we want AAR separate from AR, then we also need to decide
> if AAR uses the AR registry (in which case all of this has to get mushed in
> with regular A-R stuff, but flagged "ARC use only" or something (ick), or
> we'll need our own registry (ugh).
>
> -MSK
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

--089e0825f9b0b6647c055f4ea48e--
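
Added example, not part of any message in this thread and not code from the draft or its authors: a minimal parser for the proposed ARC-Authentication-Results payload, showing that separate header.d / header.s properties fall out of an ordinary ptype.property parser while the merged header.ds needs a second, ad hoc split, and computing closest-fail as the draft text defines it. The property names are the thread's proposals, not registry entries; host names, selectors and results are constructed, and the parser handles only non-nested comments and unquoted values.

```python
import re

# Constructed payloads (the text after "ARC-Authentication-Results:").
# Property names are the ones proposed in this thread, used as assumptions.
SPLIT = ("i=2; mx.example.org; "
         "dkim=pass header.d=example.com header.s=sel1; "
         "dkim=fail (body changed) header.d=lists.example.net header.s=2017; "
         "arc=pass arc.closest-fail=0")
MERGED = ("i=2; mx.example.org; "
          "dkim=pass header.ds=example.com,sel1; "
          "dkim=fail header.ds=lists.example.net,2017; "
          "arc=pass arc.closest-fail=0")

_COMMENT = re.compile(r"\([^()]*\)")                      # non-nested comments
_RESULT = re.compile(r"^([a-z0-9-]+)=([a-z]+)$", re.I)    # method=result
_PROP = re.compile(r"^([a-z0-9-]+)\.([a-z0-9_-]+)=(.+)$", re.I)  # ptype.prop=value


def parse_payload(payload):
    """Return (instance, authserv_id, results) for an AAR-style payload.

    results is a list of {"method", "result", "props"} dicts, where props
    maps (ptype, property) to the raw value.
    """
    text = _COMMENT.sub(" ", payload)
    parts = [p.strip() for p in text.split(";") if p.strip()]
    instance = None
    if parts and re.fullmatch(r"i\s*=\s*\d+", parts[0]):
        instance = int(parts.pop(0).split("=")[1])
    if not parts:
        raise ValueError("missing authserv-id")
    authserv_id = parts.pop(0)
    results = []
    for part in parts:
        if part.lower() == "none":          # the "no-result" alternative
            continue
        tokens = part.split()
        head = _RESULT.match(tokens[0])
        if not head:
            raise ValueError("malformed resinfo: %r" % part)
        props = {}
        for token in tokens[1:]:
            m = _PROP.match(token)
            if m:
                props[(m.group(1).lower(), m.group(2).lower())] = m.group(3)
        results.append({"method": head.group(1).lower(),
                        "result": head.group(2).lower(),
                        "props": props})
    return instance, authserv_id, results


def dkim_signers(results):
    """Return [(result, domain, selector)] for every dkim resinfo."""
    signers = []
    for res in results:
        if res["method"] != "dkim":
            continue
        props = res["props"]
        if ("header", "d") in props:
            # Separate properties: the generic parser already did the work.
            signers.append((res["result"], props[("header", "d")],
                            props.get(("header", "s"))))
        elif ("header", "ds") in props:
            # Merged property: a second, property-specific split is needed,
            # with its own rules for a missing or empty selector.
            domain, _, selector = props[("header", "ds")].partition(",")
            signers.append((res["result"], domain, selector or None))
    return signers


def closest_fail(ams_results):
    """Highest ARC instance whose AMS did not validate, or 0 if all pass.

    ams_results maps instance number -> validation result string.
    """
    failing = [i for i, result in ams_results.items() if result != "pass"]
    return max(failing, default=0)


if __name__ == "__main__":
    for name, payload in (("split", SPLIT), ("merged", MERGED)):
        instance, authserv_id, results = parse_payload(payload)
        print(name, instance, authserv_id, dkim_signers(results))
    print(closest_fail({1: "pass", 2: "fail", 3: "pass"}))
```
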


From nobody Fri Dec  1 14:14:11 2017
Return-Path: <blong@fiction.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 970C912942F for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 14:14:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level: 
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eDMZMIJ5G-BC for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 14:14:06 -0800 (PST)
Received: from mail-io0-x230.google.com (mail-io0-x230.google.com [IPv6:2607:f8b0:4001:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 261BB129420 for <dmarc@ietf.org>; Fri,  1 Dec 2017 14:14:06 -0800 (PST)
Received: by mail-io0-x230.google.com with SMTP id q15so12849720ioh.2 for <dmarc@ietf.org>; Fri, 01 Dec 2017 14:14:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=M8rWnETzyml5gkRkO9oAk0y5m3JRoLHktgMWS0yFRkU=; b=CQuASEFs/59vWFhRWD0NmJf1hZVIqXVM4Uk9CQze9Tk6LrvKM0dMZXiI/6fJU10y+/ rAqWk0KNaMloSsPyAX5vfWfrN4KiLyn/677tyk1eVy7mKAOm7AQqWO/auHKu77t5L4NG PwuZVmXrS55R1kynZ5caoTFnmkSaf3PLQ6xF59c4ez+gktYXsxC6d9R0v7ECNnaPN1xA kKz7qzAUzRQwoSTLKtCgKhKz+Ig33azGUPr/yPeVSGGW5W9Jj+7TCCkXLrAejLr9aw0+ RsCmNt6+taifHTEe1GTWODluw3ncrv4bX0obZnD86ooi+QskGqpmwfQYUL8hEIs8yMxz L1hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=M8rWnETzyml5gkRkO9oAk0y5m3JRoLHktgMWS0yFRkU=; b=IHVxPfBcSY0R6lkaY9UdKpVjU+eTJtXqOGx5VpEm+kLMpkj7Qqd2vjd8ttzxXgKmSi rcR1gPcVazCbZydFwnhUU1P/lkZv3HMv0uf1nJO8gzwR8ALOPEGXjW8Pb/s6O/HZJ/7k b/R5mmOCc0MzT3vqfVQvlpHhk0G+8fdaFjtPw+rxPEi5PRWHHf0oUoL3NZgtckP35g6b /gfL26QCJvus5ZuYQwL+NqjAkioYtFzV+0FA9gKX0oqYxOnSECJLZzWiyl8ARqRCLPA+ uYbnqW1BrYLJ7qKkz51jLw1IzQPZWdE/iV9zqKG7cZFKC+obQgO+WKqVZ6KD7OIkP5q/ ruSw==
X-Gm-Message-State: AJaThX6Chh7mPsRU5XewT7Rn1l3LO1Yt9o4yoSVwe2QAKEeZo7zabppt WHi4xLXItseKefyjyMhEFBvkYhh5
X-Google-Smtp-Source: AGs4zMYxi3JER22h4vxQULNtc0QHiK8M4PQNimFAabs16qI9YRo5mJQ5zxXkmZQuBVD4keZzh5uGxA==
X-Received: by 10.107.43.16 with SMTP id r16mr14266038ior.172.1512166445405; Fri, 01 Dec 2017 14:14:05 -0800 (PST)
Received: from mail-io0-f175.google.com (mail-io0-f175.google.com. [209.85.223.175]) by smtp.gmail.com with ESMTPSA id v19sm1075355ite.4.2017.12.01.14.14.04 for <dmarc@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Dec 2017 14:14:04 -0800 (PST)
Received: by mail-io0-f175.google.com with SMTP id e204so12809847iof.12 for <dmarc@ietf.org>; Fri, 01 Dec 2017 14:14:04 -0800 (PST)
X-Received: by 10.107.205.69 with SMTP id d66mr15351683iog.254.1512166444201;  Fri, 01 Dec 2017 14:14:04 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WPHSz0LgtT4mjRNZkV3Ld32K0ODeGmn-ik_zxZ2Wr2Wvg@mail.gmail.com> <CAL0qLwZN80Pvc+8Cmg_DYqJqi4HpC5Pa=WO1EZbq9oLHDksq+w@mail.gmail.com> <CABa8R6tGMH7CBN0HazZ0P8+=6kgOWGxz6jfMCDPn19hd9COkZw@mail.gmail.com>
In-Reply-To: <CABa8R6tGMH7CBN0HazZ0P8+=6kgOWGxz6jfMCDPn19hd9COkZw@mail.gmail.com>
From: Brandon Long <blong@fiction.net>
Date: Fri, 01 Dec 2017 22:13:52 +0000
X-Gmail-Original-Message-ID: <CABa8R6u=sdQi1QcO6F-857=SeQgjp1xEc4hG=vvhojUvJBpZ+A@mail.gmail.com>
Message-ID: <CABa8R6u=sdQi1QcO6F-857=SeQgjp1xEc4hG=vvhojUvJBpZ+A@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: Seth Blank <seth@sethblank.com>, dmarc@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c188716c04057055f4eaf6d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Nzl-Tyd-TWEOyvkWX7mMEaa7vhM>
Subject: Re: [dmarc-ietf] ARC draft-08 updates to section 5.1 and WG questions
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 22:14:09 -0000

--94eb2c188716c04057055f4eaf6d
Content-Type: text/plain; charset="UTF-8"

And again from the right address, sigh.

Brandon


On Fri, Dec 1, 2017 at 2:10 PM Brandon Long <blong@google.com> wrote:

>
>
>
> On Thu, Nov 30, 2017 at 11:38 PM Murray S. Kucherawy <superuser@gmail.com>
> wrote:
>
>> On Tue, Sep 5, 2017 at 2:52 PM, Seth Blank <seth@sethblank.com> wrote:
>>
>>> Replace 5.1.1 with:
>>>
>>> 5.1.1. ptypes and properties for arc-info
>>>
>>> Certain information pertinent to ascertaining message disposition can be
>>> lost in transit when messages are handled by intermediaries. For example,
>>> failing DKIM signatures are sometimes removed by MTAs, and most DKIM
>>> signatures on messages modified by intermediaries will fail. Therefore, a
>>> passing DKIM-Signature from the first ARC signer is likely to have been
>>> removed by final receipt of the message.
>>>
>>> The AAR, and in particular the ptype-properties stamped in arc-info,
>>> provide a mechanism for this information to survive transit.
>>>
>>> The ptypes and properties defined in this section SHOULD be stamped in
>>> the AAR:
>>>
>>> * smtp.client_id - The connecting client IP address from which the
>>> message is received;
>>> * header.ds - The domain/selector pair for each dkim signature on the
>>> message (header.ds=example.com,selector)
>>> * arc.closest_fail - The hop number of the most recent AMS that fails to
>>> validate, or 0 if all hops pass.
>>>
>>
>> Why "client_id" instead of "client-ip"?  (it's an IP address, not some
>> opaque identifier)
>>
>
> agreed on ip instead of id.
>
>> Why "header.ds" and not "header.d" and "header.s"?  (why combine them?)
>>
>
> agreed on not combining things like this, sure string.split is easy and
> all, but let's use the parsing/etc we already have.
>
> Brandon
>
>> Why "arc.closest_fail" and not "arc.closest-fail"?  (use a hyphen, to be
>> consistent with other entries already in the registry)
>>
>> Unless someone wants to point me at the part of the spec that says
>> otherwise, the IP address is utterly orthogonal to anything ARC is doing.
>> I'd rather not shoe-horn it in here, even if DMARC operators might want
>> it.  Rather, we should do a separate document (outside this WG if needed)
>> that registers a header field for this, since there's been something like
>> X-Original-IP in public use for years anyway, and then just require that it
>> be signed or something.  Or if we really want it in A-R, register it
>> accordingly, independent of ARC.
>>
>> But if we want to do that last thing, I'd like to have some sort of
>> discussion on the record for changing the scope of A-R, which is really
>> what we're talking about here.  As I've said before, A-R's original purpose
>> was to collect data about authentication work done at the ingress MTA that
>> might be of interest to users or filters.  We've specifically kept things
>> like IP addresses unregistered on the basis that your average human won't
>> know whether to trust one string of octets over another, and there's a
>> treatise in the appendix of RFC7601 and all of its predecessors that lays
>> out why.  But that's the logic we applied eight years ago when RFC5451 was
>> written.  If in the intervening time we've decided we want to repurpose it
>> to carry arbitrary stuff that might be of benefit to filters and concede
>> that users aren't the likely primary consumers as we intended, then we
>> should probably do up an RFC7601bis that says so, and renovate the prose
>> and registries accordingly.  I'll put the editing work in, but there has to
>> be recorded consensus to back that move.
>>
>
+1 to 7601bis on Kurt's terms.


>
>>> ===============
>>>
>>> Open questions:
>>>
>>> 1) The optimal ABNF for AAR would inherit the A-R payload ABNF from
>>> 7601. Unfortunately, authres-header was defined in a way that makes this
>>> difficult. Is there a better way to say that the AAR inherits the A-R
>>> payload, and if anything modifies the definition of authres-header in 7601,
>>> the AAR also needs to inherit this change?
>>>
>>> To be super specific, this is the current authres-header ABNF from 7601:
>>>
>>>      authres-header = "Authentication-Results:" [CFWS] authserv-id
>>>               [ CFWS authres-version ]
>>>               ( no-result / 1*resinfo ) [CFWS] CRLF
>>>
>>> Optimally, there would be:
>>>
>>>      authres-payload = [CFWS] authserv-id
>>>               [ CFWS authres-version ]
>>>               ( no-result / 1*resinfo ) [CFWS] CRLF
>>>
>>> And then we could have:
>>>
>>>    arc-authres-header = "ARC-Authentication-Results:" [CFWS] arc-info
>>>               authres-payload
>>>
>>
>> That seems reasonable to me.
>>
>>> 2) The optimal way to transmit DKIM selector information is in the DKIM
>>> A-R methodspec as header.s. If we want to prevent a normative modification
>>> of 7601, I've proposed "header.ds" which will accomplish the same thing.
>>>
>>
>> Why the merge?
>>
>>> 3) In the ARC-Seal megathread, there was an aside about knowing the last
>>> hop which validated:
>>>
>>> On Mon, Aug 14, 2017 at 5:12 PM, Bron Gondwana <brong@fastmailteam.com>
>>> wrote:
>>> > That seems like it would be enough to fix that objection.  An
>>> > additional "first AMS failure" header at each hop would give you a list of
>>> > who actually modified the message.
>>>
>>> arc.closest_fail has been defined to accomplish this.
>>>
>>
>> I'm not sure I like a hop number in here, which harkens back to Received
>> counts.  I'd rather say it's an instance number, or better yet the sealing
>> domain name.
>>
>>> 4) Have the ptype-properties been defined properly, and will these AAR
>>> ptype-properties need an IANA registry?
>>>
>>
>> If we decide we want AAR separate from AR, then we also need to decide
>> if AAR uses the AR registry (in which case all of this has to get mushed in
>> with regular A-R stuff, but flagged "ARC use only" or something (ick), or
>> we'll need our own registry (ugh).
>>
>> -MSK
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>

--94eb2c188716c04057055f4eaf6d--
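
The header.d / header.s versus header.ds question raised in the message above, as an added example (not part of the thread, and not OpenARC's or any participant's code): a generic RFC 7601 propspec parser already yields separate header.d and header.s values, while the combined header.ds form needs a second, ad hoc split with its own error cases. Assumptions: arc-info is treated as just `i=<instance>;`, property values are plain tokens (no quoted strings), and all sample headers are constructed.

```python
import re

COMMENT = re.compile(r"\([^()]*\)")  # innermost RFC 5322 comment
# propspec per RFC 7601: ptype "." property "=" pvalue (token pvalues only here)
PROPSPEC = re.compile(r"^([a-z0-9-]+)\.([a-z0-9_-]+)=(\S+)$", re.IGNORECASE)

# Constructed sample headers (assumptions, not taken from the thread).
SAMPLE_SPLIT = (
    "ARC-Authentication-Results: i=2; mx.example.org;\r\n"
    " dkim=pass header.d=example.com header.s=sel1;\r\n"
    " dkim=fail (body hash mismatch) header.d=lists.example.net header.s=k2;\r\n"
    " spf=pass smtp.mailfrom=example.com;\r\n"
    " arc=pass arc.closest_fail=0\r\n"
)
SAMPLE_COMBINED = (
    "ARC-Authentication-Results: i=1; mx.example.org;"
    " dkim=pass header.ds=example.com,sel1\r\n"
)
SAMPLE_BAD_DS = (
    "ARC-Authentication-Results: i=1; mx.example.org;"
    " dkim=pass header.ds=example.com\r\n"
)


def strip_comments(text):
    """Remove comments, including nested ones, by peeling innermost pairs."""
    previous = None
    while previous != text:
        previous, text = text, COMMENT.sub(" ", text)
    return text


def parse_aar(header):
    """Return (instance, authserv_id, results) for one AAR header field."""
    name, _, body = header.partition(":")
    if name.strip().lower() != "arc-authentication-results":
        raise ValueError("not an ARC-Authentication-Results field")
    body = re.sub(r"\r?\n[ \t]+", " ", body)  # unfold continuation lines
    parts = [p.strip() for p in strip_comments(body).split(";")]
    parts = [p for p in parts if p]
    if len(parts) < 2:
        raise ValueError("missing instance or authserv-id")
    inst = re.fullmatch(r"i\s*=\s*(\d+)", parts[0])
    if inst is None:
        raise ValueError("first element must be i=<instance>")
    authserv_id = parts[1].split()[0]  # ignore an optional authres-version

    results = []
    for segment in parts[2:]:
        tokens = segment.split()
        if tokens == ["none"]:  # the no-result form
            continue
        method, eq, result = tokens[0].partition("=")
        if not eq or not method or not result:
            raise ValueError("bad methodspec: %r" % tokens[0])
        entry = {"method": method.lower(), "result": result.lower(),
                 "reason": None, "props": []}
        for tok in tokens[1:]:
            if tok.lower().startswith("reason="):
                entry["reason"] = tok[len("reason="):]
                continue
            m = PROPSPEC.match(tok)
            if m is None:
                raise ValueError("bad propspec: %r" % tok)
            entry["props"].append((m.group(1).lower(), m.group(2).lower(), m.group(3)))
        results.append(entry)
    return int(inst.group(1)), authserv_id, results


def dkim_signers(results):
    """List (result, domain, selector) for every dkim resinfo."""
    signers = []
    for r in results:
        if r["method"] != "dkim":
            continue
        props = {(pt, name): value for pt, name, value in r["props"]}
        if ("header", "ds") in props:
            # Combined form: a second parsing step the propspec grammar
            # knows nothing about, with failure modes of its own.
            domain, comma, selector = props[("header", "ds")].partition(",")
            if not comma or not domain or not selector or "," in selector:
                raise ValueError("header.ds must be <domain>,<selector>")
        else:
            # Split form: both values fall straight out of the propspec parse.
            domain = props.get(("header", "d"))
            selector = props.get(("header", "s"))
        signers.append((r["result"], domain, selector))
    return signers


if __name__ == "__main__":
    for sample in (SAMPLE_SPLIT, SAMPLE_COMBINED):
        instance, authserv, parsed = parse_aar(sample)
        print(instance, authserv, dkim_signers(parsed))
```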


From nobody Fri Dec  1 15:23:12 2017
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA29126CF6 for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 15:23:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id utokSEjTkaiL for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 15:23:09 -0800 (PST)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [208.43.65.50]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A424124234 for <dmarc@ietf.org>; Fri,  1 Dec 2017 15:23:09 -0800 (PST)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id C2AE3C401BB for <dmarc@ietf.org>; Fri,  1 Dec 2017 17:23:06 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1512170586; bh=4qG73MUcL9eNi9sGPf8YHcOESg13BMEeuDIrAS2W8Ro=; h=From:To:Subject:Date:In-Reply-To:References:From; b=MM628DGkhvIurStJaSnOPWltKat9miHFmGzhwHbXrKbgUxn6SHi2QQfaKCkTvIVsF 3z2FWCvTYRcGFQDqw0G+2WGuV/u1JClgf/eOduqs5ztsdBA2oCcMNcDaBB8Ky6KfnC Hc+ZOe2xInOFWMJ+rR4v9+r5AJOtQEFqt1OyTgAs=
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Fri, 01 Dec 2017 18:23:06 -0500
Message-ID: <1666507.niPtZfyClL@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-133-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <CABuGu1rPy5WKQbSaS_f018cca1m6TPS+SbxmXO4Z_1CTCVbxkw@mail.gmail.com>
References: <CABuGu1rPy5WKQbSaS_f018cca1m6TPS+SbxmXO4Z_1CTCVbxkw@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/MgaeGnxMaLgYwY6Z5wc89uGKnBw>
Subject: Re: [dmarc-ietf] Proposal to invoke a 7601bis effort
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Dec 2017 23:23:11 -0000

On Friday, December 01, 2017 08:39:55 PM Kurt Andersen wrote:
> In the context of work that is happening in the DMARC-WG, some changes to
> RFC7601 have been discussed which we think may merit a 'bis' effort to
> revise 7601.
> 
> If you are interested or care, please join the DMARC WG where the detailed
> discussion will be carried out.
> 
> (Apologies for the wide posting, but we wanted to reach a broad group of
> potentially interested parties.)
> 
> --Kurt Andersen

Isn't Dispatch ( https://datatracker.ietf.org/wg/dispatch/about/ ) the proper 
venue to discuss this (as the successor to appswg)?

Scott K


From nobody Fri Dec  1 21:24:00 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E3A8129459 for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 21:23:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9DE2DE3-xnkK for <dmarc@ietfa.amsl.com>; Fri,  1 Dec 2017 21:23:56 -0800 (PST)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3047F127698 for <dmarc@ietf.org>; Fri,  1 Dec 2017 21:23:56 -0800 (PST)
Received: by mail-qt0-x236.google.com with SMTP id i40so15633452qti.8 for <dmarc@ietf.org>; Fri, 01 Dec 2017 21:23:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=rg05JTyAbHkSN47xCoheCP60X7ftrPbT1/TfJ78j+rk=; b=tZudlm4AuznF0/3l12xFT1EFTm2qIrdg6lfSGIl6M0os07qfp9J+D/GmR2Ejv/Fi3I 2CY5HnuNXNwezhYzYA2h89EUDvMnAxrvdLaENm2cxmc7X8ZqtvCJg1yNLJJJZnTAcp3p vW1khNBjJI6txL+fRGaAZuMhT03bKJH1SxBjxF73WX/EMCGTjy8m/fUOsFdvq93v9tce w3Ykx2gSUkfSQIZgdVmT1SA2bSwJcK+5X3bmsoAb9jIXqA3RyKOwXkp/ziXqmeclYvNn RePbxuzDUKtOSzlYSZmnaoD2vIR20cHTEv7Tc/BOWUMvs9xCORLqkyOv8lxCLioMAaPd jGLw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=rg05JTyAbHkSN47xCoheCP60X7ftrPbT1/TfJ78j+rk=; b=GMqQyMFPGfYEiuRk/kwGXgjM9RIXqAZRGvAoi5tysik7aJ4jvC3hw2Tge9TrHcSFe1 5rI5mHeu8jPIF17xG1AtHYupIj8f6e56ruNbwZkuhRu/Ij+VuD+XDrkce9e0pRbzs/53 atZ634tdHojf8aGmo2e86hqhjsVa1F8qdh9NyQavU1P73aS14Uxx6g2mu+PmDRQXxAzo jZdZgJBnu7Za+Jdmdy6mvsq3SCCLP2UqIm7D2I4Ml5KgjYe6jHmQIfpJCLCf9yPQKtrb 4YcEYeMu6WY1sS6OIk27k/adGDrYpa8cFf3UJYjpndNPHU8ZxJ1CEdHBytBH6dOL7Dvu 0KGQ==
X-Gm-Message-State: AKGB3mImYv6q+sFllflTJmSR5mhHLhRK+p3Eluyed/c9yok0pdmAIVyj 0itnd4jn1KK+lorMffZwnGjUgbn3AoDn46zjX2DY2A==
X-Google-Smtp-Source: AGs4zMafH7oz+cVII9BapKCX2ZXu1EJ+GA3a94RITBfzaUUIrDzZtDz80vQBguAatPQcixWrI00OtwTmNs6zCBuK+QA=
X-Received: by 10.200.46.233 with SMTP id i38mr12998858qta.109.1512192235213;  Fri, 01 Dec 2017 21:23:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.50.196 with HTTP; Fri, 1 Dec 2017 21:23:54 -0800 (PST)
In-Reply-To: <1666507.niPtZfyClL@kitterma-e6430>
References: <CABuGu1rPy5WKQbSaS_f018cca1m6TPS+SbxmXO4Z_1CTCVbxkw@mail.gmail.com> <1666507.niPtZfyClL@kitterma-e6430>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 1 Dec 2017 21:23:54 -0800
Message-ID: <CAL0qLwb5R4Q0FL8FbF6TxRFy8GwvetVUr5gqzedSGzLTOeTzww@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a113b08de031966055f54b105"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nBP63yUI6SlDiNU1IHrpiiQ2Im0>
Subject: Re: [dmarc-ietf] Proposal to invoke a 7601bis effort
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Dec 2017 05:23:58 -0000

--001a113b08de031966055f54b105
Content-Type: text/plain; charset="UTF-8"

On Fri, Dec 1, 2017 at 3:23 PM, Scott Kitterman <sklist@kitterman.com>
wrote:

>
> Isn't Dispatch ( https://datatracker.ietf.org/wg/dispatch/about/ ) the
> proper
> venue to discuss this (as the successor to appswg)?
>

No; "art" is the right list for general ART area topics.  DISPATCH is the
right place to discuss work being started that's looking for a home; we
would recommend taking the work to an existing working group, forming a new
one (and helping with a charter), approaching an AD for sponsorship, taking
it to the Independent Submission Editor, or suggesting the work is not
appropriate for ART or the IETF.  We don't have new work that needs
dispatching right now.

-MSK (as a DISPATCH co-chair)

--001a113b08de031966055f54b105--


From nobody Thu Dec  7 12:31:13 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6059124B09 for <dmarc@ietfa.amsl.com>; Thu,  7 Dec 2017 12:31:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IylWwUcp70zK for <dmarc@ietfa.amsl.com>; Thu,  7 Dec 2017 12:31:08 -0800 (PST)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9B834127977 for <dmarc@ietf.org>; Thu,  7 Dec 2017 12:31:08 -0800 (PST)
Received: by mail-qt0-x22c.google.com with SMTP id g10so20870105qtj.12 for <dmarc@ietf.org>; Thu, 07 Dec 2017 12:31:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:from:date:message-id:subject:to; bh=Im2NgrEbuVYJyKyQk2/phZxQ27908yl5SLdIEE3Ozec=; b=G8TxEfG+gjqOF2X0B1D/bDY5UVRSVBzx2sQE+McnAHwHyZMUg5o5QEWiPOKBTebNZs MWi9YBlbszvNxYon3aFeMTtlEEXYGtv+RZO7qH5GqNYeXAaVqsiaDBh8IfCX19EyYgGX 8MkWmZ/CjiGyvQTzzEhIXryYLMufnNU9EGw3X+7pFaTSdLCOp8gAiOlX2pl1PjHzazx8 JOC93Jx2ninmDd9SrnimDbUj/uPBdaVYtQj/oIy03oU+BlzWmaJ8xRwGUlP8xRmmvjkQ So7uNijaTs8Ey8VpTfIR9rZisCcruNEVRz//gU4i4qGRQMAwLehrGKN73PSGB0p8YodH /Ybg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Im2NgrEbuVYJyKyQk2/phZxQ27908yl5SLdIEE3Ozec=; b=KU4A0hYmkSWdgM/lvgTYw7Ah8KUfvyuhM9pgFtq2uMFX5a4/6paWLeVsqBV4wmq+49 MuvAbY+4H6OtEhEWymMSOIrdTu2I7GCcEPIOQ9PwJy0dyaUFynpJFoIbYAl/W2pv3zGJ hERhWwrAdOpTEIKMY4DgvQgottBvqCV0O624FuakbIOkHxYzKkphFo//+HVAnA3bjSsW zwdueJ3EV+CQJ9HvmmIs/SYtfTm+N16te/baxkxIJ22izYzW/svLx3JhsJU9cvQT00hy NklgGO+Z8BZ7Duwm06f9Av+VxuiOiRPQuGAsgi0/hWuQza2nbLkR8V4VWoDC6luewwqC /xUw==
X-Gm-Message-State: AKGB3mLRCUi1eHPiqtmjmtboSsUf9/vTGpYVBIRlMKjxSrexdYx6ygWe gU8ZPG88hg+fH0dnHXR774w5eEfe8U+/Ze93y3t4cEuZ
X-Google-Smtp-Source: AGs4zMapUkJFmcEfWJ7bItKOl4qRV3BpdnKO725hwrKyyjQsx3ZXmrqDRt/XpdDE1lMgXpervcID6Yy+xfBa77zxOTU=
X-Received: by 10.237.53.172 with SMTP id c41mr11033713qte.191.1512678667189;  Thu, 07 Dec 2017 12:31:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.81 with HTTP; Thu, 7 Dec 2017 12:31:06 -0800 (PST)
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 7 Dec 2017 12:31:06 -0800
Message-ID: <CAL0qLwYZp+W1vrdoiwzw0Uwg-fdVnaq7xOhafXOAeNv+2e96vg@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a1130c1029e0313055fc5f2c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/94zTp1HeCDqxuJcuXa032KbvWYM>
Subject: [dmarc-ietf] OpenARC v0.1.0 available
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Dec 2017 20:31:11 -0000

--001a1130c1029e0313055fc5f2c0
Content-Type: text/plain; charset="UTF-8"

There's now an open source implementation of ARC available for download if
anyone wants to try practice rather than theory, and you can be an integral
part of the experiment.  Here's the release announcement.

--

The Trusted Domain Project is pleased to announce the availability of the
first alpha release of OpenARC.

This has been in development for a long while.  Our thanks go out to the
open source community that's already contributing patches.  The generous
support of volunteers is always inspiring!  A particular shout-out goes to
Seth Blank and ValiMail, as they have spent a great deal of time doing
in-person brainstorming, hacking, and issue tracking with us as we made
progress.

Development has focused mainly on getting the library and filter to a very
basic operational level.  Users familiar with our other packages will see a
stark contrast between the feature set of our more mature packages and this
one.  Also missing here is documentation of the library.  Before we go to a
1.0.0 release, we intend to have full library documentation available for
application developers, and after a shakedown in these alpha releases, a
more robust (but still hopefully relatively constrained) set of features to
make this useful in a variety of production environments.  Suggestions for
these are welcome.

Pull requests and use of the issue trackers on GitHub are the best way to
get attention on your issues or support for your questions.  The mailing
lists are also available for general discussion.

The release link: https://github.com/trusteddomainproject/OpenARC/releases

Again, thank you for your support!

-MSK, for TDP

--001a1130c1029e0313055fc5f2c0--


From nobody Wed Dec 13 11:10:58 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D69FF12778D for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:10:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=Kva8p4Je; dkim=pass (1536-bit key) header.d=taugh.com header.b=LOoa9FW1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yaESTsbgzDvq for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:10:56 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F082127735 for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:10:55 -0800 (PST)
Received: (qmail 73652 invoked from network); 13 Dec 2017 19:10:54 -0000
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 13 Dec 2017 19:10:54 -0000
Received: by ary.qy (Postfix, from userid 501) id 8B2D717EE13A; Wed, 13 Dec 2017 14:10:53 -0500 (EST)
Date: 13 Dec 2017 14:10:53 -0500
Message-Id: <20171213191054.8B2D717EE13A@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/n1Aktfdrnm2L5ZOCc6QFphIGoBE>
Subject: [dmarc-ietf] SHA1 and short keys, threat or menace
X-List-Received-Date: Wed, 13 Dec 2017 19:10:58 -0000

I am working on yet another ARC library and am wondering what to do
about SHA1 signatures and 512 bit keys.  The DCRUP working group has
sent a DKIM update to the RFC editor which finally kills SHA1 hashes
and RSA keys shorter than 1024 bits.  It's in the queue and will be
published when they get around to it, probably next month.

On the assumption that ARC signatures track DKIM, what should I do?
At the moment I have a "strict" option in the verifier which when set
rejects SHA1 hashes and short keys.  I suppose it should be on by
default, but a couple of the tests in the YANG test suite have SHA1
signatures.  There's also a test that 512 bit signatures are rejected,
so depending on the setting currently I can either fail the SHA1
signatures or I can fail the short key signature.

Suggestions?

Signed,
Uncertain

PS: Coming soon to DKIM, ed25519 signatures, but since the underlying
library code isn't in OpenSSL yet, I'm not yet worrying about it.
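
The "strict" verifier option described in the message above, sketched as an added example (not part of the thread and not code from any participant's library): it refuses rsa-sha1 signatures and RSA keys under 1024 bits by reading the a= tag and the modulus size from the key record's p= value. Function names, reason strings and the sample records are constructed for illustration; the p= value is assumed to be base64 DER, either SubjectPublicKeyInfo or a bare RSAPublicKey, and no cryptographic verification is performed.

```python
import base64

MIN_RSA_BITS = 1024                       # floor named in the thread
KNOWN_ALGS = {"rsa-sha1", "rsa-sha256"}
REJECTED_ALGS = {"rsa-sha1"}              # a= values refused in strict mode

def parse_tags(value):
    """Split a DKIM-style 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            name, val = part.split("=", 1)
            tags[name.strip()] = "".join(val.split())  # drop folding whitespace
    return tags

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def expect(buf, pos, want):
    """Read the element at pos and insist on its tag."""
    tag, start, end = read_tlv(buf, pos)
    if tag != want:
        raise ValueError("unexpected DER tag")
    return start, end

def rsa_modulus_bits(p_b64):
    """Bit length of the RSA modulus carried in a p= value."""
    der_bytes = base64.b64decode(p_b64, validate=True)
    start, _ = expect(der_bytes, 0, 0x30)                  # outer SEQUENCE
    if der_bytes[start] == 0x30:                           # SubjectPublicKeyInfo
        _, alg_end = expect(der_bytes, start, 0x30)        # AlgorithmIdentifier
        bits_start, _ = expect(der_bytes, alg_end, 0x03)   # BIT STRING
        if der_bytes[bits_start] != 0:
            raise ValueError("unexpected unused-bits count")
        start, _ = expect(der_bytes, bits_start + 1, 0x30) # RSAPublicKey
    mod_start, mod_end = expect(der_bytes, start, 0x02)    # modulus INTEGER
    return int.from_bytes(der_bytes[mod_start:mod_end], "big").bit_length()

def check_policy(sig_value, key_record, strict=True):
    """Return (accepted, reason). Policy only: the signature itself is not verified."""
    alg = parse_tags(sig_value).get("a", "").lower()
    if alg not in KNOWN_ALGS:
        return False, "unknown-alg"
    try:
        bits = rsa_modulus_bits(parse_tags(key_record).get("p", ""))
    except (ValueError, IndexError):      # bad base64, bad DER, empty p=
        return False, "bad-key"
    if strict and alg in REJECTED_ALGS:
        return False, "sha1-hash"
    if strict and bits < MIN_RSA_BITS:
        return False, "short-key"
    return True, "ok"

# --- constructed sample data below: not real keys or signatures ---
def der(tag, content):
    """Encode one DER element with a short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def der_int(value):
    """Encode a positive INTEGER (the extra byte keeps the sign bit clear)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def sample_key_record(bits, bare=False):
    """Key record whose modulus is an arbitrary odd number of the given size."""
    modulus = (1 << (bits - 1)) | 1
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    alg_id = der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    blob = rsa_pub if bare else der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(blob).decode()

SIG_SHA256 = "i=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; b=AAAA"
SIG_SHA1 = "i=1; a=rsa-sha1; c=relaxed/relaxed; d=example.org; s=sel1; b=AAAA"

if __name__ == "__main__":
    cases = [(SIG_SHA256, 2048), (SIG_SHA256, 1024), (SIG_SHA1, 2048), (SIG_SHA256, 512)]
    for sig, bits in cases:
        for strict in (True, False):
            print(parse_tags(sig)["a"], bits, "strict" if strict else "lax",
                  check_policy(sig, sample_key_record(bits), strict))
```

With strict on, the rsa-sha1 case and the 512-bit case are both refused, so a test suite that expects SHA1 signatures to pass and 512-bit keys to fail cannot be satisfied by a single setting of this switch.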


From nobody Wed Dec 13 11:37:17 2017
Return-Path: <peter.m.goldstein@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 483641275F4 for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:37:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jByayhR4QRJT for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:37:14 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9779B126FDC for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:37:13 -0800 (PST)
Received: by mail-lf0-x229.google.com with SMTP id a12so3980175lfe.4 for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:37:13 -0800 (PST)
X-Received: by 10.25.201.87 with SMTP id z84mr2183476lff.62.1513193831634; Wed, 13 Dec 2017 11:37:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.233.157 with HTTP; Wed, 13 Dec 2017 11:37:10 -0800 (PST)
In-Reply-To: <20171213191054.8B2D717EE13A@ary.qy>
References: <20171213191054.8B2D717EE13A@ary.qy>
From: "Peter M. Goldstein" <peter.m.goldstein@gmail.com>
Date: Wed, 13 Dec 2017 11:37:10 -0800
Message-ID: <CAErFxEmS=cSEh+u1dJVTTu0sgj_iK5OwQ45eVQRfUhwtGEs_0w@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114b9442cf9faa05603de4b2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/vqDQR5HL1ksHucWMxrRKv0LSgfc>
Subject: Re: [dmarc-ietf] SHA1 and short keys, threat or menace
X-List-Received-Date: Wed, 13 Dec 2017 19:37:16 -0000

--001a114b9442cf9faa05603de4b2
Content-Type: text/plain; charset="UTF-8"

So my thought here is that now that DCRUP is due imminently, we should
update the YANG test suite to reject SHA-1 hashes.

Thoughts?

Best,

Peter

On Wed, Dec 13, 2017 at 11:10 AM, John Levine <johnl@taugh.com> wrote:

> I am working on yet another ARC library and am wondering what to do
> about SHA1 signatures and 512 bit keys.  The DCRUP working group has
> sent a DKIM update to the RFC editor which finally kills SHA1 hashes
> and RSA keys shorter than 1024 bits.  It's in the queue and will be
> published when they get around to it, probably next month.
>
> On the assumption that ARC signatures track DKIM, what should I do?
> At the moment I have a "strict" option in the verifier which when set
> rejects SHA1 hashes and short keys.  I suppose it should be on by
> default, but a couple of the tests in the YANG test suite have SHA1
> signatures.  There's also a test that 512 bit signatures are rejected,
> so depending on the setting currently I can either fail the SHA1
> signatures or I can fail the short key signature.
>
> Suggestions?
>
> Signed,
> Uncertain
>
> PS: Coming soon to DKIM, ed25519 signatures, but since the underlying
> library code isn't in OpenSSL yet, I'm not yet worrying about it.
>

--001a114b9442cf9faa05603de4b2--


From nobody Wed Dec 13 11:40:59 2017
Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3288126E7A for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:40:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=VxEghabo; dkim=pass (1536-bit key) header.d=taugh.com header.b=iwFdriyq
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7QWEbDMtxVnL for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:40:56 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41072126FDC for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:40:56 -0800 (PST)
Received: (qmail 77941 invoked from network); 13 Dec 2017 19:40:55 -0000
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 13 Dec 2017 19:40:54 -0000
Date: 13 Dec 2017 14:40:54 -0500
Message-ID: <alpine.OSX.2.21.1712131439530.22742@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Peter M. Goldstein" <peter.m.goldstein@gmail.com>
Cc: dmarc@ietf.org
In-Reply-To: <CAErFxEmS=cSEh+u1dJVTTu0sgj_iK5OwQ45eVQRfUhwtGEs_0w@mail.gmail.com>
References: <20171213191054.8B2D717EE13A@ary.qy> <CAErFxEmS=cSEh+u1dJVTTu0sgj_iK5OwQ45eVQRfUhwtGEs_0w@mail.gmail.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mRJxvHrL8rT8D_GH1jUN04Yt1R8>
Subject: Re: [dmarc-ietf] SHA1 and short keys, threat or menace
X-List-Received-Date: Wed, 13 Dec 2017 19:40:58 -0000

> So my thought here is that now that DCRUP is due imminently, we should
> update the YANG test suite to reject SHA-1 hashes.
>
> Thoughts?

That's what I would do.  Given how new ARC is and the absence of legacy 
code, I don't see any reason to allow them.

R's,
John


From nobody Wed Dec 13 11:55:50 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A15941242F5 for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:55:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ngzz0rRDCtXH for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:55:45 -0800 (PST)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7658A12009C for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:55:45 -0800 (PST)
Received: by mail-lf0-x22d.google.com with SMTP id i2so4017760lfe.9 for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:55:45 -0800 (PST)
X-Received: by 10.46.91.75 with SMTP id p72mr2419882ljb.95.1513194943437; Wed, 13 Dec 2017 11:55:43 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Wed, 13 Dec 2017 11:55:42 -0800 (PST)
In-Reply-To: <alpine.OSX.2.21.1712131439530.22742@ary.qy>
References: <20171213191054.8B2D717EE13A@ary.qy> <CAErFxEmS=cSEh+u1dJVTTu0sgj_iK5OwQ45eVQRfUhwtGEs_0w@mail.gmail.com> <alpine.OSX.2.21.1712131439530.22742@ary.qy>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Wed, 13 Dec 2017 19:55:42 +0000
X-Google-Sender-Auth: FJXiQsrXUKcHZ7N6pKDvE7tkAOc
Message-ID: <CABuGu1oYNb-Lbi-mkbikH3ZOJd6LmL2e5XRK4G8hAL3VTdKaXA@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: "Peter M. Goldstein" <peter.m.goldstein@gmail.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a114c1d2214719605603e272c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7FDH_fQfALTXaftpGHzZILrrrqM>
Subject: Re: [dmarc-ietf] SHA1 and short keys, threat or menace
X-List-Received-Date: Wed, 13 Dec 2017 19:55:49 -0000

--001a114c1d2214719605603e272c
Content-Type: text/plain; charset="UTF-8"

On Wed, Dec 13, 2017 at 7:40 PM, John R Levine <johnl@taugh.com> wrote:

>> So my thought here is that now that DCRUP is due imminently, we should
>> update the YANG test suite to reject SHA-1 hashes.
>>
>> Thoughts?
>
> That's what I would do.  Given how new ARC is and the absence of legacy
> code, I don't see any reason to allow them.
>
> R's,
> John


I agree too. We had that debate about forcing the DCRUP "upleveling" by
writing it into the ARC spec but solved that problem by doing DCRUP
instead. No need to keep legacy support.

--Kurt

--001a114c1d2214719605603e272c--


From nobody Wed Dec 13 11:57:58 2017
Return-Path: <peter.m.goldstein@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06C7812009C for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:57:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cUeivYuhfdKT for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 11:57:55 -0800 (PST)
Received: from mail-lf0-x22a.google.com (mail-lf0-x22a.google.com [IPv6:2a00:1450:4010:c07::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D82BB1275F4 for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:57:54 -0800 (PST)
Received: by mail-lf0-x22a.google.com with SMTP id l81so4032417lfl.6 for <dmarc@ietf.org>; Wed, 13 Dec 2017 11:57:54 -0800 (PST)
X-Received: by 10.46.32.7 with SMTP id g7mr2096961ljg.49.1513195072863; Wed, 13 Dec 2017 11:57:52 -0800 (PST)
MIME-Version: 1.0
Received: by 10.25.233.157 with HTTP; Wed, 13 Dec 2017 11:57:52 -0800 (PST)
In-Reply-To: <CABuGu1oYNb-Lbi-mkbikH3ZOJd6LmL2e5XRK4G8hAL3VTdKaXA@mail.gmail.com>
References: <20171213191054.8B2D717EE13A@ary.qy> <CAErFxEmS=cSEh+u1dJVTTu0sgj_iK5OwQ45eVQRfUhwtGEs_0w@mail.gmail.com> <alpine.OSX.2.21.1712131439530.22742@ary.qy> <CABuGu1oYNb-Lbi-mkbikH3ZOJd6LmL2e5XRK4G8hAL3VTdKaXA@mail.gmail.com>
From: "Peter M. Goldstein" <peter.m.goldstein@gmail.com>
Date: Wed, 13 Dec 2017 11:57:52 -0800
Message-ID: <CAErFxEnT89vqK44iauC1_HeF=s3zKuJrV3kjLACZFjwEyi6JQQ@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a1142b9accb40a105603e2e61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/H-SEXBe1gNvNbAKtz6JqQJOa8Ow>
Subject: Re: [dmarc-ietf] SHA1 and short keys, threat or menace
X-List-Received-Date: Wed, 13 Dec 2017 19:57:57 -0000

--001a1142b9accb40a105603e2e61
Content-Type: text/plain; charset="UTF-8"

Great.  If there's group consensus I can take updating the test suite as an
action item.  Any objections?

Thanks.

Best,

Peter

On Wed, Dec 13, 2017 at 11:55 AM, Kurt Andersen (b) <kboth@drkurt.com>
wrote:

> On Wed, Dec 13, 2017 at 7:40 PM, John R Levine <johnl@taugh.com> wrote:
>
>>> So my thought here is that now that DCRUP is due imminently, we should
>>> update the YANG test suite to reject SHA-1 hashes.
>>>
>>> Thoughts?
>>
>> That's what I would do.  Given how new ARC is and the absence of legacy
>> code, I don't see any reason to allow them.
>>
>> R's,
>> John
>
>
> I agree too. We had that debate about forcing the DCRUP "upleveling" by
> writing it into the ARC spec but solved that problem by doing DCRUP
> instead. No need to keep legacy support.
>
> --Kurt
>

--001a1142b9accb40a105603e2e61--


From nobody Wed Dec 13 12:06:23 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EC65126D45 for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 12:06:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oO-0OCuVWDFV for <dmarc@ietfa.amsl.com>; Wed, 13 Dec 2017 12:06:20 -0800 (PST)
Received: from mail-lf0-x22d.google.com (mail-lf0-x22d.google.com [IPv6:2a00:1450:4010:c07::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B9B81241FC for <dmarc@ietf.org>; Wed, 13 Dec 2017 12:06:19 -0800 (PST)
Received: by mail-lf0-x22d.google.com with SMTP id r143so4044639lfe.13 for <dmarc@ietf.org>; Wed, 13 Dec 2017 12:06:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=QoOG5z9PpO3RudIG5SAoewX6vA5XJba/HkSQc5MXyjo=; b=DWjgRmP74LWz+2bsT6r9wAlC/BX67w86uZR15IRgfsiThL2X07edKHZNlwBd04Zy0a YJMhlkbOCdrU7wGe/SwjktPVK2mxLUFDXOAsh5QqUXrDFxj/pzNYE7jO+Eusm9icEOFU JZnsE67eDxYIXYLTfXKk6KLZAk+UOHw5VDhL4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=QoOG5z9PpO3RudIG5SAoewX6vA5XJba/HkSQc5MXyjo=; b=qr/IysW3dxIwUJnneQ5Ye7uvJBLQKFMzFaw180CXNI0fD9nj9OF/jQhDkFXOhNs+dl 7YFDmJeuFOpcq9J+xR1lrZbLM7woIPJmhFp/5/jqvmXdgIOt0AurYXL6XcqzJqnNoH4M m3TYcXHRR6cqVsGa9aVt21Gam8ZRUtKX/ipeec8jlkRDOz88jz2NZYlYdlSRfFuDxSP8 Vey8rMqzRayFlhLAn6fJ0FS8ZQywm/U+AXes+D9wie1frG7XMNxOE5tc2wufKRUg5Ud+ k/We2RUk+Vh3Fu3npyIXh70ASENqU3c/2O5m/7b4ALRQn7j9RvtWhdBqINUg/Kor1fRu ZEgA==
X-Gm-Message-State: AKGB3mJfUI/5EzloA0zrdEZBf+4BuT7W2Ox0Tba2b9WvsY0f5dNZTM4k 7+a2K0J0Lp/FMgWfxPsfnOqpZG9fjiNA3l3QnRkxRwly
X-Google-Smtp-Source: ACJfBosl2jurfJWXDCaP301p3AOA2LcSBkxvtJR+tk8GR68T2/YFymOi4mpv/Og3fajYlilydP0ZeuRk/ztxlLgmfRA=
X-Received: by 10.25.233.142 with SMTP id j14mr2117889lfk.101.1513195577734; Wed, 13 Dec 2017 12:06:17 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Wed, 13 Dec 2017 12:06:16 -0800 (PST)
In-Reply-To: <CAErFxEnT89vqK44iauC1_HeF=s3zKuJrV3kjLACZFjwEyi6JQQ@mail.gmail.com>
References: <20171213191054.8B2D717EE13A@ary.qy> <CAErFxEmS=cSEh+u1dJVTTu0sgj_iK5OwQ45eVQRfUhwtGEs_0w@mail.gmail.com> <alpine.OSX.2.21.1712131439530.22742@ary.qy> <CABuGu1oYNb-Lbi-mkbikH3ZOJd6LmL2e5XRK4G8hAL3VTdKaXA@mail.gmail.com> <CAErFxEnT89vqK44iauC1_HeF=s3zKuJrV3kjLACZFjwEyi6JQQ@mail.gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Wed, 13 Dec 2017 20:06:16 +0000
X-Google-Sender-Auth: zKMa2fWKdi9SkylRSsn7hW34Csw
Message-ID: <CABuGu1p-OnEWuT6Vi+6C1HgYwx7RT=Bitye=pU-LZgg6WUXu2g@mail.gmail.com>
To: "Peter M. Goldstein" <peter.m.goldstein@gmail.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a113c5a94e3119b05603e4cb8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/0oZr_8spOzeve4ufCL8g9YFn6sc>
Subject: Re: [dmarc-ietf] SHA1 and short keys, threat or menace
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2017 20:06:21 -0000

--001a113c5a94e3119b05603e4cb8
Content-Type: text/plain; charset="UTF-8"

On Wed, Dec 13, 2017 at 7:57 PM, Peter M. Goldstein <
peter.m.goldstein@gmail.com> wrote:

> Great.  If there's group consensus I can take updating the test suite as
> an action item.  Any objections?
>

Make it so :-)

--001a113c5a94e3119b05603e4cb8--


From nobody Fri Dec 15 13:30:12 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 595A6128D2E for <dmarc@ietfa.amsl.com>; Fri, 15 Dec 2017 13:30:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yyZMrGQAJcz4 for <dmarc@ietfa.amsl.com>; Fri, 15 Dec 2017 13:30:09 -0800 (PST)
Received: from mail-lf0-x236.google.com (mail-lf0-x236.google.com [IPv6:2a00:1450:4010:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64834124F57 for <dmarc@ietf.org>; Fri, 15 Dec 2017 13:30:09 -0800 (PST)
Received: by mail-lf0-x236.google.com with SMTP id i2so11892399lfe.9 for <dmarc@ietf.org>; Fri, 15 Dec 2017 13:30:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:from:date:message-id:subject:to; bh=qvGEK43wCKZ5lywSckCwGc4l2iuHSrtOtHauzm3X+6Y=; b=cWjl5meDZEMcdtVYaMllTCRXDOlEBm0q2Hjuhd5DOTZVMQQC1PEZOnH2RJjUmhaM18 Ab7nLFZC5LyXRKs03qZygCRM4kptKuNpR0kBEcSVfp5iOlvFF6l0ikSZAD28UeDCuwSl bv7frIFhdxXqEsh7rr8OxF4lPo0xJQ6DFrxmE=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=qvGEK43wCKZ5lywSckCwGc4l2iuHSrtOtHauzm3X+6Y=; b=P3I9CmYuuBdrkboq20R0bX1/ISuuxJeESG9LjY/kAjP3RGpo26F2KrvUAfRKdPGaGL wW5FqwroGVHDrN11xi7Yirh7SBdwi97yFgFjaKxpmq9An6Roac46q7Lb/9w+QffH7GPh 7HdLu6VMmoN6V/cI3ovRW21ZsnlWOmV0GmU/8KCNIYBDNzbXRIXY8ME00IibIrwglzp4 PjO5YP/7uTdZv31Z23togtcDgfNIfp5vGUZV783UdosQ0y/fvYwvwUBekaxyE3sC7qwK S72AWkxmin84lnUmSQ6WRrhOJWI2R3FJJue+SVPXDEmp4jhjmMjFJGhkNbO93gVPTc01 LbKg==
X-Gm-Message-State: AKGB3mIhr/m207pMmQk8Ol4HxDCqUqplJ8I6XQxHP87ikByoHxkh6wnn hqQCjKjTz0ncylgUXg/JCHcQqTuRessG+WKrZSLW8q8Q
X-Google-Smtp-Source: ACJfBovRl+n6fNd8/+FuoCmR20LQ7n0c+KHlfOtMJaUEzGpq9QUAuwnBeXCR5qeIzPZsBQOwKSW844WnqbQpZ5ZRX2E=
X-Received: by 10.46.22.15 with SMTP id w15mr6984031ljd.17.1513373407118; Fri, 15 Dec 2017 13:30:07 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Fri, 15 Dec 2017 13:30:06 -0800 (PST)
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Fri, 15 Dec 2017 21:30:06 +0000
X-Google-Sender-Auth: tSD1194v_EZH3qyu1Xhr_BGlTQ8
Message-ID: <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fc1b85820d5056067b466"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/x7f1RBxTkEbURIQKpUfZ-TFbLS8>
Subject: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 21:30:12 -0000

--f403045fc1b85820d5056067b466
Content-Type: text/plain; charset="UTF-8"

I know that there had been some very preliminary thoughts about protecting
the PSL domains themselves, but those never got very far (they were in the
context of the DBOUND WG).

I've heard from one of my contacts that country-level TLDs like gov.za are
being used for attacks and that there is not a particularly effective way
to protect against that or to protect against non-existent subdomains being
abused. (It's even worse if those public suffix level domains are being
used to send mail, but if they aren't, how do you protect it?)

Any ideas here?

--Kurt Andersen

--f403045fc1b85820d5056067b466--
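
The gap described in the message above, as an added example that is not part of the original post: a sketch of DMARC policy discovery as specified in RFC 7489 (query the From domain, then the organizational domain, which is the public suffix plus one label), run offline against constructed data. The three-entry suffix list, the `treasury.gov.za` and `no-such-dept.gov.za` names, the TXT record contents and all function names are assumptions for illustration.

```python
"""DMARC policy discovery (RFC 7489) when the parent is a public suffix.

All data here is constructed: a tiny suffix list and a fake TXT zone.
No DNS queries are made.
"""

# Constructed excerpt of a public suffix list. The real list also has
# wildcard and exception rules, which this sketch does not implement.
PUBLIC_SUFFIXES = {"za", "gov.za", "co.za"}

# Constructed TXT records keyed by owner name (assumed contents).
TXT = {
    "_dmarc.gov.za": ["v=DMARC1; p=reject; sp=reject"],
    "_dmarc.treasury.gov.za": ["v=DMARC1; p=quarantine"],
}


def public_suffix(domain):
    """Longest listed suffix of `domain`, falling back to the last label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def organizational_domain(domain):
    """Public suffix plus one label; a bare public suffix maps to itself."""
    domain = domain.lower().rstrip(".")
    suffix = public_suffix(domain)
    if domain == suffix:
        return domain
    remainder = domain[: -len(suffix) - 1].split(".")
    return remainder[-1] + "." + suffix


def parse_dmarc(record):
    """Return the tag dict of a DMARC record, or None if it is not one."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup(domain):
    """First valid DMARC record at _dmarc.<domain> in the constructed zone."""
    for txt in TXT.get("_dmarc." + domain, []):
        tags = parse_dmarc(txt)
        if tags:
            return tags
    return None


def discover_policy(from_domain):
    """Return (names queried, applicable policy or None) for a From domain."""
    from_domain = from_domain.lower().rstrip(".")
    queried = ["_dmarc." + from_domain]
    tags = lookup(from_domain)
    if tags:
        return queried, tags.get("p")
    org = organizational_domain(from_domain)
    if org != from_domain:
        queried.append("_dmarc." + org)
        tags = lookup(org)
        if tags:
            # For a subdomain of the organizational domain, sp= wins over p=.
            return queried, tags.get("sp", tags.get("p"))
    # No third query: the walk stops at the organizational domain, so a
    # record published at the public suffix itself is never consulted.
    return queried, None


if __name__ == "__main__":
    for name in ("gov.za", "payroll.treasury.gov.za", "no-such-dept.gov.za"):
        queried, policy = discover_policy(name)
        print(f"{name:26} queried={queried} policy={policy}")
```

With this data, a record at `_dmarc.gov.za` covers mail whose From domain is exactly `gov.za`, while `no-such-dept.gov.za` is its own organizational domain and ends with no policy at all.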


From nobody Sat Dec 16 10:32:40 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EBCE126CF9 for <dmarc@ietfa.amsl.com>; Sat, 16 Dec 2017 10:32:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.365
X-Spam-Level: 
X-Spam-Status: No, score=0.365 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, NUMERIC_HTTP_ADDR=1.242, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_HEX=1.122] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=C9uFHfff; dkim=pass (1536-bit key) header.d=taugh.com header.b=N6K9eXN7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7LJ5MjyWKC04 for <dmarc@ietfa.amsl.com>; Sat, 16 Dec 2017 10:32:30 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60B3812422F for <dmarc@ietf.org>; Sat, 16 Dec 2017 10:32:29 -0800 (PST)
Received: (qmail 29662 invoked from network); 16 Dec 2017 18:32:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=73db.5a3566bb.k1712; bh=Dspm8DqryMjgeNV2o2h/TWMLvCS6Ou6m/72Qf+wC7Z8=; b=C9uFHfffS9Q9YmMdpCel5S4/Wco/6yb9Fcpg8YeP+IuqKjvJwwBjL1vY9QwwndLJXR2CHcxSfa2SrvENSS39YMM0j/kWIDwA4zAN5+oJHxm5WkuyMOjkkf6/qbHpm1HEe7OMGlgW40G0GmWtJcJvPkYpVnrFV42dExl9R4wA+JJB9Gc8Su4+dCPBV6/vlSxde6Q4b98ztJwWeW8XdQmRe7V5pad1Wbc+vVllEX+ZUwIbJuAzGDaopu1IEbu1J4mp
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=73db.5a3566bb.k1712; bh=Dspm8DqryMjgeNV2o2h/TWMLvCS6Ou6m/72Qf+wC7Z8=; b=N6K9eXN7oT4rN9b4S1qT4vyWU0+FoUIK7eSad1lhot0u75rTZNWBpxnmmfIgq04HHSNH/Agmlrk9MrSFe6BypLzOrfwL5VHxSBa+SyDOipgvpgndoqYKAFiXKlbNsJa82l9hKoDiggtEUNEIx8tobZQ/PI8mbo49wDaKsyb9toMEu4/rziAapXDuIguR/Gz4+fPEQ7oT7t17HA6YXVsCppuEQRUt32F0SDdXdAYfQ3zx6BAQMF4t4QvMHElBZBIY
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 16 Dec 2017 18:32:27 -0000
Received: by ary.qy (Postfix, from userid 501) id 6BCDE180B57B; Sat, 16 Dec 2017 13:32:26 -0500 (EST)
Date: 16 Dec 2017 13:32:26 -0500
Message-Id: <20171216183227.6BCDE180B57B@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: kboth@drkurt.com
In-Reply-To: <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/qkK4fyW4h6FDSo1FH0t8Xfhf-DU>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Dec 2017 18:32:38 -0000

In article <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com> you write:
>I've heard from one of my contacts that country-level TLDs like gov.za are
>being used for attacks and that there is not a particularly effective way
>to protect against that or to protect against non-existent subdomains being
>abused. (It's even worse if those public suffix level domains are being
>used to send mail, but if they aren't, how do you protect it?)

I was about to say that surely nobody would be foolish enough to put a
name in the PSL that has live MX records and is used for mail.  Silly me.

The obvious response is that if they can publish A and MX and SPF
records for gov.za, which they do, they can publish DMARC, too.  It
also suggests that putting gov.za in the PSL was not a very good idea.

R's,
John


wpdevcloud.com: 10 mx2.cloudaccess.net.
cloudaccess.host: 10 mx2.cloudaccess.net.
cloudaccess.host: 5 mx1.cloudaccess.net.
freesite.host: 5 mx1.cloudaccess.net.
freesite.host: 10 mx2.cloudaccess.net.
cloudaccess.net: 10 aspmx2.googlemail.com.
cloudaccess.net: 5 alt1.aspmx.l.google.com.
cloudaccess.net: 10 aspmx3.googlemail.com.
cloudaccess.net: 1 aspmx.l.google.com.
cloudaccess.net: 10 aspmx5.googlemail.com.
cloudaccess.net: 5 alt2.aspmx.l.google.com.
cloudaccess.net: 10 aspmx4.googlemail.com.
cloudns.asia: 10 mailforward102.cloudns.net.
cloudns.asia: 5 mailforward101.cloudns.net.
cloudns.biz: 5 mailforward1.cloudns.net.
cloudns.biz: 10 mailforward2.cloudns.net.
cloudns.cc: 10 mailforward21.cloudns.net.
cloudns.eu: 5 mailforward1.cloudns.net.
cloudns.eu: 10 mailforward2.cloudns.net.
cloudns.in: 10 mailforward2.cloudns.net.
cloudns.in: 5 mailforward1.cloudns.net.
cloudns.info: 5 mailforward1.cloudns.net.
cloudns.info: 10 mailforward2.cloudns.net.
cloudns.org: 10 mailforward2.cloudns.net.
cloudns.org: 5 mailforward1.cloudns.net.
cloudns.us: 10 mailforward2.cloudns.net.
cloudns.us: 5 mailforward1.cloudns.net.
dyn.cosidns.de: 20 mailgate2.isp-cosimo.de.
dyn.cosidns.de: 10 mailgate1.isp-cosimo.de.
dynamisches-dns.de: 10 mailgate1.isp-cosimo.de.
dynamisches-dns.de: 20 mailgate2.isp-cosimo.de.
dnsupdater.de: 10 mailgate1.isp-cosimo.de.
dnsupdater.de: 20 mailgate2.isp-cosimo.de.
internet-dns.de: 20 mailgate2.isp-cosimo.de.
internet-dns.de: 10 mailgate1.isp-cosimo.de.
l-o-g-i-n.de: 20 mailgate2.isp-cosimo.de.
l-o-g-i-n.de: 10 mailgate1.isp-cosimo.de.
dynamic-dns.info: 10 mailgate1.isp-cosimo.de.
dynamic-dns.info: 20 mailgate2.isp-cosimo.de.
feste-ip.net: 10 mailgate1.isp-cosimo.de.
feste-ip.net: 20 mailgate2.isp-cosimo.de.
knx-server.net: 20 mailgate2.isp-cosimo.de.
knx-server.net: 10 mailgate1.isp-cosimo.de.
static-access.net: 20 mailgate2.isp-cosimo.de.
static-access.net: 10 mailgate1.isp-cosimo.de.
realm.cz: 10 mx.realm.cz.
cupcake.is: 10 in1.smtp.messagingengine.com.
cupcake.is: 20 in2.smtp.messagingengine.com.
daplie.me: 10 mxa.mailgun.org.
daplie.me: 10 mxb.mailgun.org.
debian.net: 10 muffat.debian.org.
debian.net: 10 mailly.debian.org.
dedyn.io: 10 mail.a4a.de.
dnshome.de: 10 freilandhaltung.gelitten.com.
dreamhosters.com: 0 mx1.sub5.homie.mail.dreamhost.com.
dreamhosters.com: 0 mx2.sub5.homie.mail.dreamhost.com.
mydrobo.com: 10 mon.b5p.us.
drud.io: 1 aspmx.l.google.com.
drud.io: 10 aspmx2.googlemail.com.
drud.io: 10 aspmx3.googlemail.com.
drud.io: 5 alt1.aspmx.l.google.com.
drud.io: 5 alt2.aspmx.l.google.com.
duckdns.org: 10 mx.duckdns.org.
dy.fi: 10 he.fi.
tunk.org: 10 offline.dy.fi.
dyndns-at-home.com: 10 mx1.mailhop.org.
dyndns-at-home.com: 20 mx2.mailhop.org.
dyndns-at-work.com: 20 mx2.mailhop.org.
dyndns-at-work.com: 10 mx1.mailhop.org.
dyndns-blog.com: 20 mx2.mailhop.org.
dyndns-blog.com: 10 mx1.mailhop.org.
dyndns-free.com: 20 mx2.mailhop.org.
dyndns-free.com: 10 mx1.mailhop.org.
dyndns-home.com: 20 mx2.mailhop.org.
dyndns-home.com: 10 mx1.mailhop.org.
dyndns-ip.com: 20 mx2.mailhop.org.
dyndns-ip.com: 10 mx1.mailhop.org.
dyndns-mail.com: 20 mx2.mailhop.org.
dyndns-mail.com: 10 mx1.mailhop.org.
dyndns-office.com: 10 mx1.mailhop.org.
dyndns-office.com: 20 mx2.mailhop.org.
dyndns-pics.com: 20 mx2.mailhop.org.
dyndns-pics.com: 10 mx1.mailhop.org.
dyndns-remote.com: 20 mx2.mailhop.org.
dyndns-remote.com: 10 mx1.mailhop.org.
dyndns-server.com: 20 mx2.mailhop.org.
dyndns-server.com: 10 mx1.mailhop.org.
dyndns-web.com: 10 mx1.mailhop.org.
dyndns-web.com: 20 mx2.mailhop.org.
dyndns-wiki.com: 10 mx1.mailhop.org.
dyndns-wiki.com: 20 mx2.mailhop.org.
dyndns-work.com: 10 mx1.mailhop.org.
dyndns-work.com: 20 mx2.mailhop.org.
dyndns.biz: 1 ASPMX.L.GOOGLE.COM.
dyndns.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
dyndns.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
dyndns.biz: 10 ASPMX2.GOOGLEMAIL.COM.
dyndns.biz: 10 ASPMX3.GOOGLEMAIL.COM.
dyndns.info: 10 ASPMX3.GOOGLEMAIL.COM.
dyndns.info: 10 ASPMX2.GOOGLEMAIL.COM.
dyndns.info: 1 ASPMX.L.GOOGLE.COM.
dyndns.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
dyndns.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
dyndns.org: 10 ASPMX2.GOOGLEMAIL.COM.
dyndns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dyndns.org: 1 ASPMX.L.GOOGLE.COM.
dyndns.org: 10 ASPMX3.GOOGLEMAIL.COM.
dyndns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
dyndns.tv: 5 ALT2.ASPMX.L.GOOGLE.COM.
dyndns.tv: 1 ASPMX.L.GOOGLE.COM.
dyndns.tv: 10 ASPMX3.GOOGLEMAIL.COM.
dyndns.tv: 10 ASPMX2.GOOGLEMAIL.COM.
dyndns.tv: 5 ALT1.ASPMX.L.GOOGLE.COM.
at-band-camp.net: 10 ASPMX2.GOOGLEMAIL.COM.
at-band-camp.net: 1 ASPMX.L.GOOGLE.COM.
at-band-camp.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
at-band-camp.net: 10 ASPMX3.GOOGLEMAIL.COM.
at-band-camp.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
ath.cx: 10 ASPMX3.GOOGLEMAIL.COM.
ath.cx: 10 ASPMX2.GOOGLEMAIL.COM.
ath.cx: 5 ALT1.ASPMX.L.GOOGLE.COM.
ath.cx: 5 ALT2.ASPMX.L.GOOGLE.COM.
ath.cx: 1 ASPMX.L.GOOGLE.COM.
barrel-of-knowledge.info: 10 ASPMX2.GOOGLEMAIL.COM.
barrel-of-knowledge.info: 10 ASPMX3.GOOGLEMAIL.COM.
barrel-of-knowledge.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
barrel-of-knowledge.info: 1 ASPMX.L.GOOGLE.COM.
barrel-of-knowledge.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
barrell-of-knowledge.info: 10 ASPMX2.GOOGLEMAIL.COM.
barrell-of-knowledge.info: 1 ASPMX.L.GOOGLE.COM.
barrell-of-knowledge.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
barrell-of-knowledge.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
barrell-of-knowledge.info: 10 ASPMX3.GOOGLEMAIL.COM.
better-than.tv: 5 ALT2.ASPMX.L.GOOGLE.COM.
better-than.tv: 10 ASPMX3.GOOGLEMAIL.COM.
better-than.tv: 5 ALT1.ASPMX.L.GOOGLE.COM.
better-than.tv: 1 ASPMX.L.GOOGLE.COM.
better-than.tv: 10 ASPMX2.GOOGLEMAIL.COM.
blogdns.com: 5 ALT1.ASPMX.L.GOOGLE.com.
blogdns.com: 5 ALT2.ASPMX.L.GOOGLE.com.
blogdns.com: 10 ASPMX2.GOOGLEMAIL.com.
blogdns.com: 1 ASPMX.L.GOOGLE.com.
blogdns.com: 10 ASPMX3.GOOGLEMAIL.com.
blogdns.net: 10 ASPMX3.GOOGLEMAIL.COM.
blogdns.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
blogdns.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
blogdns.net: 10 ASPMX2.GOOGLEMAIL.COM.
blogdns.net: 1 ASPMX.L.GOOGLE.COM.
blogdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
blogdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
blogdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
blogdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
blogdns.org: 1 ASPMX.L.GOOGLE.COM.
blogsite.org: 1 ASPMX.L.GOOGLE.COM.
blogsite.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
blogsite.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
blogsite.org: 10 ASPMX3.GOOGLEMAIL.COM.
blogsite.org: 10 ASPMX2.GOOGLEMAIL.COM.
boldlygoingnowhere.org: 10 ASPMX2.GOOGLEMAIL.COM.
boldlygoingnowhere.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
boldlygoingnowhere.org: 1 ASPMX.L.GOOGLE.COM.
boldlygoingnowhere.org: 10 ASPMX3.GOOGLEMAIL.COM.
boldlygoingnowhere.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
broke-it.net: 1 ASPMX.L.GOOGLE.COM.
broke-it.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
broke-it.net: 10 ASPMX3.GOOGLEMAIL.COM.
broke-it.net: 10 ASPMX2.GOOGLEMAIL.COM.
broke-it.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
buyshouses.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
buyshouses.net: 1 ASPMX.L.GOOGLE.COM.
buyshouses.net: 10 ASPMX2.GOOGLEMAIL.COM.
buyshouses.net: 10 ASPMX3.GOOGLEMAIL.COM.
buyshouses.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
cechire.com: 10 mx1.mailhop.org.
cechire.com: 20 mx2.mailhop.org.
dnsalias.com: 10 ASPMX2.GOOGLEMAIL.com.
dnsalias.com: 10 ASPMX3.GOOGLEMAIL.com.
dnsalias.com: 1 ASPMX.L.GOOGLE.com.
dnsalias.com: 5 ALT2.ASPMX.L.GOOGLE.com.
dnsalias.com: 5 ALT1.ASPMX.L.GOOGLE.com.
dnsalias.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
dnsalias.net: 1 ASPMX.L.GOOGLE.COM.
dnsalias.net: 10 ASPMX2.GOOGLEMAIL.COM.
dnsalias.net: 10 ASPMX3.GOOGLEMAIL.COM.
dnsalias.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
dnsalias.org: 10 ASPMX3.GOOGLEMAIL.COM.
dnsalias.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dnsalias.org: 10 ASPMX2.GOOGLEMAIL.COM.
dnsalias.org: 1 ASPMX.L.GOOGLE.COM.
dnsalias.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
dnsdojo.com: 5 ALT1.ASPMX.L.GOOGLE.com.
dnsdojo.com: 5 ALT2.ASPMX.L.GOOGLE.com.
dnsdojo.com: 10 ASPMX2.GOOGLEMAIL.com.
dnsdojo.com: 1 ASPMX.L.GOOGLE.com.
dnsdojo.com: 10 ASPMX3.GOOGLEMAIL.com.
dnsdojo.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
dnsdojo.net: 10 ASPMX2.GOOGLEMAIL.COM.
dnsdojo.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
dnsdojo.net: 10 ASPMX3.GOOGLEMAIL.COM.
dnsdojo.net: 1 ASPMX.L.GOOGLE.COM.
dnsdojo.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dnsdojo.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
dnsdojo.org: 10 ASPMX3.GOOGLEMAIL.COM.
dnsdojo.org: 1 ASPMX.L.GOOGLE.COM.
dnsdojo.org: 10 ASPMX2.GOOGLEMAIL.COM.
does-it.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
does-it.net: 10 ASPMX3.GOOGLEMAIL.COM.
does-it.net: 10 ASPMX2.GOOGLEMAIL.COM.
does-it.net: 1 ASPMX.L.GOOGLE.COM.
does-it.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
doesntexist.com: 1 ASPMX.L.GOOGLE.com.
doesntexist.com: 10 ASPMX3.GOOGLEMAIL.com.
doesntexist.com: 5 ALT2.ASPMX.L.GOOGLE.com.
doesntexist.com: 5 ALT1.ASPMX.L.GOOGLE.com.
doesntexist.com: 10 ASPMX2.GOOGLEMAIL.com.
doesntexist.org: 10 ASPMX2.GOOGLEMAIL.COM.
doesntexist.org: 10 ASPMX3.GOOGLEMAIL.COM.
doesntexist.org: 1 ASPMX.L.GOOGLE.COM.
doesntexist.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
doesntexist.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dontexist.com: 5 ALT1.ASPMX.L.GOOGLE.com.
dontexist.com: 5 ALT2.ASPMX.L.GOOGLE.com.
dontexist.com: 1 ASPMX.L.GOOGLE.com.
dontexist.com: 10 ASPMX3.GOOGLEMAIL.com.
dontexist.com: 10 ASPMX2.GOOGLEMAIL.com.
dontexist.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
dontexist.net: 1 ASPMX.L.GOOGLE.COM.
dontexist.net: 10 ASPMX3.GOOGLEMAIL.COM.
dontexist.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
dontexist.net: 10 ASPMX2.GOOGLEMAIL.COM.
dontexist.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
dontexist.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dontexist.org: 10 ASPMX2.GOOGLEMAIL.COM.
dontexist.org: 1 ASPMX.L.GOOGLE.COM.
dontexist.org: 10 ASPMX3.GOOGLEMAIL.COM.
doomdns.com: 5 ALT1.ASPMX.L.GOOGLE.com.
doomdns.com: 10 ASPMX3.GOOGLEMAIL.com.
doomdns.com: 10 ASPMX2.GOOGLEMAIL.com.
doomdns.com: 1 ASPMX.L.GOOGLE.com.
doomdns.com: 5 ALT2.ASPMX.L.GOOGLE.com.
doomdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
doomdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
doomdns.org: 1 ASPMX.L.GOOGLE.COM.
doomdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
doomdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dvrdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
dvrdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dvrdns.org: 1 ASPMX.L.GOOGLE.COM.
dvrdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
dvrdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
dyn-o-saur.com: 5 ALT2.ASPMX.L.GOOGLE.com.
dyn-o-saur.com: 10 ASPMX3.GOOGLEMAIL.com.
dyn-o-saur.com: 1 ASPMX.L.GOOGLE.com.
dyn-o-saur.com: 10 ASPMX2.GOOGLEMAIL.com.
dyn-o-saur.com: 5 ALT1.ASPMX.L.GOOGLE.com.
dynalias.com: 10 ASPMX2.GOOGLEMAIL.com.
dynalias.com: 10 ASPMX3.GOOGLEMAIL.com.
dynalias.com: 1 ASPMX.L.GOOGLE.com.
dynalias.com: 5 ALT2.ASPMX.L.GOOGLE.com.
dynalias.com: 5 ALT1.ASPMX.L.GOOGLE.com.
dynalias.net: 1 ASPMX.L.GOOGLE.COM.
dynalias.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
dynalias.net: 10 ASPMX3.GOOGLEMAIL.COM.
dynalias.net: 10 ASPMX2.GOOGLEMAIL.COM.
dynalias.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
dynalias.org: 10 ASPMX2.GOOGLEMAIL.COM.
dynalias.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
dynalias.org: 10 ASPMX3.GOOGLEMAIL.COM.
dynalias.org: 1 ASPMX.L.GOOGLE.COM.
dynalias.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
dynathome.net: 10 ASPMX3.GOOGLEMAIL.COM.
dynathome.net: 1 ASPMX.L.GOOGLE.COM.
dynathome.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
dynathome.net: 10 ASPMX2.GOOGLEMAIL.COM.
dynathome.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
dyndns.ws: 1 ASPMX.L.GOOGLE.COM.
dyndns.ws: 5 ALT2.ASPMX.L.GOOGLE.COM.
dyndns.ws: 10 ASPMX3.GOOGLEMAIL.COM.
dyndns.ws: 10 ASPMX2.GOOGLEMAIL.COM.
dyndns.ws: 5 ALT1.ASPMX.L.GOOGLE.COM.
endofinternet.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
endofinternet.net: 1 ASPMX.L.GOOGLE.COM.
endofinternet.net: 10 ASPMX2.GOOGLEMAIL.COM.
endofinternet.net: 10 ASPMX3.GOOGLEMAIL.COM.
endofinternet.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
endofinternet.org: 10 ASPMX3.GOOGLEMAIL.COM.
endofinternet.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
endofinternet.org: 1 ASPMX.L.GOOGLE.COM.
endofinternet.org: 10 ASPMX2.GOOGLEMAIL.COM.
endofinternet.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
endoftheinternet.org: 10 ASPMX3.GOOGLEMAIL.COM.
endoftheinternet.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
endoftheinternet.org: 1 ASPMX.L.GOOGLE.COM.
endoftheinternet.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
endoftheinternet.org: 10 ASPMX2.GOOGLEMAIL.COM.
est-a-la-maison.com: 5 ALT1.ASPMX.L.GOOGLE.com.
est-a-la-maison.com: 10 ASPMX2.GOOGLEMAIL.com.
est-a-la-maison.com: 1 ASPMX.L.GOOGLE.com.
est-a-la-maison.com: 5 ALT2.ASPMX.L.GOOGLE.com.
est-a-la-maison.com: 10 ASPMX3.GOOGLEMAIL.com.
est-a-la-masion.com: 20 mx2.mailhop.org.
est-a-la-masion.com: 10 mx1.mailhop.org.
est-le-patron.com: 20 mx2.mailhop.org.
est-le-patron.com: 10 mx1.mailhop.org.
est-mon-blogueur.com: 10 mx1.mailhop.org.
est-mon-blogueur.com: 20 mx2.mailhop.org.
for-better.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
for-better.biz: 10 ASPMX3.GOOGLEMAIL.COM.
for-better.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
for-better.biz: 1 ASPMX.L.GOOGLE.COM.
for-better.biz: 10 ASPMX2.GOOGLEMAIL.COM.
for-more.biz: 10 ASPMX3.GOOGLEMAIL.COM.
for-more.biz: 1 ASPMX.L.GOOGLE.COM.
for-more.biz: 10 ASPMX2.GOOGLEMAIL.COM.
for-more.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
for-more.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
for-our.info: 1 ASPMX.L.GOOGLE.COM.
for-our.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
for-our.info: 10 ASPMX2.GOOGLEMAIL.COM.
for-our.info: 10 ASPMX3.GOOGLEMAIL.COM.
for-our.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
for-some.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
for-some.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
for-some.biz: 10 ASPMX3.GOOGLEMAIL.COM.
for-some.biz: 10 ASPMX2.GOOGLEMAIL.COM.
for-some.biz: 1 ASPMX.L.GOOGLE.COM.
for-the.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
for-the.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
for-the.biz: 10 ASPMX3.GOOGLEMAIL.COM.
for-the.biz: 1 ASPMX.L.GOOGLE.COM.
for-the.biz: 10 ASPMX2.GOOGLEMAIL.COM.
forgot.her.name: 10 ASPMX3.GOOGLEMAIL.COM.
forgot.her.name: 10 ASPMX2.GOOGLEMAIL.COM.
forgot.her.name: 5 ALT1.ASPMX.L.GOOGLE.COM.
forgot.her.name: 1 ASPMX.L.GOOGLE.COM.
forgot.her.name: 5 ALT2.ASPMX.L.GOOGLE.COM.
forgot.his.name: 1 ASPMX.L.GOOGLE.COM.
forgot.his.name: 10 ASPMX2.GOOGLEMAIL.COM.
forgot.his.name: 10 ASPMX3.GOOGLEMAIL.COM.
forgot.his.name: 5 ALT1.ASPMX.L.GOOGLE.COM.
forgot.his.name: 5 ALT2.ASPMX.L.GOOGLE.COM.
from-ak.com: 1 ASPMX.L.GOOGLE.com.
from-ak.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ak.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ak.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ak.com: 10 ASPMX2.GOOGLEMAIL.com.
from-al.com: 1 ASPMX.L.GOOGLE.com.
from-al.com: 10 ASPMX3.GOOGLEMAIL.com.
from-al.com: 10 ASPMX2.GOOGLEMAIL.com.
from-al.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-al.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ar.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ar.com: 1 ASPMX.L.GOOGLE.com.
from-ar.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ar.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ar.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-az.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
from-az.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
from-az.net: 10 ASPMX2.GOOGLEMAIL.COM.
from-az.net: 10 ASPMX3.GOOGLEMAIL.COM.
from-az.net: 1 ASPMX.L.GOOGLE.COM.
from-ca.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ca.com: 1 ASPMX.L.GOOGLE.com.
from-ca.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ca.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ca.com: 10 ASPMX2.GOOGLEMAIL.com.
from-co.net: 10 ASPMX2.GOOGLEMAIL.COM.
from-co.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
from-co.net: 10 ASPMX3.GOOGLEMAIL.COM.
from-co.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
from-co.net: 1 ASPMX.L.GOOGLE.COM.
from-ct.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ct.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ct.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ct.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ct.com: 1 ASPMX.L.GOOGLE.com.
from-dc.com: 10 ASPMX3.GOOGLEMAIL.com.
from-dc.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-dc.com: 10 ASPMX2.GOOGLEMAIL.com.
from-dc.com: 1 ASPMX.L.GOOGLE.com.
from-dc.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-de.com: 10 ASPMX3.GOOGLEMAIL.com.
from-de.com: 1 ASPMX.L.GOOGLE.com.
from-de.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-de.com: 10 ASPMX2.GOOGLEMAIL.com.
from-de.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-fl.com: 10 ASPMX3.GOOGLEMAIL.com.
from-fl.com: 10 ASPMX2.GOOGLEMAIL.com.
from-fl.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-fl.com: 1 ASPMX.L.GOOGLE.com.
from-fl.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ga.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ga.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ga.com: 1 ASPMX.L.GOOGLE.com.
from-ga.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ga.com: 10 ASPMX2.GOOGLEMAIL.com.
from-hi.com: 10 ASPMX2.GOOGLEMAIL.com.
from-hi.com: 1 ASPMX.L.GOOGLE.com.
from-hi.com: 10 ASPMX3.GOOGLEMAIL.com.
from-hi.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-hi.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ia.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ia.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ia.com: 1 ASPMX.L.GOOGLE.com.
from-ia.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ia.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-id.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-id.com: 10 ASPMX3.GOOGLEMAIL.com.
from-id.com: 10 ASPMX2.GOOGLEMAIL.com.
from-id.com: 1 ASPMX.L.GOOGLE.com.
from-id.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-il.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-il.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-il.com: 1 ASPMX.L.GOOGLE.com.
from-il.com: 10 ASPMX2.GOOGLEMAIL.com.
from-il.com: 10 ASPMX3.GOOGLEMAIL.com.
from-in.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-in.com: 10 ASPMX2.GOOGLEMAIL.com.
from-in.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-in.com: 10 ASPMX3.GOOGLEMAIL.com.
from-in.com: 1 ASPMX.L.GOOGLE.com.
from-ks.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ks.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ks.com: 1 ASPMX.L.GOOGLE.com.
from-ks.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ks.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ky.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ky.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ky.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ky.com: 1 ASPMX.L.GOOGLE.com.
from-ky.com: 10 ASPMX3.GOOGLEMAIL.com.
from-la.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
from-la.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
from-la.net: 10 ASPMX2.GOOGLEMAIL.COM.
from-la.net: 10 ASPMX3.GOOGLEMAIL.COM.
from-la.net: 1 ASPMX.L.GOOGLE.COM.
from-ma.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ma.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ma.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ma.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ma.com: 1 ASPMX.L.GOOGLE.com.
from-md.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-md.com: 1 ASPMX.L.GOOGLE.com.
from-md.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-md.com: 10 ASPMX3.GOOGLEMAIL.com.
from-md.com: 10 ASPMX2.GOOGLEMAIL.com.
from-me.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
from-me.org: 10 ASPMX2.GOOGLEMAIL.COM.
from-me.org: 10 ASPMX3.GOOGLEMAIL.COM.
from-me.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
from-me.org: 1 ASPMX.L.GOOGLE.COM.
from-mi.com: 10 ASPMX3.GOOGLEMAIL.com.
from-mi.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-mi.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-mi.com: 1 ASPMX.L.GOOGLE.com.
from-mi.com: 10 ASPMX2.GOOGLEMAIL.com.
from-mn.com: 10 ASPMX3.GOOGLEMAIL.com.
from-mn.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-mn.com: 1 ASPMX.L.GOOGLE.com.
from-mn.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-mn.com: 10 ASPMX2.GOOGLEMAIL.com.
from-mo.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-mo.com: 10 ASPMX3.GOOGLEMAIL.com.
from-mo.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-mo.com: 10 ASPMX2.GOOGLEMAIL.com.
from-mo.com: 1 ASPMX.L.GOOGLE.com.
from-ms.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ms.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ms.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ms.com: 1 ASPMX.L.GOOGLE.com.
from-ms.com: 10 ASPMX2.GOOGLEMAIL.com.
from-mt.com: 1 ASPMX.L.GOOGLE.com.
from-mt.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-mt.com: 10 ASPMX2.GOOGLEMAIL.com.
from-mt.com: 10 ASPMX3.GOOGLEMAIL.com.
from-mt.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-nc.com: 1 ASPMX.L.GOOGLE.com.
from-nc.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-nc.com: 10 ASPMX3.GOOGLEMAIL.com.
from-nc.com: 10 ASPMX2.GOOGLEMAIL.com.
from-nc.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-nd.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-nd.com: 10 ASPMX2.GOOGLEMAIL.com.
from-nd.com: 1 ASPMX.L.GOOGLE.com.
from-nd.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-nd.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ne.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ne.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ne.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ne.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ne.com: 1 ASPMX.L.GOOGLE.com.
from-nh.com: 1 ASPMX.L.GOOGLE.com.
from-nh.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-nh.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-nh.com: 10 ASPMX2.GOOGLEMAIL.com.
from-nh.com: 10 ASPMX3.GOOGLEMAIL.com.
from-nj.com: 10 ASPMX3.GOOGLEMAIL.com.
from-nj.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-nj.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-nj.com: 10 ASPMX2.GOOGLEMAIL.com.
from-nj.com: 1 ASPMX.L.GOOGLE.com.
from-nm.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-nm.com: 10 ASPMX3.GOOGLEMAIL.com.
from-nm.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-nm.com: 1 ASPMX.L.GOOGLE.com.
from-nm.com: 10 ASPMX2.GOOGLEMAIL.com.
from-nv.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-nv.com: 10 ASPMX2.GOOGLEMAIL.com.
from-nv.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-nv.com: 1 ASPMX.L.GOOGLE.com.
from-nv.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ny.net: 10 ASPMX3.GOOGLEMAIL.COM.
from-ny.net: 10 ASPMX2.GOOGLEMAIL.COM.
from-ny.net: 1 ASPMX.L.GOOGLE.COM.
from-ny.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
from-ny.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
from-oh.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-oh.com: 10 ASPMX2.GOOGLEMAIL.com.
from-oh.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-oh.com: 1 ASPMX.L.GOOGLE.com.
from-oh.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ok.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ok.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ok.com: 1 ASPMX.L.GOOGLE.com.
from-ok.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ok.com: 10 ASPMX3.GOOGLEMAIL.com.
from-or.com: 10 ASPMX3.GOOGLEMAIL.com.
from-or.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-or.com: 1 ASPMX.L.GOOGLE.com.
from-or.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-or.com: 10 ASPMX2.GOOGLEMAIL.com.
from-pa.com: 1 ASPMX.L.GOOGLE.com.
from-pa.com: 10 ASPMX3.GOOGLEMAIL.com.
from-pa.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-pa.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-pa.com: 10 ASPMX2.GOOGLEMAIL.com.
from-pr.com: 10 ASPMX2.GOOGLEMAIL.com.
from-pr.com: 1 ASPMX.L.GOOGLE.com.
from-pr.com: 10 ASPMX3.GOOGLEMAIL.com.
from-pr.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-pr.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ri.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ri.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-ri.com: 1 ASPMX.L.GOOGLE.com.
from-ri.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ri.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-sc.com: 10 ASPMX2.GOOGLEMAIL.com.
from-sc.com: 1 ASPMX.L.GOOGLE.com.
from-sc.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-sc.com: 10 ASPMX3.GOOGLEMAIL.com.
from-sc.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-sd.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-sd.com: 10 ASPMX3.GOOGLEMAIL.com.
from-sd.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-sd.com: 10 ASPMX2.GOOGLEMAIL.com.
from-sd.com: 1 ASPMX.L.GOOGLE.com.
from-tn.com: 10 ASPMX2.GOOGLEMAIL.com.
from-tn.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-tn.com: 10 ASPMX3.GOOGLEMAIL.com.
from-tn.com: 1 ASPMX.L.GOOGLE.com.
from-tn.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-tx.com: 1 ASPMX.L.GOOGLE.com.
from-tx.com: 10 ASPMX2.GOOGLEMAIL.com.
from-tx.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-tx.com: 10 ASPMX3.GOOGLEMAIL.com.
from-tx.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ut.com: 10 ASPMX3.GOOGLEMAIL.com.
from-ut.com: 10 ASPMX2.GOOGLEMAIL.com.
from-ut.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-ut.com: 1 ASPMX.L.GOOGLE.com.
from-ut.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-va.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-va.com: 10 ASPMX2.GOOGLEMAIL.com.
from-va.com: 10 ASPMX3.GOOGLEMAIL.com.
from-va.com: 1 ASPMX.L.GOOGLE.com.
from-va.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-vt.com: 1 ASPMX.L.GOOGLE.com.
from-vt.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-vt.com: 10 ASPMX3.GOOGLEMAIL.com.
from-vt.com: 10 ASPMX2.GOOGLEMAIL.com.
from-vt.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-wa.com: 10 ASPMX3.GOOGLEMAIL.com.
from-wa.com: 10 ASPMX2.GOOGLEMAIL.com.
from-wa.com: 1 ASPMX.L.GOOGLE.com.
from-wa.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-wa.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-wi.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-wi.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-wi.com: 10 ASPMX3.GOOGLEMAIL.com.
from-wi.com: 10 ASPMX2.GOOGLEMAIL.com.
from-wi.com: 1 ASPMX.L.GOOGLE.com.
from-wv.com: 10 ASPMX3.GOOGLEMAIL.com.
from-wv.com: 5 ALT1.ASPMX.L.GOOGLE.com.
from-wv.com: 1 ASPMX.L.GOOGLE.com.
from-wv.com: 10 ASPMX2.GOOGLEMAIL.com.
from-wv.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-wy.com: 1 ASPMX.L.GOOGLE.com.
from-wy.com: 10 ASPMX3.GOOGLEMAIL.com.
from-wy.com: 5 ALT2.ASPMX.L.GOOGLE.com.
from-wy.com: 10 ASPMX2.GOOGLEMAIL.com.
from-wy.com: 5 ALT1.ASPMX.L.GOOGLE.com.
ftpaccess.cc: 10 ASPMX2.GOOGLEMAIL.COM.
ftpaccess.cc: 1 ASPMX.L.GOOGLE.COM.
ftpaccess.cc: 5 ALT1.ASPMX.L.GOOGLE.COM.
ftpaccess.cc: 10 ASPMX3.GOOGLEMAIL.COM.
ftpaccess.cc: 5 ALT2.ASPMX.L.GOOGLE.COM.
fuettertdasnetz.de: 20 mx2.mailhop.org.
fuettertdasnetz.de: 10 mx1.mailhop.org.
game-host.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
game-host.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
game-host.org: 1 ASPMX.L.GOOGLE.COM.
game-host.org: 10 ASPMX3.GOOGLEMAIL.COM.
game-host.org: 10 ASPMX2.GOOGLEMAIL.COM.
game-server.cc: 5 ALT1.ASPMX.L.GOOGLE.COM.
game-server.cc: 5 ALT2.ASPMX.L.GOOGLE.COM.
game-server.cc: 1 ASPMX.L.GOOGLE.COM.
game-server.cc: 10 ASPMX3.GOOGLEMAIL.COM.
game-server.cc: 10 ASPMX2.GOOGLEMAIL.COM.
getmyip.com: 5 ALT2.ASPMX.L.GOOGLE.com.
getmyip.com: 10 ASPMX2.GOOGLEMAIL.com.
getmyip.com: 5 ALT1.ASPMX.L.GOOGLE.com.
getmyip.com: 1 ASPMX.L.GOOGLE.com.
getmyip.com: 10 ASPMX3.GOOGLEMAIL.com.
gets-it.net: 1 ASPMX.L.GOOGLE.COM.
gets-it.net: 10 ASPMX2.GOOGLEMAIL.COM.
gets-it.net: 10 ASPMX3.GOOGLEMAIL.COM.
gets-it.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
gets-it.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
gotdns.com: 5 ALT1.ASPMX.L.GOOGLE.com.
gotdns.com: 5 ALT2.ASPMX.L.GOOGLE.com.
gotdns.com: 1 ASPMX.L.GOOGLE.com.
gotdns.com: 10 ASPMX3.GOOGLEMAIL.com.
gotdns.com: 10 ASPMX2.GOOGLEMAIL.com.
gotdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
gotdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
gotdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
gotdns.org: 1 ASPMX.L.GOOGLE.COM.
gotdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
groks-the.info: 10 ASPMX2.GOOGLEMAIL.COM.
groks-the.info: 1 ASPMX.L.GOOGLE.COM.
groks-the.info: 10 ASPMX3.GOOGLEMAIL.COM.
groks-the.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
groks-the.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
groks-this.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
groks-this.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
groks-this.info: 1 ASPMX.L.GOOGLE.COM.
groks-this.info: 10 ASPMX3.GOOGLEMAIL.COM.
groks-this.info: 10 ASPMX2.GOOGLEMAIL.COM.
ham-radio-op.net: 10 ASPMX3.GOOGLEMAIL.COM.
ham-radio-op.net: 1 ASPMX.L.GOOGLE.COM.
ham-radio-op.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
ham-radio-op.net: 10 ASPMX2.GOOGLEMAIL.COM.
ham-radio-op.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
here-for-more.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
here-for-more.info: 10 ASPMX2.GOOGLEMAIL.COM.
here-for-more.info: 10 ASPMX3.GOOGLEMAIL.COM.
here-for-more.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
here-for-more.info: 1 ASPMX.L.GOOGLE.COM.
hobby-site.com: 1 ASPMX.L.GOOGLE.com.
hobby-site.com: 10 ASPMX3.GOOGLEMAIL.com.
hobby-site.com: 5 ALT2.ASPMX.L.GOOGLE.com.
hobby-site.com: 10 ASPMX2.GOOGLEMAIL.com.
hobby-site.com: 5 ALT1.ASPMX.L.GOOGLE.com.
hobby-site.org: 10 ASPMX2.GOOGLEMAIL.COM.
hobby-site.org: 10 ASPMX3.GOOGLEMAIL.COM.
hobby-site.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
hobby-site.org: 1 ASPMX.L.GOOGLE.COM.
hobby-site.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
homedns.org: 10 ASPMX2.GOOGLEMAIL.COM.
homedns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
homedns.org: 1 ASPMX.L.GOOGLE.COM.
homedns.org: 10 ASPMX3.GOOGLEMAIL.COM.
homedns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
homeftp.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
homeftp.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
homeftp.net: 1 ASPMX.L.GOOGLE.COM.
homeftp.net: 10 ASPMX3.GOOGLEMAIL.COM.
homeftp.net: 10 ASPMX2.GOOGLEMAIL.COM.
homeftp.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
homeftp.org: 10 ASPMX2.GOOGLEMAIL.COM.
homeftp.org: 1 ASPMX.L.GOOGLE.COM.
homeftp.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
homeftp.org: 10 ASPMX3.GOOGLEMAIL.COM.
homeip.net: 10 ASPMX3.GOOGLEMAIL.COM.
homeip.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
homeip.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
homeip.net: 1 ASPMX.L.GOOGLE.COM.
homeip.net: 10 ASPMX2.GOOGLEMAIL.COM.
homelinux.com: 10 ASPMX3.GOOGLEMAIL.com.
homelinux.com: 10 ASPMX2.GOOGLEMAIL.com.
homelinux.com: 5 ALT1.ASPMX.L.GOOGLE.com.
homelinux.com: 1 ASPMX.L.GOOGLE.com.
homelinux.com: 5 ALT2.ASPMX.L.GOOGLE.com.
homelinux.net: 10 ASPMX3.GOOGLEMAIL.COM.
homelinux.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
homelinux.net: 1 ASPMX.L.GOOGLE.COM.
homelinux.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
homelinux.net: 10 ASPMX2.GOOGLEMAIL.COM.
homelinux.org: 10 ASPMX3.GOOGLEMAIL.COM.
homelinux.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
homelinux.org: 1 ASPMX.L.GOOGLE.COM.
homelinux.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
homelinux.org: 10 ASPMX2.GOOGLEMAIL.COM.
homeunix.com: 10 ASPMX2.GOOGLEMAIL.com.
homeunix.com: 10 ASPMX3.GOOGLEMAIL.com.
stufftoread.com: 5 mail1.no-ip.com.
stufftoread.com: 10 mail2.no-ip.com.
ufcfan.org: 5 mail.ufcfan.org.
unusualperson.com: 5 mail1.no-ip.com.
unusualperson.com: 10 mail2.no-ip.com.
workisboring.com: 5 mail1.no-ip.com.
workisboring.com: 10 mail2.no-ip.com.
ddns.net: 5 mail.ddns.net.
ddnsking.com: 5 mail1.no-ip.com.
ddnsking.com: 10 mail1.no-ip.com.
ddnsking.com: 15 mail2.no-ip.com.
gotdns.ch: 5 mail1.no-ip.com.
gotdns.ch: 10 mail2.no-ip.com.
hopto.org: 5 mail1.no-ip.com.
hopto.org: 10 mail2.no-ip.com.
myftp.biz: 5 mail1.no-ip.com.
myftp.biz: 10 mail2.no-ip.com.
myvnc.com: 5 mail1.no-ip.com.
myvnc.com: 10 mail2.no-ip.com.
no-ip.biz: 5 mail1.no-ip.com.
no-ip.biz: 10 mail2.no-ip.com.
no-ip.info: 5 mail1.no-ip.com.
no-ip.info: 10 mail2.no-ip.com.
no-ip.org: 5 mail1.no-ip.com.
no-ip.org: 10 mail2.no-ip.com.
noip.me: 5 mail1.no-ip.com.
noip.me: 10 mail2.no-ip.com.
redirectme.net: 5 mail1.no-ip.com.
redirectme.net: 10 mail2.no-ip.com.
servebeer.com: 5 mail1.no-ip.com.
servebeer.com: 10 mail2.no-ip.com.
serveblog.net: 10 mail2.no-ip.com.
servecounterstrike.com: 5 mail1.no-ip.com.
servecounterstrike.com: 10 mail2.no-ip.com.
serveftp.com: 5 mail1.no-ip.com.
serveftp.com: 10 mail2.no-ip.com.
servegame.com: 5 mail1.no-ip.com.
servegame.com: 10 mail2.no-ip.com.
servehalflife.com: 5 mail1.no-ip.com.
servehalflife.com: 10 mail2.no-ip.com.
serveirc.com: 5 mail1.no-ip.com.
serveirc.com: 10 mail2.no-ip.com.
serveminecraft.net: 5 mail.serveminecraft.net.
servepics.com: 5 mail1.no-ip.com.
servepics.com: 10 mail2.no-ip.com.
sytes.net: 10 mail2.no-ip.com.
webhop.me: 5 mail.webhop.me.
zapto.org: 5 mail1.no-ip.com.
zapto.org: 10 mail2.no-ip.com.
nodum.co: 10 alt3.aspmx.l.google.com.
nodum.co: 1 aspmx.l.google.com.
nodum.co: 10 alt4.aspmx.l.google.com.
nodum.co: 5 alt2.aspmx.l.google.com.
nodum.co: 5 alt1.aspmx.l.google.com.
nodum.io: 5 alt1.aspmx.l.google.com.
nodum.io: 1 aspmx.l.google.com.
nodum.io: 10 alt4.aspmx.l.google.com.
nodum.io: 5 alt2.aspmx.l.google.com.
nodum.io: 10 alt3.aspmx.l.google.com.
nid.io: 0 nid.io.
opencraft.hosting: 50 mail.plebia.org.
outsystemscloud.com: 10 relay2.outsystems.net.
ownprovider.com: 10 cloud.moennich.ownprovider.com.
oy.lc: 10 oy.lc.
pgfog.com: 1 aspmx.l.google.com.
pgfog.com: 5 alt1.aspmx.l.google.com.
pgfog.com: 5 alt2.aspmx.l.google.com.
pgfog.com: 10 aspmx2.googlemail.com.
pgfog.com: 10 aspmx3.googlemail.com.
pagefrontapp.com: 1 aspmx.l.google.com.
pagefrontapp.com: 10 aspmx2.googlemail.com.
pagefrontapp.com: 10 aspmx3.googlemail.com.
pagefrontapp.com: 5 alt1.aspmx.l.google.com.
pagefrontapp.com: 5 alt2.aspmx.l.google.com.
art.pl: 5 mail.net.icm.edu.pl.
gliwice.pl: 10 mx.silweb.pl.
krakow.pl: 5 mx4.cyf-kr.edu.pl.
poznan.pl: 1 aspmx.l.google.com.
zakopane.pl: 5 mx4.cyf-kr.edu.pl.
on-web.fr: 10 mx2.planet-work.com.
on-web.fr: 10 mx3.planet-work.com.
on-web.fr: 10 mx1.planet-work.com.
protonet.io: 15 eforward4.registrar-servers.com.
protonet.io: 10 eforward2.registrar-servers.com.
protonet.io: 10 eforward3.registrar-servers.com.
protonet.io: 10 eforward1.registrar-servers.com.
protonet.io: 20 eforward5.registrar-servers.com.
chirurgiens-dentistes-en-france.fr: 1 ASPMX.L.GOOGLE.COM.
chirurgiens-dentistes-en-france.fr: 3 ALT2.ASPMX.L.GOOGLE.COM.
chirurgiens-dentistes-en-france.fr: 5 ASPMX3.GOOGLEMAIL.COM.
chirurgiens-dentistes-en-france.fr: 5 ASPMX2.GOOGLEMAIL.COM.
chirurgiens-dentistes-en-france.fr: 3 ALT1.ASPMX.L.GOOGLE.COM.
byen.site: 3 ALT1.ASPMX.L.GOOGLE.COM.
byen.site: 1 ASPMX.L.GOOGLE.COM.
byen.site: 5 ASPMX3.GOOGLEMAIL.COM.
byen.site: 3 ALT2.ASPMX.L.GOOGLE.COM.
byen.site: 5 ASPMX2.GOOGLEMAIL.COM.
alpha-myqnapcloud.com: qcloud-alpha-fronted-841689676.us-east-1.elb.amazonaws.com.
myqnapcloud.com: aws-portal-1002075996.us-east-1.elb.amazonaws.com.
vapor.cloud: 1 aspmx.l.google.com.
vapor.cloud: 10 aspmx2.googlemail.com.
vapor.cloud: 10 aspmx3.googlemail.com.
vapor.cloud: 5 alt1.aspmx.l.google.com.
vapor.cloud: 5 alt2.aspmx.l.google.com.
rackmaze.com: 1 aspmx.l.google.com.
rackmaze.com: 10 aspmx2.googlemail.com.
rackmaze.com: 10 aspmx3.googlemail.com.
rackmaze.com: 10 aspmx4.googlemail.com.
rackmaze.com: 10 aspmx5.googlemail.com.
rackmaze.com: 5 alt1.aspmx.l.google.com.
rackmaze.com: 5 alt2.aspmx.l.google.com.
rhcloud.com: 10 use-mailrelay1.prod.rhcloud.com.
ptplus.fit: 20 mx1.123-reg.co.uk.
ptplus.fit: 10 mx0.123-reg.co.uk.
wellbeingzone.co.uk: 5 wellbeingzone-co-uk.mail.protection.outlook.com.
logoip.de: 10 mail.myshn.com.
logoip.com: 10 mail.myshn.com.
firewall-gateway.de: 10 mail.spdns.de.
spdns.de: 10 mx0.securepoint.de.
spdns.eu: 10 mail.spdns.eu.
firewall-gateway.net: 10 mail.spdns.de.
spdns.org: 10 mail.spdns.org.
biz.ua: 20 mx2.biz.ua.uadns.com.
biz.ua: 30 mx3.biz.ua.uadns.com.
biz.ua: 10 mx1.biz.ua.uadns.com.
co.ua: 30 mx3.co.ua.uadns.com.
co.ua: 10 mx1.co.ua.uadns.com.
co.ua: 20 mx2.co.ua.uadns.com.
pp.ua: 10 mx1.pp.ua.uadns.com.
pp.ua: 20 mx2.pp.ua.uadns.com.
pp.ua: 30 mx3.pp.ua.uadns.com.
myshopblocks.com: 20 mx2.improvmx.com.
myshopblocks.com: 10 mx1.improvmx.com.
static.land: 10 spool.mail.gandi.net.
static.land: 50 fb.mail.gandi.net.
apps.lair.io: mytikas.servers.lair.io.
storj.farm: 10 eforward1.registrar-servers.com.
storj.farm: 10 eforward3.registrar-servers.com.
storj.farm: 10 eforward2.registrar-servers.com.
storj.farm: 20 eforward5.registrar-servers.com.
storj.farm: 15 eforward4.registrar-servers.com.
temp-dns.com: 5 mx2.email-cluster.com.
temp-dns.com: 10 failover1.email-cluster.com.
temp-dns.com: 5 mx1.email-cluster.com.
gda.pl: 0 hmail.task.gda.pl.
gdansk.pl: 10 ASPMX2.GOOGLEMAIL.COM.
gdansk.pl: 1 ASPMX.L.GOOGLE.COM.
gdansk.pl: 10 ASPMX3.GOOGLEMAIL.COM.
gdansk.pl: 5 ALT2.ASPMX.L.GOOGLE.COM.
gdansk.pl: 5 ALT1.ASPMX.L.GOOGLE.COM.
gdynia.pl: 0 server.miasto.gdynia.pl.
med.pl: 1 hmail.task.gda.pl.
sopot.pl: 10 mx2.um.sopot.pl.
bloxcms.com: 10 mail.chicago2.vip.townnews.com.
lima-city.at: 10 mail.lima-city.de.
lima-city.ch: 10 mail.lima-city.de.
trafficplex.cloud: 0 mail.lima-city.de.
de.cool: 10 mail.lima-city.de.
lima-city.de: 10 mail.lima-city.de.
clan.rip: 10 mail.lima-city.de.
lima-city.rocks: 10 mail.lima-city.de.
webspace.rocks: 10 mail.lima-city.de.
lima.zone: 10 mail.lima-city.de.
tuxfamily.org: 10 mx1.tuxfamily.net.
tuxfamily.org: 15 mx2.tuxfamily.net.
uber.space: 0 mx01.mailproxy.uberspace.de.
uber.space: 0 mx02.mailproxy.uberspace.de.
hk.com: 10 mailme.hk.com.
lib.de.us: 20 mail.lib.de.us.
v-info.info: 0 v-info.info.
wmflabs.org: 50 mx2001.wikimedia.org.
wmflabs.org: 10 mx1001.wikimedia.org.
cistron.nl: 100 mx.cistron.nl.
cistron.nl: 50 primx.cistron.nl.
demon.nl: 0 .
xs4all.space: 100 mx3.xs4all.nl.
xs4all.space: 100 mx1.xs4all.nl.
xs4all.space: 100 mx4.xs4all.nl.
xs4all.space: 100 mx2.xs4all.nl.
za.net: 5 virt.plig.net.
za.org: 5 virt.plig.net.
-- 
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
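
Added example, not part of the message above or any participant's code: a sketch of RFC 7489 policy discovery (sections 3.2 and 6.6.3) showing which names a DMARC record published at gov.za would and would not cover. The PSL subset, the TXT table and all function names are assumptions made for illustration; the three sample lines are copied from the MX listing posted in this thread.

```python
"""DMARC policy discovery at and below a public-suffix-level name."""

# Constructed subset of the Public Suffix List: plain rules only. The real
# list also has wildcard ("*.") and exception ("!") rules, not handled here.
PSL = {"za", "gov.za", "com", "sa.com"}

# Lines in the "name: preference exchanger" format of the posted listing.
MX_DUMP = """\
gov.za: 100 mta.gov.za.
sa.com: 0 .
apps.lair.io: mytikas.servers.lair.io.
"""

# Constructed TXT data: assumes gov.za has published a DMARC record.
TXT = {"_dmarc.gov.za": "v=DMARC1; p=reject"}


def parse_mx_dump(text):
    """Return {name: [(preference, exchanger), ...]}.

    Lines without a numeric preference carry no MX data and are skipped.
    """
    mx = {}
    for line in text.splitlines():
        name, _, rdata = line.partition(": ")
        fields = rdata.split()
        if len(fields) != 2 or not fields[0].isdigit():
            continue
        mx.setdefault(name.lower(), []).append((int(fields[0]), fields[1].lower()))
    return mx


def accepts_mail(records):
    """A lone "0 ." is a null MX (RFC 7505): the name accepts no mail."""
    return bool(records) and records != [(0, ".")]


def organizational_domain(domain):
    """RFC 7489 section 3.2: longest matching public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # i == 0 tests the whole name first
        if ".".join(labels[i:]) in PSL:
            # When the name is itself a public suffix there is no extra label.
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unlisted TLD: PSL default rule "*"


def discover_policy(from_domain, txt=TXT):
    """Return (names queried, record or None) per RFC 7489 section 6.6.3."""
    from_domain = from_domain.lower().rstrip(".")
    queries = ["_dmarc." + from_domain]
    org = organizational_domain(from_domain)
    if org != from_domain:
        queries.append("_dmarc." + org)
    for i, name in enumerate(queries):
        record = txt.get(name, "")
        if record.startswith("v=DMARC1"):
            return queries[: i + 1], record
    return queries, None


if __name__ == "__main__":
    for name, records in parse_mx_dump(MX_DUMP).items():
        print(name, "accepts mail" if accepts_mail(records) else "null MX")
    for sender in ("gov.za", "nonexistent.gov.za", "mail.dept.gov.za"):
        queried, record = discover_policy(sender)
        print(sender, "->", queried, "=>", record or "no policy found")
```

Because the organizational domain stops one label below the public suffix, the record at _dmarc.gov.za is consulted only for mail whose From domain is exactly gov.za.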


From nobody Sat Dec 16 12:11:33 2017
From: Andrew Sullivan <ajs@crankycanuck.ca>
To: <dmarc@ietf.org>
Date: Sat, 16 Dec 2017 21:11:11 +0100
Message-ID: <16060f3af18.2772.9bc7627f4bf0daf95da66808f3dcb332@crankycanuck.ca>
In-Reply-To: <20171216183227.6BCDE180B57B@ary.qy>
References: <20171216183227.6BCDE180B57B@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/4elLziRsWUIZguPI5a3VpzrcR_Y>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>

But of course, it isn't necessarily the domain admin who puts things in the 
PSL, which has always been one of the problems with the PSL. It was why we 
set up the dbound WG.  Pity we couldn't get that to consensus.

A

-- 
Please excuse my clumbsy thums



----------
On December 16, 2017 7:32:48 PM "John Levine" <johnl@taugh.com> wrote:

> In article 
> <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com> you write:
>>I've heard from one of my contacts that country-level TLDs like gov.za are
>>being used for attacks and that there is not a particularly effective way
>>to protect against that or to protect against non-existent subdomains being
>>abused. (It's even worse if those public suffix level domains are being
>>used to send mail, but if they aren't, how do you protect it?)
>
> I was about to say that surely nobody would be foolish enough to put a
> name in the PSL that has live MX records and is used for mail.  Silly me.
>
> The obvious response is that if they can publish A and MX and SPF
> records for gov.za, which they do, they can publish DMARC, too.  It
> also suggests that putting gov.za in the PSL was not a very good idea.
>
> R's,
> John
>
>
> dreamhosters.com: 0 mx1.sub5.homie.mail.dreamhost.com.
> dreamhosters.com: 0 mx2.sub5.homie.mail.dreamhost.com.
> mydrobo.com: 10 mon.b5p.us.
> drud.io: 1 aspmx.l.google.com.
> drud.io: 10 aspmx2.googlemail.com.
> drud.io: 10 aspmx3.googlemail.com.
> drud.io: 5 alt1.aspmx.l.google.com.
> drud.io: 5 alt2.aspmx.l.google.com.
> duckdns.org: 10 mx.duckdns.org.
> dy.fi: 10 he.fi.
> tunk.org: 10 offline.dy.fi.
> dyndns-at-home.com: 10 mx1.mailhop.org.
> dyndns-at-home.com: 20 mx2.mailhop.org.
> dyndns-at-work.com: 20 mx2.mailhop.org.
> dyndns-at-work.com: 10 mx1.mailhop.org.
> dyndns-blog.com: 20 mx2.mailhop.org.
> dyndns-blog.com: 10 mx1.mailhop.org.
> dyndns-free.com: 20 mx2.mailhop.org.
> dyndns-free.com: 10 mx1.mailhop.org.
> dyndns-home.com: 20 mx2.mailhop.org.
> dyndns-home.com: 10 mx1.mailhop.org.
> dyndns-ip.com: 20 mx2.mailhop.org.
> dyndns-ip.com: 10 mx1.mailhop.org.
> dyndns-mail.com: 20 mx2.mailhop.org.
> dyndns-mail.com: 10 mx1.mailhop.org.
> dyndns-office.com: 10 mx1.mailhop.org.
> dyndns-office.com: 20 mx2.mailhop.org.
> dyndns-pics.com: 20 mx2.mailhop.org.
> dyndns-pics.com: 10 mx1.mailhop.org.
> dyndns-remote.com: 20 mx2.mailhop.org.
> dyndns-remote.com: 10 mx1.mailhop.org.
> dyndns-server.com: 20 mx2.mailhop.org.
> dyndns-server.com: 10 mx1.mailhop.org.
> dyndns-web.com: 10 mx1.mailhop.org.
> dyndns-web.com: 20 mx2.mailhop.org.
> dyndns-wiki.com: 10 mx1.mailhop.org.
> dyndns-wiki.com: 20 mx2.mailhop.org.
> dyndns-work.com: 10 mx1.mailhop.org.
> dyndns-work.com: 20 mx2.mailhop.org.
> dyndns.biz: 1 ASPMX.L.GOOGLE.COM.
> dyndns.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dyndns.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dyndns.biz: 10 ASPMX2.GOOGLEMAIL.COM.
> dyndns.biz: 10 ASPMX3.GOOGLEMAIL.COM.
> dyndns.info: 10 ASPMX3.GOOGLEMAIL.COM.
> dyndns.info: 10 ASPMX2.GOOGLEMAIL.COM.
> dyndns.info: 1 ASPMX.L.GOOGLE.COM.
> dyndns.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dyndns.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dyndns.org: 10 ASPMX2.GOOGLEMAIL.COM.
> dyndns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dyndns.org: 1 ASPMX.L.GOOGLE.COM.
> dyndns.org: 10 ASPMX3.GOOGLEMAIL.COM.
> dyndns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dyndns.tv: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dyndns.tv: 1 ASPMX.L.GOOGLE.COM.
> dyndns.tv: 10 ASPMX3.GOOGLEMAIL.COM.
> dyndns.tv: 10 ASPMX2.GOOGLEMAIL.COM.
> dyndns.tv: 5 ALT1.ASPMX.L.GOOGLE.COM.
> at-band-camp.net: 10 ASPMX2.GOOGLEMAIL.COM.
> at-band-camp.net: 1 ASPMX.L.GOOGLE.COM.
> at-band-camp.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> at-band-camp.net: 10 ASPMX3.GOOGLEMAIL.COM.
> at-band-camp.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> ath.cx: 10 ASPMX3.GOOGLEMAIL.COM.
> ath.cx: 10 ASPMX2.GOOGLEMAIL.COM.
> ath.cx: 5 ALT1.ASPMX.L.GOOGLE.COM.
> ath.cx: 5 ALT2.ASPMX.L.GOOGLE.COM.
> ath.cx: 1 ASPMX.L.GOOGLE.COM.
> barrel-of-knowledge.info: 10 ASPMX2.GOOGLEMAIL.COM.
> barrel-of-knowledge.info: 10 ASPMX3.GOOGLEMAIL.COM.
> barrel-of-knowledge.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
> barrel-of-knowledge.info: 1 ASPMX.L.GOOGLE.COM.
> barrel-of-knowledge.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
> barrell-of-knowledge.info: 10 ASPMX2.GOOGLEMAIL.COM.
> barrell-of-knowledge.info: 1 ASPMX.L.GOOGLE.COM.
> barrell-of-knowledge.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
> barrell-of-knowledge.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
> barrell-of-knowledge.info: 10 ASPMX3.GOOGLEMAIL.COM.
> better-than.tv: 5 ALT2.ASPMX.L.GOOGLE.COM.
> better-than.tv: 10 ASPMX3.GOOGLEMAIL.COM.
> better-than.tv: 5 ALT1.ASPMX.L.GOOGLE.COM.
> better-than.tv: 1 ASPMX.L.GOOGLE.COM.
> better-than.tv: 10 ASPMX2.GOOGLEMAIL.COM.
> blogdns.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> blogdns.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> blogdns.com: 10 ASPMX2.GOOGLEMAIL.com.
> blogdns.com: 1 ASPMX.L.GOOGLE.com.
> blogdns.com: 10 ASPMX3.GOOGLEMAIL.com.
> blogdns.net: 10 ASPMX3.GOOGLEMAIL.COM.
> blogdns.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> blogdns.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> blogdns.net: 10 ASPMX2.GOOGLEMAIL.COM.
> blogdns.net: 1 ASPMX.L.GOOGLE.COM.
> blogdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
> blogdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
> blogdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> blogdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> blogdns.org: 1 ASPMX.L.GOOGLE.COM.
> blogsite.org: 1 ASPMX.L.GOOGLE.COM.
> blogsite.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> blogsite.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> blogsite.org: 10 ASPMX3.GOOGLEMAIL.COM.
> blogsite.org: 10 ASPMX2.GOOGLEMAIL.COM.
> boldlygoingnowhere.org: 10 ASPMX2.GOOGLEMAIL.COM.
> boldlygoingnowhere.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> boldlygoingnowhere.org: 1 ASPMX.L.GOOGLE.COM.
> boldlygoingnowhere.org: 10 ASPMX3.GOOGLEMAIL.COM.
> boldlygoingnowhere.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> broke-it.net: 1 ASPMX.L.GOOGLE.COM.
> broke-it.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> broke-it.net: 10 ASPMX3.GOOGLEMAIL.COM.
> broke-it.net: 10 ASPMX2.GOOGLEMAIL.COM.
> broke-it.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> buyshouses.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> buyshouses.net: 1 ASPMX.L.GOOGLE.COM.
> buyshouses.net: 10 ASPMX2.GOOGLEMAIL.COM.
> buyshouses.net: 10 ASPMX3.GOOGLEMAIL.COM.
> buyshouses.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> cechire.com: 10 mx1.mailhop.org.
> cechire.com: 20 mx2.mailhop.org.
> dnsalias.com: 10 ASPMX2.GOOGLEMAIL.com.
> dnsalias.com: 10 ASPMX3.GOOGLEMAIL.com.
> dnsalias.com: 1 ASPMX.L.GOOGLE.com.
> dnsalias.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> dnsalias.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> dnsalias.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dnsalias.net: 1 ASPMX.L.GOOGLE.COM.
> dnsalias.net: 10 ASPMX2.GOOGLEMAIL.COM.
> dnsalias.net: 10 ASPMX3.GOOGLEMAIL.COM.
> dnsalias.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dnsalias.org: 10 ASPMX3.GOOGLEMAIL.COM.
> dnsalias.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dnsalias.org: 10 ASPMX2.GOOGLEMAIL.COM.
> dnsalias.org: 1 ASPMX.L.GOOGLE.COM.
> dnsalias.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dnsdojo.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> dnsdojo.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> dnsdojo.com: 10 ASPMX2.GOOGLEMAIL.com.
> dnsdojo.com: 1 ASPMX.L.GOOGLE.com.
> dnsdojo.com: 10 ASPMX3.GOOGLEMAIL.com.
> dnsdojo.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dnsdojo.net: 10 ASPMX2.GOOGLEMAIL.COM.
> dnsdojo.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dnsdojo.net: 10 ASPMX3.GOOGLEMAIL.COM.
> dnsdojo.net: 1 ASPMX.L.GOOGLE.COM.
> dnsdojo.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dnsdojo.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dnsdojo.org: 10 ASPMX3.GOOGLEMAIL.COM.
> dnsdojo.org: 1 ASPMX.L.GOOGLE.COM.
> dnsdojo.org: 10 ASPMX2.GOOGLEMAIL.COM.
> does-it.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> does-it.net: 10 ASPMX3.GOOGLEMAIL.COM.
> does-it.net: 10 ASPMX2.GOOGLEMAIL.COM.
> does-it.net: 1 ASPMX.L.GOOGLE.COM.
> does-it.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> doesntexist.com: 1 ASPMX.L.GOOGLE.com.
> doesntexist.com: 10 ASPMX3.GOOGLEMAIL.com.
> doesntexist.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> doesntexist.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> doesntexist.com: 10 ASPMX2.GOOGLEMAIL.com.
> doesntexist.org: 10 ASPMX2.GOOGLEMAIL.COM.
> doesntexist.org: 10 ASPMX3.GOOGLEMAIL.COM.
> doesntexist.org: 1 ASPMX.L.GOOGLE.COM.
> doesntexist.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> doesntexist.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dontexist.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> dontexist.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> dontexist.com: 1 ASPMX.L.GOOGLE.com.
> dontexist.com: 10 ASPMX3.GOOGLEMAIL.com.
> dontexist.com: 10 ASPMX2.GOOGLEMAIL.com.
> dontexist.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dontexist.net: 1 ASPMX.L.GOOGLE.COM.
> dontexist.net: 10 ASPMX3.GOOGLEMAIL.COM.
> dontexist.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dontexist.net: 10 ASPMX2.GOOGLEMAIL.COM.
> dontexist.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dontexist.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dontexist.org: 10 ASPMX2.GOOGLEMAIL.COM.
> dontexist.org: 1 ASPMX.L.GOOGLE.COM.
> dontexist.org: 10 ASPMX3.GOOGLEMAIL.COM.
> doomdns.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> doomdns.com: 10 ASPMX3.GOOGLEMAIL.com.
> doomdns.com: 10 ASPMX2.GOOGLEMAIL.com.
> doomdns.com: 1 ASPMX.L.GOOGLE.com.
> doomdns.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> doomdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
> doomdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> doomdns.org: 1 ASPMX.L.GOOGLE.COM.
> doomdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
> doomdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dvrdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
> dvrdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dvrdns.org: 1 ASPMX.L.GOOGLE.COM.
> dvrdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
> dvrdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dyn-o-saur.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> dyn-o-saur.com: 10 ASPMX3.GOOGLEMAIL.com.
> dyn-o-saur.com: 1 ASPMX.L.GOOGLE.com.
> dyn-o-saur.com: 10 ASPMX2.GOOGLEMAIL.com.
> dyn-o-saur.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> dynalias.com: 10 ASPMX2.GOOGLEMAIL.com.
> dynalias.com: 10 ASPMX3.GOOGLEMAIL.com.
> dynalias.com: 1 ASPMX.L.GOOGLE.com.
> dynalias.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> dynalias.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> dynalias.net: 1 ASPMX.L.GOOGLE.COM.
> dynalias.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dynalias.net: 10 ASPMX3.GOOGLEMAIL.COM.
> dynalias.net: 10 ASPMX2.GOOGLEMAIL.COM.
> dynalias.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dynalias.org: 10 ASPMX2.GOOGLEMAIL.COM.
> dynalias.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dynalias.org: 10 ASPMX3.GOOGLEMAIL.COM.
> dynalias.org: 1 ASPMX.L.GOOGLE.COM.
> dynalias.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dynathome.net: 10 ASPMX3.GOOGLEMAIL.COM.
> dynathome.net: 1 ASPMX.L.GOOGLE.COM.
> dynathome.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dynathome.net: 10 ASPMX2.GOOGLEMAIL.COM.
> dynathome.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> dyndns.ws: 1 ASPMX.L.GOOGLE.COM.
> dyndns.ws: 5 ALT2.ASPMX.L.GOOGLE.COM.
> dyndns.ws: 10 ASPMX3.GOOGLEMAIL.COM.
> dyndns.ws: 10 ASPMX2.GOOGLEMAIL.COM.
> dyndns.ws: 5 ALT1.ASPMX.L.GOOGLE.COM.
> endofinternet.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> endofinternet.net: 1 ASPMX.L.GOOGLE.COM.
> endofinternet.net: 10 ASPMX2.GOOGLEMAIL.COM.
> endofinternet.net: 10 ASPMX3.GOOGLEMAIL.COM.
> endofinternet.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> endofinternet.org: 10 ASPMX3.GOOGLEMAIL.COM.
> endofinternet.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> endofinternet.org: 1 ASPMX.L.GOOGLE.COM.
> endofinternet.org: 10 ASPMX2.GOOGLEMAIL.COM.
> endofinternet.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> endoftheinternet.org: 10 ASPMX3.GOOGLEMAIL.COM.
> endoftheinternet.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> endoftheinternet.org: 1 ASPMX.L.GOOGLE.COM.
> endoftheinternet.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> endoftheinternet.org: 10 ASPMX2.GOOGLEMAIL.COM.
> est-a-la-maison.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> est-a-la-maison.com: 10 ASPMX2.GOOGLEMAIL.com.
> est-a-la-maison.com: 1 ASPMX.L.GOOGLE.com.
> est-a-la-maison.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> est-a-la-maison.com: 10 ASPMX3.GOOGLEMAIL.com.
> est-a-la-masion.com: 20 mx2.mailhop.org.
> est-a-la-masion.com: 10 mx1.mailhop.org.
> est-le-patron.com: 20 mx2.mailhop.org.
> est-le-patron.com: 10 mx1.mailhop.org.
> est-mon-blogueur.com: 10 mx1.mailhop.org.
> est-mon-blogueur.com: 20 mx2.mailhop.org.
> for-better.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
> for-better.biz: 10 ASPMX3.GOOGLEMAIL.COM.
> for-better.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
> for-better.biz: 1 ASPMX.L.GOOGLE.COM.
> for-better.biz: 10 ASPMX2.GOOGLEMAIL.COM.
> for-more.biz: 10 ASPMX3.GOOGLEMAIL.COM.
> for-more.biz: 1 ASPMX.L.GOOGLE.COM.
> for-more.biz: 10 ASPMX2.GOOGLEMAIL.COM.
> for-more.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
> for-more.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
> for-our.info: 1 ASPMX.L.GOOGLE.COM.
> for-our.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
> for-our.info: 10 ASPMX2.GOOGLEMAIL.COM.
> for-our.info: 10 ASPMX3.GOOGLEMAIL.COM.
> for-our.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
> for-some.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
> for-some.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
> for-some.biz: 10 ASPMX3.GOOGLEMAIL.COM.
> for-some.biz: 10 ASPMX2.GOOGLEMAIL.COM.
> for-some.biz: 1 ASPMX.L.GOOGLE.COM.
> for-the.biz: 5 ALT2.ASPMX.L.GOOGLE.COM.
> for-the.biz: 5 ALT1.ASPMX.L.GOOGLE.COM.
> for-the.biz: 10 ASPMX3.GOOGLEMAIL.COM.
> for-the.biz: 1 ASPMX.L.GOOGLE.COM.
> for-the.biz: 10 ASPMX2.GOOGLEMAIL.COM.
> forgot.her.name: 10 ASPMX3.GOOGLEMAIL.COM.
> forgot.her.name: 10 ASPMX2.GOOGLEMAIL.COM.
> forgot.her.name: 5 ALT1.ASPMX.L.GOOGLE.COM.
> forgot.her.name: 1 ASPMX.L.GOOGLE.COM.
> forgot.her.name: 5 ALT2.ASPMX.L.GOOGLE.COM.
> forgot.his.name: 1 ASPMX.L.GOOGLE.COM.
> forgot.his.name: 10 ASPMX2.GOOGLEMAIL.COM.
> forgot.his.name: 10 ASPMX3.GOOGLEMAIL.COM.
> forgot.his.name: 5 ALT1.ASPMX.L.GOOGLE.COM.
> forgot.his.name: 5 ALT2.ASPMX.L.GOOGLE.COM.
> from-ak.com: 1 ASPMX.L.GOOGLE.com.
> from-ak.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ak.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ak.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ak.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-al.com: 1 ASPMX.L.GOOGLE.com.
> from-al.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-al.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-al.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-al.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ar.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ar.com: 1 ASPMX.L.GOOGLE.com.
> from-ar.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ar.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ar.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-az.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> from-az.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> from-az.net: 10 ASPMX2.GOOGLEMAIL.COM.
> from-az.net: 10 ASPMX3.GOOGLEMAIL.COM.
> from-az.net: 1 ASPMX.L.GOOGLE.COM.
> from-ca.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ca.com: 1 ASPMX.L.GOOGLE.com.
> from-ca.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ca.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ca.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-co.net: 10 ASPMX2.GOOGLEMAIL.COM.
> from-co.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> from-co.net: 10 ASPMX3.GOOGLEMAIL.COM.
> from-co.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> from-co.net: 1 ASPMX.L.GOOGLE.COM.
> from-ct.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ct.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ct.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ct.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ct.com: 1 ASPMX.L.GOOGLE.com.
> from-dc.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-dc.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-dc.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-dc.com: 1 ASPMX.L.GOOGLE.com.
> from-dc.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-de.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-de.com: 1 ASPMX.L.GOOGLE.com.
> from-de.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-de.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-de.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-fl.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-fl.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-fl.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-fl.com: 1 ASPMX.L.GOOGLE.com.
> from-fl.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ga.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ga.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ga.com: 1 ASPMX.L.GOOGLE.com.
> from-ga.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ga.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-hi.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-hi.com: 1 ASPMX.L.GOOGLE.com.
> from-hi.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-hi.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-hi.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ia.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ia.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ia.com: 1 ASPMX.L.GOOGLE.com.
> from-ia.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ia.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-id.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-id.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-id.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-id.com: 1 ASPMX.L.GOOGLE.com.
> from-id.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-il.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-il.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-il.com: 1 ASPMX.L.GOOGLE.com.
> from-il.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-il.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-in.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-in.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-in.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-in.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-in.com: 1 ASPMX.L.GOOGLE.com.
> from-ks.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ks.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ks.com: 1 ASPMX.L.GOOGLE.com.
> from-ks.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ks.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ky.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ky.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ky.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ky.com: 1 ASPMX.L.GOOGLE.com.
> from-ky.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-la.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> from-la.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> from-la.net: 10 ASPMX2.GOOGLEMAIL.COM.
> from-la.net: 10 ASPMX3.GOOGLEMAIL.COM.
> from-la.net: 1 ASPMX.L.GOOGLE.COM.
> from-ma.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ma.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ma.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ma.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ma.com: 1 ASPMX.L.GOOGLE.com.
> from-md.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-md.com: 1 ASPMX.L.GOOGLE.com.
> from-md.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-md.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-md.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-me.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> from-me.org: 10 ASPMX2.GOOGLEMAIL.COM.
> from-me.org: 10 ASPMX3.GOOGLEMAIL.COM.
> from-me.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> from-me.org: 1 ASPMX.L.GOOGLE.COM.
> from-mi.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-mi.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-mi.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-mi.com: 1 ASPMX.L.GOOGLE.com.
> from-mi.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-mn.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-mn.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-mn.com: 1 ASPMX.L.GOOGLE.com.
> from-mn.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-mn.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-mo.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-mo.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-mo.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-mo.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-mo.com: 1 ASPMX.L.GOOGLE.com.
> from-ms.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ms.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ms.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ms.com: 1 ASPMX.L.GOOGLE.com.
> from-ms.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-mt.com: 1 ASPMX.L.GOOGLE.com.
> from-mt.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-mt.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-mt.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-mt.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-nc.com: 1 ASPMX.L.GOOGLE.com.
> from-nc.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-nc.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-nc.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-nc.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-nd.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-nd.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-nd.com: 1 ASPMX.L.GOOGLE.com.
> from-nd.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-nd.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ne.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ne.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ne.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ne.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ne.com: 1 ASPMX.L.GOOGLE.com.
> from-nh.com: 1 ASPMX.L.GOOGLE.com.
> from-nh.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-nh.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-nh.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-nh.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-nj.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-nj.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-nj.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-nj.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-nj.com: 1 ASPMX.L.GOOGLE.com.
> from-nm.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-nm.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-nm.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-nm.com: 1 ASPMX.L.GOOGLE.com.
> from-nm.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-nv.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-nv.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-nv.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-nv.com: 1 ASPMX.L.GOOGLE.com.
> from-nv.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ny.net: 10 ASPMX3.GOOGLEMAIL.COM.
> from-ny.net: 10 ASPMX2.GOOGLEMAIL.COM.
> from-ny.net: 1 ASPMX.L.GOOGLE.COM.
> from-ny.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> from-ny.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> from-oh.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-oh.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-oh.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-oh.com: 1 ASPMX.L.GOOGLE.com.
> from-oh.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ok.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ok.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ok.com: 1 ASPMX.L.GOOGLE.com.
> from-ok.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ok.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-or.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-or.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-or.com: 1 ASPMX.L.GOOGLE.com.
> from-or.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-or.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-pa.com: 1 ASPMX.L.GOOGLE.com.
> from-pa.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-pa.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-pa.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-pa.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-pr.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-pr.com: 1 ASPMX.L.GOOGLE.com.
> from-pr.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-pr.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-pr.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ri.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ri.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-ri.com: 1 ASPMX.L.GOOGLE.com.
> from-ri.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ri.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-sc.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-sc.com: 1 ASPMX.L.GOOGLE.com.
> from-sc.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-sc.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-sc.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-sd.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-sd.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-sd.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-sd.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-sd.com: 1 ASPMX.L.GOOGLE.com.
> from-tn.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-tn.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-tn.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-tn.com: 1 ASPMX.L.GOOGLE.com.
> from-tn.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-tx.com: 1 ASPMX.L.GOOGLE.com.
> from-tx.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-tx.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-tx.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-tx.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ut.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-ut.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-ut.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-ut.com: 1 ASPMX.L.GOOGLE.com.
> from-ut.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-va.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-va.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-va.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-va.com: 1 ASPMX.L.GOOGLE.com.
> from-va.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-vt.com: 1 ASPMX.L.GOOGLE.com.
> from-vt.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-vt.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-vt.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-vt.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-wa.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-wa.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-wa.com: 1 ASPMX.L.GOOGLE.com.
> from-wa.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-wa.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-wi.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-wi.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-wi.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-wi.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-wi.com: 1 ASPMX.L.GOOGLE.com.
> from-wv.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-wv.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> from-wv.com: 1 ASPMX.L.GOOGLE.com.
> from-wv.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-wv.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-wy.com: 1 ASPMX.L.GOOGLE.com.
> from-wy.com: 10 ASPMX3.GOOGLEMAIL.com.
> from-wy.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> from-wy.com: 10 ASPMX2.GOOGLEMAIL.com.
> from-wy.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> ftpaccess.cc: 10 ASPMX2.GOOGLEMAIL.COM.
> ftpaccess.cc: 1 ASPMX.L.GOOGLE.COM.
> ftpaccess.cc: 5 ALT1.ASPMX.L.GOOGLE.COM.
> ftpaccess.cc: 10 ASPMX3.GOOGLEMAIL.COM.
> ftpaccess.cc: 5 ALT2.ASPMX.L.GOOGLE.COM.
> fuettertdasnetz.de: 20 mx2.mailhop.org.
> fuettertdasnetz.de: 10 mx1.mailhop.org.
> game-host.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> game-host.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> game-host.org: 1 ASPMX.L.GOOGLE.COM.
> game-host.org: 10 ASPMX3.GOOGLEMAIL.COM.
> game-host.org: 10 ASPMX2.GOOGLEMAIL.COM.
> game-server.cc: 5 ALT1.ASPMX.L.GOOGLE.COM.
> game-server.cc: 5 ALT2.ASPMX.L.GOOGLE.COM.
> game-server.cc: 1 ASPMX.L.GOOGLE.COM.
> game-server.cc: 10 ASPMX3.GOOGLEMAIL.COM.
> game-server.cc: 10 ASPMX2.GOOGLEMAIL.COM.
> getmyip.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> getmyip.com: 10 ASPMX2.GOOGLEMAIL.com.
> getmyip.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> getmyip.com: 1 ASPMX.L.GOOGLE.com.
> getmyip.com: 10 ASPMX3.GOOGLEMAIL.com.
> gets-it.net: 1 ASPMX.L.GOOGLE.COM.
> gets-it.net: 10 ASPMX2.GOOGLEMAIL.COM.
> gets-it.net: 10 ASPMX3.GOOGLEMAIL.COM.
> gets-it.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> gets-it.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> gotdns.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> gotdns.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> gotdns.com: 1 ASPMX.L.GOOGLE.com.
> gotdns.com: 10 ASPMX3.GOOGLEMAIL.com.
> gotdns.com: 10 ASPMX2.GOOGLEMAIL.com.
> gotdns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> gotdns.org: 10 ASPMX3.GOOGLEMAIL.COM.
> gotdns.org: 10 ASPMX2.GOOGLEMAIL.COM.
> gotdns.org: 1 ASPMX.L.GOOGLE.COM.
> gotdns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> groks-the.info: 10 ASPMX2.GOOGLEMAIL.COM.
> groks-the.info: 1 ASPMX.L.GOOGLE.COM.
> groks-the.info: 10 ASPMX3.GOOGLEMAIL.COM.
> groks-the.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
> groks-the.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
> groks-this.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
> groks-this.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
> groks-this.info: 1 ASPMX.L.GOOGLE.COM.
> groks-this.info: 10 ASPMX3.GOOGLEMAIL.COM.
> groks-this.info: 10 ASPMX2.GOOGLEMAIL.COM.
> ham-radio-op.net: 10 ASPMX3.GOOGLEMAIL.COM.
> ham-radio-op.net: 1 ASPMX.L.GOOGLE.COM.
> ham-radio-op.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> ham-radio-op.net: 10 ASPMX2.GOOGLEMAIL.COM.
> ham-radio-op.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> here-for-more.info: 5 ALT1.ASPMX.L.GOOGLE.COM.
> here-for-more.info: 10 ASPMX2.GOOGLEMAIL.COM.
> here-for-more.info: 10 ASPMX3.GOOGLEMAIL.COM.
> here-for-more.info: 5 ALT2.ASPMX.L.GOOGLE.COM.
> here-for-more.info: 1 ASPMX.L.GOOGLE.COM.
> hobby-site.com: 1 ASPMX.L.GOOGLE.com.
> hobby-site.com: 10 ASPMX3.GOOGLEMAIL.com.
> hobby-site.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> hobby-site.com: 10 ASPMX2.GOOGLEMAIL.com.
> hobby-site.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> hobby-site.org: 10 ASPMX2.GOOGLEMAIL.COM.
> hobby-site.org: 10 ASPMX3.GOOGLEMAIL.COM.
> hobby-site.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> hobby-site.org: 1 ASPMX.L.GOOGLE.COM.
> hobby-site.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homedns.org: 10 ASPMX2.GOOGLEMAIL.COM.
> homedns.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homedns.org: 1 ASPMX.L.GOOGLE.COM.
> homedns.org: 10 ASPMX3.GOOGLEMAIL.COM.
> homedns.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homeftp.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homeftp.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homeftp.net: 1 ASPMX.L.GOOGLE.COM.
> homeftp.net: 10 ASPMX3.GOOGLEMAIL.COM.
> homeftp.net: 10 ASPMX2.GOOGLEMAIL.COM.
> homeftp.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homeftp.org: 10 ASPMX2.GOOGLEMAIL.COM.
> homeftp.org: 1 ASPMX.L.GOOGLE.COM.
> homeftp.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homeftp.org: 10 ASPMX3.GOOGLEMAIL.COM.
> homeip.net: 10 ASPMX3.GOOGLEMAIL.COM.
> homeip.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homeip.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homeip.net: 1 ASPMX.L.GOOGLE.COM.
> homeip.net: 10 ASPMX2.GOOGLEMAIL.COM.
> homelinux.com: 10 ASPMX3.GOOGLEMAIL.com.
> homelinux.com: 10 ASPMX2.GOOGLEMAIL.com.
> homelinux.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> homelinux.com: 1 ASPMX.L.GOOGLE.com.
> homelinux.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> homelinux.net: 10 ASPMX3.GOOGLEMAIL.COM.
> homelinux.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homelinux.net: 1 ASPMX.L.GOOGLE.COM.
> homelinux.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homelinux.net: 10 ASPMX2.GOOGLEMAIL.COM.
> homelinux.org: 10 ASPMX3.GOOGLEMAIL.COM.
> homelinux.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homelinux.org: 1 ASPMX.L.GOOGLE.COM.
> homelinux.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homelinux.org: 10 ASPMX2.GOOGLEMAIL.COM.
> homeunix.com: 10 ASPMX2.GOOGLEMAIL.com.
> homeunix.com: 10 ASPMX3.GOOGLEMAIL.com.
> homeunix.com: 1 ASPMX.L.GOOGLE.com.
> homeunix.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> homeunix.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> homeunix.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homeunix.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> homeunix.net: 10 ASPMX3.GOOGLEMAIL.COM.
> homeunix.net: 1 ASPMX.L.GOOGLE.COM.
> homeunix.net: 10 ASPMX2.GOOGLEMAIL.COM.
> homeunix.org: 5 ALT1.ASPMX.L.GOOGLE.COM.
> homeunix.org: 10 ASPMX3.GOOGLEMAIL.COM.
> homeunix.org: 1 ASPMX.L.GOOGLE.COM.
> homeunix.org: 10 ASPMX2.GOOGLEMAIL.COM.
> homeunix.org: 5 ALT2.ASPMX.L.GOOGLE.COM.
> iamallama.com: 10 ASPMX3.GOOGLEMAIL.com.
> iamallama.com: 5 ALT1.ASPMX.L.GOOGLE.com.
> iamallama.com: 10 ASPMX2.GOOGLEMAIL.com.
> iamallama.com: 5 ALT2.ASPMX.L.GOOGLE.com.
> iamallama.com: 1 ASPMX.L.GOOGLE.com.
> in-the-band.net: 10 ASPMX3.GOOGLEMAIL.COM.
> in-the-band.net: 5 ALT2.ASPMX.L.GOOGLE.COM.
> in-the-band.net: 5 ALT1.ASPMX.L.GOOGLE.COM.
> in-the-band.net: 10 ASPMX2.GOOGLEMAIL.COM.
> onthewifi.com: 5 mail1.no-ip.com.
> onthewifi.com: 10 mail2.no-ip.com.
> pgafan.net: 5 mail.pgafan.net.
> point2this.com: 5 mail1.no-ip.com.
> point2this.com: 10 mail2.no-ip.com.
> pointto.us: 5 mail1.no-ip.com.
> pointto.us: 10 mail2.no-ip.com.
> privatizehealthinsurance.net: 5 mail.privatizehealthinsurance.net.
> quicksytes.com: 5 mail1.no-ip.com.
> quicksytes.com: 10 mail2.no-ip.com.
> read-books.org: 5 mail.read-books.org.
> securitytactics.com: 5 mail1.no-ip.com.
> securitytactics.com: 10 mail2.no-ip.com.
> serveexchange.com: 5 mail1.no-ip.com.
> servehumour.com: 5 mail1.no-ip.com.
> servehumour.com: 10 mail2.no-ip.com.
> servep2p.com: 5 mail1.no-ip.com.
> servep2p.com: 10 mail2.no-ip.com.
> servesarcasm.com: 5 mail1.no-ip.com.
> servesarcasm.com: 10 mail2.no-ip.com.
> stufftoread.com: 5 mail1.no-ip.com.
> stufftoread.com: 10 mail2.no-ip.com.
> ufcfan.org: 5 mail.ufcfan.org.
> unusualperson.com: 5 mail1.no-ip.com.
> unusualperson.com: 10 mail2.no-ip.com.
> workisboring.com: 5 mail1.no-ip.com.
> workisboring.com: 10 mail2.no-ip.com.
> ddns.net: 5 mail.ddns.net.
> ddnsking.com: 5 mail1.no-ip.com.
> ddnsking.com: 10 mail1.no-ip.com.
> ddnsking.com: 15 mail2.no-ip.com.
> gotdns.ch: 5 mail1.no-ip.com.
> gotdns.ch: 10 mail2.no-ip.com.
> hopto.org: 5 mail1.no-ip.com.
> hopto.org: 10 mail2.no-ip.com.
> myftp.biz: 5 mail1.no-ip.com.
> myftp.biz: 10 mail2.no-ip.com.
> myvnc.com: 5 mail1.no-ip.com.
> myvnc.com: 10 mail2.no-ip.com.
> no-ip.biz: 5 mail1.no-ip.com.
> no-ip.biz: 10 mail2.no-ip.com.
> no-ip.info: 5 mail1.no-ip.com.
> no-ip.info: 10 mail2.no-ip.com.
> no-ip.org: 5 mail1.no-ip.com.
> no-ip.org: 10 mail2.no-ip.com.
> noip.me: 5 mail1.no-ip.com.
> noip.me: 10 mail2.no-ip.com.
> redirectme.net: 5 mail1.no-ip.com.
> redirectme.net: 10 mail2.no-ip.com.
> servebeer.com: 5 mail1.no-ip.com.
> servebeer.com: 10 mail2.no-ip.com.
> serveblog.net: 10 mail2.no-ip.com.
> servecounterstrike.com: 5 mail1.no-ip.com.
> servecounterstrike.com: 10 mail2.no-ip.com.
> serveftp.com: 5 mail1.no-ip.com.
> serveftp.com: 10 mail2.no-ip.com.
> servegame.com: 5 mail1.no-ip.com.
> servegame.com: 10 mail2.no-ip.com.
> servehalflife.com: 5 mail1.no-ip.com.
> servehalflife.com: 10 mail2.no-ip.com.
> serveirc.com: 5 mail1.no-ip.com.
> serveirc.com: 10 mail2.no-ip.com.
> serveminecraft.net: 5 mail.serveminecraft.net.
> servepics.com: 5 mail1.no-ip.com.
> servepics.com: 10 mail2.no-ip.com.
> sytes.net: 10 mail2.no-ip.com.
> webhop.me: 5 mail.webhop.me.
> zapto.org: 5 mail1.no-ip.com.
> zapto.org: 10 mail2.no-ip.com.
> nodum.co: 10 alt3.aspmx.l.google.com.
> nodum.co: 1 aspmx.l.google.com.
> nodum.co: 10 alt4.aspmx.l.google.com.
> nodum.co: 5 alt2.aspmx.l.google.com.
> nodum.co: 5 alt1.aspmx.l.google.com.
> nodum.io: 5 alt1.aspmx.l.google.com.
> nodum.io: 1 aspmx.l.google.com.
> nodum.io: 10 alt4.aspmx.l.google.com.
> nodum.io: 5 alt2.aspmx.l.google.com.
> nodum.io: 10 alt3.aspmx.l.google.com.
> nid.io: 0 nid.io.
> opencraft.hosting: 50 mail.plebia.org.
> outsystemscloud.com: 10 relay2.outsystems.net.
> ownprovider.com: 10 cloud.moennich.ownprovider.com.
> oy.lc: 10 oy.lc.
> pgfog.com: 1 aspmx.l.google.com.
> pgfog.com: 5 alt1.aspmx.l.google.com.
> pgfog.com: 5 alt2.aspmx.l.google.com.
> pgfog.com: 10 aspmx2.googlemail.com.
> pgfog.com: 10 aspmx3.googlemail.com.
> pagefrontapp.com: 1 aspmx.l.google.com.
> pagefrontapp.com: 10 aspmx2.googlemail.com.
> pagefrontapp.com: 10 aspmx3.googlemail.com.
> pagefrontapp.com: 5 alt1.aspmx.l.google.com.
> pagefrontapp.com: 5 alt2.aspmx.l.google.com.
> art.pl: 5 mail.net.icm.edu.pl.
> gliwice.pl: 10 mx.silweb.pl.
> krakow.pl: 5 mx4.cyf-kr.edu.pl.
> poznan.pl: 1 aspmx.l.google.com.
> zakopane.pl: 5 mx4.cyf-kr.edu.pl.
> on-web.fr: 10 mx2.planet-work.com.
> on-web.fr: 10 mx3.planet-work.com.
> on-web.fr: 10 mx1.planet-work.com.
> protonet.io: 15 eforward4.registrar-servers.com.
> protonet.io: 10 eforward2.registrar-servers.com.
> protonet.io: 10 eforward3.registrar-servers.com.
> protonet.io: 10 eforward1.registrar-servers.com.
> protonet.io: 20 eforward5.registrar-servers.com.
> chirurgiens-dentistes-en-france.fr: 1 ASPMX.L.GOOGLE.COM.
> chirurgiens-dentistes-en-france.fr: 3 ALT2.ASPMX.L.GOOGLE.COM.
> chirurgiens-dentistes-en-france.fr: 5 ASPMX3.GOOGLEMAIL.COM.
> chirurgiens-dentistes-en-france.fr: 5 ASPMX2.GOOGLEMAIL.COM.
> chirurgiens-dentistes-en-france.fr: 3 ALT1.ASPMX.L.GOOGLE.COM.
> byen.site: 3 ALT1.ASPMX.L.GOOGLE.COM.
> byen.site: 1 ASPMX.L.GOOGLE.COM.
> byen.site: 5 ASPMX3.GOOGLEMAIL.COM.
> byen.site: 3 ALT2.ASPMX.L.GOOGLE.COM.
> byen.site: 5 ASPMX2.GOOGLEMAIL.COM.
> alpha-myqnapcloud.com: 
> qcloud-alpha-fronted-841689676.us-east-1.elb.amazonaws.com.
> myqnapcloud.com: aws-portal-1002075996.us-east-1.elb.amazonaws.com.
> vapor.cloud: 1 aspmx.l.google.com.
> vapor.cloud: 10 aspmx2.googlemail.com.
> vapor.cloud: 10 aspmx3.googlemail.com.
> vapor.cloud: 5 alt1.aspmx.l.google.com.
> vapor.cloud: 5 alt2.aspmx.l.google.com.
> rackmaze.com: 1 aspmx.l.google.com.
> rackmaze.com: 10 aspmx2.googlemail.com.
> rackmaze.com: 10 aspmx3.googlemail.com.
> rackmaze.com: 10 aspmx4.googlemail.com.
> rackmaze.com: 10 aspmx5.googlemail.com.
> rackmaze.com: 5 alt1.aspmx.l.google.com.
> rackmaze.com: 5 alt2.aspmx.l.google.com.
> rhcloud.com: 10 use-mailrelay1.prod.rhcloud.com.
> ptplus.fit: 20 mx1.123-reg.co.uk.
> ptplus.fit: 10 mx0.123-reg.co.uk.
> wellbeingzone.co.uk: 5 wellbeingzone-co-uk.mail.protection.outlook.com.
> logoip.de: 10 mail.myshn.com.
> logoip.com: 10 mail.myshn.com.
> firewall-gateway.de: 10 mail.spdns.de.
> spdns.de: 10 mx0.securepoint.de.
> spdns.eu: 10 mail.spdns.eu.
> firewall-gateway.net: 10 mail.spdns.de.
> spdns.org: 10 mail.spdns.org.
> biz.ua: 20 mx2.biz.ua.uadns.com.
> biz.ua: 30 mx3.biz.ua.uadns.com.
> biz.ua: 10 mx1.biz.ua.uadns.com.
> co.ua: 30 mx3.co.ua.uadns.com.
> co.ua: 10 mx1.co.ua.uadns.com.
> co.ua: 20 mx2.co.ua.uadns.com.
> pp.ua: 10 mx1.pp.ua.uadns.com.
> pp.ua: 20 mx2.pp.ua.uadns.com.
> pp.ua: 30 mx3.pp.ua.uadns.com.
> myshopblocks.com: 20 mx2.improvmx.com.
> myshopblocks.com: 10 mx1.improvmx.com.
> static.land: 10 spool.mail.gandi.net.
> static.land: 50 fb.mail.gandi.net.
> apps.lair.io: mytikas.servers.lair.io.
> storj.farm: 10 eforward1.registrar-servers.com.
> storj.farm: 10 eforward3.registrar-servers.com.
> storj.farm: 10 eforward2.registrar-servers.com.
> storj.farm: 20 eforward5.registrar-servers.com.
> storj.farm: 15 eforward4.registrar-servers.com.
> temp-dns.com: 5 mx2.email-cluster.com.
> temp-dns.com: 10 failover1.email-cluster.com.
> temp-dns.com: 5 mx1.email-cluster.com.
> gda.pl: 0 hmail.task.gda.pl.
> gdansk.pl: 10 ASPMX2.GOOGLEMAIL.COM.
> gdansk.pl: 1 ASPMX.L.GOOGLE.COM.
> gdansk.pl: 10 ASPMX3.GOOGLEMAIL.COM.
> gdansk.pl: 5 ALT2.ASPMX.L.GOOGLE.COM.
> gdansk.pl: 5 ALT1.ASPMX.L.GOOGLE.COM.
> gdynia.pl: 0 server.miasto.gdynia.pl.
> med.pl: 1 hmail.task.gda.pl.
> sopot.pl: 10 mx2.um.sopot.pl.
> bloxcms.com: 10 mail.chicago2.vip.townnews.com.
> lima-city.at: 10 mail.lima-city.de.
> lima-city.ch: 10 mail.lima-city.de.
> trafficplex.cloud: 0 mail.lima-city.de.
> de.cool: 10 mail.lima-city.de.
> lima-city.de: 10 mail.lima-city.de.
> clan.rip: 10 mail.lima-city.de.
> lima-city.rocks: 10 mail.lima-city.de.
> webspace.rocks: 10 mail.lima-city.de.
> lima.zone: 10 mail.lima-city.de.
> tuxfamily.org: 10 mx1.tuxfamily.net.
> tuxfamily.org: 15 mx2.tuxfamily.net.
> uber.space: 0 mx01.mailproxy.uberspace.de.
> uber.space: 0 mx02.mailproxy.uberspace.de.
> hk.com: 10 mailme.hk.com.
> lib.de.us: 20 mail.lib.de.us.
> v-info.info: 0 v-info.info.
> wmflabs.org: 50 mx2001.wikimedia.org.
> wmflabs.org: 10 mx1001.wikimedia.org.
> cistron.nl: 100 mx.cistron.nl.
> cistron.nl: 50 primx.cistron.nl.
> demon.nl: 0 .
> xs4all.space: 100 mx3.xs4all.nl.
> xs4all.space: 100 mx1.xs4all.nl.
> xs4all.space: 100 mx4.xs4all.nl.
> xs4all.space: 100 mx2.xs4all.nl.
> za.net: 5 virt.plig.net.
> za.org: 5 virt.plig.net.
> --
> Regards,
> John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly





From nobody Sat Dec 16 14:48:47 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E612127444 for <dmarc@ietfa.amsl.com>; Sat, 16 Dec 2017 14:48:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=lh+b0wg9; dkim=pass (1536-bit key) header.d=taugh.com header.b=h9rzmUeJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XAdGhNvIIPxY for <dmarc@ietfa.amsl.com>; Sat, 16 Dec 2017 14:48:43 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2C73127011 for <dmarc@ietf.org>; Sat, 16 Dec 2017 14:48:42 -0800 (PST)
Received: (qmail 67970 invoked from network); 16 Dec 2017 22:48:40 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=10980.5a35a2c8.k1712; bh=JRRhajJS0beY7O4QnhwRIVVFg0hVYv1rmwhgZkqZMXc=; b=lh+b0wg9UW4t3lLeqXNRH50OOkznQduaMecVoepLclT8KEp9jM1rDCPrOqgvZbrqzKDICHhoj5AQF2NJFEeaLy/LuU47e0osNiGBybE3mEfpbP1kgzvpSkI9/9Po/n86uUdYoEpJiJtTSCRsv49I+0ZGHAgfFaIbw0TlchSd9Bt2M5Y7g0dBVAq8g3g83o4CEBxCGzEtCKiSXt9KkmUd14Xhyt7Ihvcf+XrWqbtsYlZ0y6dLi8LqkD2HAkcvU6GD
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=10980.5a35a2c8.k1712; bh=JRRhajJS0beY7O4QnhwRIVVFg0hVYv1rmwhgZkqZMXc=; b=h9rzmUeJyxetOlEN3QOY9OcxWNBGK/v5INs3u6mI5SzGpxprm/oBbohR0xtUt1RBdWFgJ458eubNF4Dw4Zy3eK3ht1Ytaezwc1U81Y1ZOQW7vxIOGOjUHAyZVc6KQhncZZomAorslDl4dtwhxAN/jkAIBTW0dMhoMS5gSSq4DHsZ/XNoe5T9iI+9eNTouQb7RQ5VJd/4hknXA6mhKeNfrA+UwYcwYKEMoJU9cQoXPf2wCH4b809NembG+9a2XXvQ
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 16 Dec 2017 22:48:40 -0000
Received: by ary.qy (Postfix, from userid 501) id 7EF86180C794; Sat, 16 Dec 2017 17:48:40 -0500 (EST)
Date: 16 Dec 2017 17:48:40 -0500
Message-Id: <20171216224840.7EF86180C794@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: ajs@crankycanuck.ca
In-Reply-To: <16060f3af18.2772.9bc7627f4bf0daf95da66808f3dcb332@crankycanuck.ca>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RI9OcATwELIRx87hffNiiQqBGW4>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Dec 2017 22:48:45 -0000

In article <16060f3af18.2772.9bc7627f4bf0daf95da66808f3dcb332@crankycanuck.ca> you write:
>But of course, it isn't necessarily the domain admin who puts things in the 
>PSL, which has always been one of the problems with the PSL. It was why we 
>set up the dbound WG.  Pity we couldn't get that to consensus.

I take your point, but in this case the entries come from the
registry, which somehow has simultaneously insisted that all names be
registered below SLDs, and provided A and MX for some SLDs.

https://www.zadna.org.za/content/page/domain-information/

R's,
John

>> In article 
>> <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com> you write:
>>>I've heard from one of my contacts that country-level TLDs like gov.za are
>>>being used for attacks and that there is not a particularly effective way
>>>to protect against that or to protect against non-existent subdomains being
>>>abused. (It's even worse if those public suffix level domains are being
>>>used to send mail, but if they aren't, how do you protect it?)
>>
>> I was about to say that surely nobody would be foolish enough to put a
>> name in the PSL that has live MX records and is used for mail.  Silly me.
>>
>> The obvious response is that if they can publish A and MX and SPF
>> records for gov.za, which they do, they can publish DMARC, too.  It
>> also suggests that putting gov.za in the PSL was not a very good idea.
>>
>> R's,
>> John
>>
>>
>> ================
>>
>> freight.aero: 10 mx1.champ.aero.
>> freight.aero: 10 mx3.champ.aero.
>> freight.aero: 10 mx2.champ.aero.
>> freight.aero: 10 mx4.champ.aero.
 ...
>> ac.za: 10 protea.tenet.ac.za.
>> agric.za: 10 gwsmtp1.agric.za.
>> alt.za: 0 ln1.cequrux.com.
>> co.za: 10 mx2.coza.net.za.
>> gov.za: 100 mta.gov.za.
>> grondar.za: 0 gromit.grondar.org.
>> law.za: 20 luke.voffice.co.za.
>> law.za: 30 mail.attorneys.law.za.
>> law.za: 10 mailfirewall.voffice.co.za.
>> mil.za: 10 fm-mail-in.voxtelecom.co.za.
>> ngo.za: 10 mxc01.mxrc.co.za.
>> ngo.za: 10 mxc02.mxrc.co.za.
>> nis.za: 0 nis.za.
>> nom.za: 20 secdns1.posix.co.za.
>> nom.za: 10 mail.nom.za.
>> org.za: 10 mx2.coza.net.za.
>> school.za: 10 ochre.school.za.
>> school.za: 20 mopani.school.za.
>> tm.za: 20 alt1.aspmx.l.google.com.
>> tm.za: 20 alt2.aspmx.l.google.com.
>> tm.za: 30 aspmx2.googlemail.com.
>> tm.za: 30 aspmx3.googlemail.com.
>> tm.za: 30 aspmx4.googlemail.com.
>> tm.za: 30 aspmx5.googlemail.com.
>> tm.za: 10 aspmx.l.google.com.
-- 
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
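
Added example (not part of the original message or of any tool used on the list): a check in the spirit of the exchange above. It reads a listing in the `name: preference host.` form quoted above, together with TXT answers for the matching `_dmarc.` names, and reports public-suffix-level names that accept mail but publish no usable DMARC record. The function names, the `.example` names and the TXT data are constructed; a lone `0 .` MX is treated as a null MX (RFC 7505), and lines without a preference are skipped as not being MX records.

```python
import re
from collections import defaultdict

# Constructed sample in the "name: preference host." form of the quoted listing.
SAMPLE_LISTING = """\
gov.example: 100 mta.gov.example.
law.example: 20 luke.voffice.example.
law.example: 10 mailfirewall.voffice.example.
parked.example: 0 .
alias.example: ingress.hosting.example.
"""

# Constructed TXT answers, keyed by query name, as a resolver would return them.
SAMPLE_TXT = {
    "_dmarc.law.example": ["v=DMARC1; p=reject; rua=mailto:r@law.example"],
    "_dmarc.parked.example": ["v=spf1 -all"],  # TXT exists but is not DMARC
}

# Optional quote markers, owner name, optional MX preference, target host.
LINE = re.compile(
    r"^(?:>+\s*)?(?P<name>[A-Za-z0-9.-]+):\s+(?:(?P<pref>\d+)\s+)?(?P<host>\S+)\s*$"
)


def parse_listing(text):
    """Return {name: [(preference, host), ...]} sorted by preference."""
    mx = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group("pref") is None:
            continue  # blank, elided ("...") or non-MX line
        mx[m.group("name").lower()].append(
            (int(m.group("pref")), m.group("host").lower())
        )
    return {name: sorted(rrs) for name, rrs in mx.items()}


def accepts_mail(rrs):
    """False only for a null MX: exactly one record, preference 0, target '.'."""
    return not (len(rrs) == 1 and rrs[0] == (0, "."))


def dmarc_policy(name, txt):
    """Return the p= value of the DMARC record at _dmarc.<name>, or None.

    Records not starting with v=DMARC1 are ignored, and more than one
    remaining record counts as no record (RFC 7489 policy discovery).
    """
    records = [
        r for r in txt.get("_dmarc." + name, [])
        if re.match(r"v\s*=\s*DMARC1\s*(;|$)", r)
    ]
    if len(records) != 1:
        return None
    tags = dict(
        (k.strip().lower(), v.strip())
        for k, v in (p.split("=", 1) for p in records[0].split(";") if "=" in p)
    )
    return tags.get("p", "").lower() or None


def unprotected_mail_suffixes(listing, txt):
    """Names that accept mail (non-null MX) yet publish no DMARC policy."""
    return [
        name
        for name, rrs in sorted(parse_listing(listing).items())
        if accepts_mail(rrs) and dmarc_policy(name, txt) is None
    ]


if __name__ == "__main__":
    for name in unprotected_mail_suffixes(SAMPLE_LISTING, SAMPLE_TXT):
        print(f"{name}: has MX, no DMARC record at _dmarc.{name}")
```
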


From ian.levy@ncsc.gov.uk  Mon Dec 18 06:46:24 2017
Return-Path: <ian.levy@ncsc.gov.uk>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAACD126C26 for <dmarc@ietfa.amsl.com>; Mon, 18 Dec 2017 06:46:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level: 
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rSD4unEhmTs2 for <dmarc@ietfa.amsl.com>; Mon, 18 Dec 2017 06:46:22 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0139.outbound.protection.outlook.com [104.47.1.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AE0AC124D85 for <dmarc@ietf.org>; Mon, 18 Dec 2017 06:46:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=ZO7Su/Wqbtcr7Yc59Doa8ajeoRKVqnRt0dYb2sjIo4s=; b=RhiVjGX0q99FjpRfXbYhszVAaa91im8hGcQ/dPfP+cTVRy3itSUPG9lLpLRd1IL3SnfB2PpezeOIFv+ngAgR9pMQpNOxSxhe5o9aBgm4cxlvBs6YN7OCnZK1AO94e/EdYn18XY2a/M/qyt+UyOAH4TdNbYGV6Ko0BmbDu40NFU0=
Received: from MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM (10.166.240.152) by MMXP12301MB1661.GBRP123.PROD.OUTLOOK.COM (10.166.237.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.323.15; Mon, 18 Dec 2017 14:46:18 +0000
Received: from MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM ([10.166.240.152]) by MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM ([10.166.240.152]) with mapi id 15.20.0302.017; Mon, 18 Dec 2017 14:46:18 +0000
From: Ian Levy <ian.levy@ncsc.gov.uk>
To: "Kurt Andersen (b)" <kboth@drkurt.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Preventing abuse of public-suffix-level domains
Thread-Index: AQHTdevoT2ysiWzEvUO1V0Z1nq0wk6NHbc2A
Date: Mon, 18 Dec 2017 14:46:18 +0000
Message-ID: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
References: <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com>
In-Reply-To: <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ian.levy@ncsc.gov.uk; 
x-originating-ip: [165.225.81.26]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MMXP12301MB1661; 6:rLC2d9Mr9oL+V9UDkOULuYoMd9BgzxIKmj3ra7GsmsbmGb9FRP5mp+veLQfORWSCS7CYgAOW+UBJZ0GoGctkWIldiITHRcI+uAHkN6B0zglk4Wz8Dq9AAR/dbAdgLVgxjL6D6Mm59VvwQ8i9U7YXYOJa7zafuqJA8MZ/3nWPVqnQJCioyltp08nCsr9Ke/UclwyeiXrd/IHRFQlLvl3I/dymd45i6bJWFnIl3f+VfgcUB/4/uHt9Ep7RPffIqFGNk0Cf1lxIOeg3OWNTq9wtW5ujk/rQBj+ELNpNOKasAK8Pvh40IwpZEpiBQiQRo0LTp/d4Ozbl1KKcmrIk9LdM50F4EjOCHnmBmIv9hZ5vpK8=; 5:qVzSjpUlfQUBsb1nxf/0TX03iDwk+XMiZxdjBYWbWcT0yrJX2qROAf9hlaJ716CIHVSLFVU4mTD2QYgj8zmh8aS7XcfqiGlq56ehcEwZgbNK4BdtmMYNhsDrnDCC1w4cJdxImt5RhdxLBHnysueXcijkkXwDdItTRKmicB2mgp4=; 24:dDhona0ydT+6HFiZb5ku6fVk+D5yTKn6aGRuRjbIC/ZLQZvVhsqgL5CEKdkcy889j9d0zndXXLuK5xig1wSURTwMCib6+KuoQ9rPXNldOh0=; 7:DKPwns5GiLRJ01nq8hZZNfgBsnwGCER8f3ZYUpiHgiSHPP3n3tIcFoWe3FdG2/gSGQEv/Kcp+QmfjL4Vbg6DchCJjQbR1D4AkKeGWZJM5LsFCJ9v04gacuOM2XW8qmeUUnuD7O5YaL8QEvZi6GEMuF5PniIgonUuYZJSN5D5Ow1wvr5w68OHLvcwQsa8+Xu1ound5dsVqPEGoAvfVxtFMMj1McB3gbR6MbPnR2pTqtPdCkeOkK54RexdeyKcWFgV
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 0ee707bd-9399-48d6-43d8-08d5462618e4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(4534020)(4602075)(7168020)(4627115)(201703031133081)(201702281549075)(2017052603307); SRVR:MMXP12301MB1661; 
x-ms-traffictypediagnostic: MMXP12301MB1661:
x-microsoft-antispam-prvs: <MMXP12301MB16617B4E24F2780FF2FD0BEDC90E0@MMXP12301MB1661.GBRP123.PROD.OUTLOOK.COM>
x-exchange-antispam-report-test: UriScan:(20558992708506)(192374486261705)(27231711734898)(21748063052155); 
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(2401047)(8121501046)(5005006)(3002001)(3231023)(93006095)(93001095)(10201501046)(6041248)(20161123558100)(20161123555025)(20161123564025)(20161123560025)(20161123562025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:MMXP12301MB1661; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:MMXP12301MB1661; 
x-forefront-prvs: 0525BB0ADF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(366004)(39850400004)(396003)(199004)(189003)(54094003)(6116002)(3846002)(790700001)(102836003)(66066001)(77096006)(229853002)(55016002)(6436002)(5660300001)(25786009)(33656002)(230783001)(106356001)(316002)(236005)(97736004)(2900100001)(110136005)(42882006)(6306002)(9686003)(54896002)(3660700001)(2950100002)(105586002)(53546011)(3280700002)(81166006)(6246003)(7736002)(2906002)(14454004)(1680700002)(606006)(55236004)(59450400001)(68736007)(2501003)(8936002)(81156014)(8676002)(53936002)(478600001)(74482002)(7696005)(76176011)(99286004)(86362001)(53386004)(75922002)(74316002)(6506007); DIR:OUT; SFP:1102; SCL:1; SRVR:MMXP12301MB1661; H:MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; PTR:InfoNoRecords;  A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0MMXP12301MB1663_"
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 0ee707bd-9399-48d6-43d8-08d5462618e4
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Dec 2017 14:46:18.1232 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MMXP12301MB1661
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3NpXl-I1hisvZ0E7xvRz-ZGuysI>
X-Mailman-Approved-At: Mon, 18 Dec 2017 07:18:00 -0800
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2017 14:47:24 -0000

--_000_MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0MMXP12301MB1663_
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
--_000_MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0MMXP12301MB1663_
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: base64

b3QgY2xlYXIgaXQgd29ya3MgaW4gYWxsIGNpcmN1bXN0YW5jZXMgYW55d2F5KS4NCiBTbywgd2Xi
gJl2ZSBiZWVuIHRyeWluZyB0byBjb21lIHVwIHdpdGggYSB3YXkgb2Ygc3ludGhlc2lzaW5nIHRo
ZSByZWxldmFudCBTUEYsIERLSU0gYW5kIERNQVJDIHJlY29yZHMgZm9yIG5vbi1leGlzdGVudCBk
b21haW5zIG9mIGdvdi51aywgdXNpbmcgdGhlIGF1dGhvcml0YXRpdmUgbmFtZSBzZXJ2ZXIuIFRo
aXMgYXBwZWFycyB0byBiZSBoYXJkZXIgdGhhbiB3ZeKAmWQgd2FudC4gV2UgY2Fu4oCZdCBqdXN0
IHVzZSBhIHdpbGRjYXJkIENOQU1FIHJlY29yZA0KIGJlY2F1c2UgdGhlcmUgZG9lc27igJl0IHNl
ZW0gdG8gYmUgYW55IHdheSB0byBnZW5lcmF0ZSB0aGUgbmVjZXNzYXJ5IHNlY29uZCBsZXZlbCBz
dWJkb21haW4gdGhhdCB3ZSBuZWVkICh0aGUgX2RtYXJjLmJhZGRvbWFpbi5nb3YudWspLiBETkFN
RSB3b3VsZCBiZSB0aGUgbW9zdCBvYnZpb3VzIHdheSB0byBkbyB0aGlzLCBidXQgaXTigJlkIG5l
ZWQgYSB3aWxkY2FyZCBETkFNRSBhbmQgdGhleeKAmXJlIOKAmGZyb3duZWQgdXBvbuKAmQ0KPC9z
cGFuPjwvc3Bhbj48c3BhbiBzdHlsZT0ibXNvLWJvb2ttYXJrOl9NYWlsRW5kQ29tcG9zZSI+PHNw
YW4gc3R5bGU9ImZvbnQtZmFtaWx5OldpbmdkaW5nczttc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1V
UyI+Sjwvc3Bhbj48L3NwYW4+PHNwYW4gc3R5bGU9Im1zby1ib29rbWFyazpfTWFpbEVuZENvbXBv
c2UiPjxzcGFuIHN0eWxlPSJtc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+LiBCZWZvcmUgd2Ug
c3RhcnQgdGhpbmtpbmcgYWJvdXQgZG9pbmcNCiBzb21ldGhpbmcga2x1ZGd5IChwcm9iYWJseSBs
b29raW5nIGZvciBmYWlsZWQgbG9va3VwcyBmb3IgVFhUIHJlY29yZHMgaW4gbG9ncyBhbmQgYWRk
aW5nIHRoZSBzdWJkb21haW4gdG8gdGhlIHpvbmUsIHdoaWNoIHN1Y2tzKSwgZG9lcyBhbnlvbmUg
aGF2ZSBhbnkgaWRlYXMgdGhhdCB3ZSBjb3VsZCB0cnk/IEkgY2Fu4oCZdCBiZWxpZXZlIHRoaXMg
aXMgdGhlIGZpcnN0IHRpbWUgdGhpcyBoYXMgYmVlbiBlbmNvdW50ZXJlZCE8bzpwPjwvbzpwPjwv
c3Bhbj48L3NwYW4+PC9saT48L29sPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9
Im1zby1ib29rbWFyazpfTWFpbEVuZENvbXBvc2UiPjxzcGFuIHN0eWxlPSJtc28tZmFyZWFzdC1s
YW5ndWFnZTpFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJtc28tYm9va21hcms6X01haWxFbmRDb21wb3Nl
Ij48c3BhbiBzdHlsZT0ibXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPkFueSB0aG91Z2h0cyB2
ZXJ5IHdlbGNvbWUuPG86cD48L286cD48L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29O
b3JtYWwiPjxzcGFuIHN0eWxlPSJtc28tYm9va21hcms6X01haWxFbmRDb21wb3NlIj48c3BhbiBz
dHlsZT0ibXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFu
Pjwvc3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0ibXNvLWJvb2tt
YXJrOl9NYWlsRW5kQ29tcG9zZSI+PHNwYW4gc3R5bGU9Im1zby1mYXJlYXN0LWxhbmd1YWdlOkVO
LVVTIj5UYS48bzpwPjwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCI+PHNwYW4gc3R5bGU9Im1zby1ib29rbWFyazpfTWFpbEVuZENvbXBvc2UiPjxzcGFuIHN0eWxl
PSJtc28tZmFyZWFzdC1sYW5ndWFnZTpFTi1VUyI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9z
cGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJtc28tYm9va21hcms6
X01haWxFbmRDb21wb3NlIj48c3BhbiBzdHlsZT0ibXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMi
PkkuPG86cD48L286cD48L3NwYW4+PC9zcGFuPjwvcD4NCjxwIGNsYXNzPSJNc29Ob3JtYWwiPjxz
cGFuIHN0eWxlPSJtc28tYm9va21hcms6X01haWxFbmRDb21wb3NlIj48c3BhbiBzdHlsZT0ibXNv
LWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPjxvOnA+Jm5ic3A7PC9vOnA+PC9zcGFuPjwvc3Bhbj48
L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0ibXNvLWJvb2ttYXJrOl9NYWls
RW5kQ29tcG9zZSI+PHNwYW4gc3R5bGU9Im1zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTIj5JbnRy
byA6IEhpLCBJ4oCZbSBJYW4gTGV2eSwgVGVjaG5pY2FsIERpcmVjdG9yIG9mIHRoZSBVS+KAmXMg
TmF0aW9uYWwgQ3liZXIgU2VjdXJpdHkgQ2VudHJlIChOQ1NDKSwgdGhlIFVLIEdvdmVybm1lbnQg
YWdlbmN5IGNoYXJnZWQgd2l0aCBiZWluZyB0aGUgc2luZ2xlLA0KIGF1dGhvcml0YXRpdmUgdm9p
Y2Ugb24gY3liZXJzZWN1cml0eSBmb3IgdGhlIFVLLiBPbmUgb2YgdGhlIHRoaW5ncyB3ZeKAmXJl
IGRvaW5nIGlzIGJlaW5nIG1vcmUgYWN0aXZlIGluIHRoZSBwcm90ZWN0aW9uIG9mIHRoZSBVSyBh
dCBzY2FsZS4gVGhlcmXigJlzIGEgYmxvZyBmcm9tIG1lIG9uIHRoZSBOQ1NDIHdlYnNpdGUgaW50
cm9kdWNpbmcgdGhlIHdob2xlIHByb2dyYW1tZSwgYnV0IGdldHRpbmcgRE1BUkMgYWRvcHRlZCBh
dCBzY2FsZSBpcyBwYXJ0DQogb2YgaXQuIFRoZSBiaXQgbW9zdCByZWxldmFudCB0byB0aGlzIGRp
c2N1c3Npb24gaXMgYXQgPC9zcGFuPjwvc3Bhbj48YSBocmVmPSJodHRwOi8vd3d3Lm5jc2MuZ292
LnVrL2FjdGl2ZS1jeWJlci1kZWZlbmNlIj48c3BhbiBzdHlsZT0ibXNvLWJvb2ttYXJrOl9NYWls
RW5kQ29tcG9zZSI+PHNwYW4gc3R5bGU9Im1zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVTIj53d3cu
bmNzYy5nb3YudWsvYWN0aXZlLWN5YmVyLWRlZmVuY2U8L3NwYW4+PC9zcGFuPjxzcGFuIHN0eWxl
PSJtc28tYm9va21hcms6X01haWxFbmRDb21wb3NlIj48L3NwYW4+PC9hPjxzcGFuIHN0eWxlPSJt
c28tYm9va21hcms6X01haWxFbmRDb21wb3NlIj4NCiB3aGljaCB0YWxrcyBhYm91dCB0aGUgYWN0
aXZlIHNlcnZpY2VzLCBpbmNsdWRpbmcgZW1haWwgc2VjdXJpdHkgYW5kIGFudGktc3Bvb2Zpbmcu
PC9zcGFuPjxzcGFuIHN0eWxlPSJtc28tYm9va21hcms6X01haWxFbmRDb21wb3NlIj48c3BhbiBz
dHlsZT0ibXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPiBNYWlsQ2hlY2sgaXMgb3VyIERNQVJD
IHByb2Nlc3NpbmcgYW5kIGFuYWx5c2lzIHBsYXRmb3JtLCB3aGljaCB3ZSBpbnRlbmQgdG8gcmVs
ZWFzZQ0KIGFzIG9wZW4gc291cmNlIGVhcmx5IEphbnVhcnkuIDxvOnA+PC9vOnA+PC9zcGFuPjwv
c3Bhbj48L3A+DQo8cCBjbGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0ibXNvLWJvb2ttYXJr
Ol9NYWlsRW5kQ29tcG9zZSI+PHNwYW4gc3R5bGU9Im1zby1mYXJlYXN0LWxhbmd1YWdlOkVOLVVT
Ij48bzpwPiZuYnNwOzwvbzpwPjwvc3Bhbj48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1h
bCI+PHNwYW4gc3R5bGU9Im1zby1ib29rbWFyazpfTWFpbEVuZENvbXBvc2UiPi0tPG86cD48L286
cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9Im1zby1ib29r
bWFyazpfTWFpbEVuZENvbXBvc2UiPkRyIElhbiBMZXZ5PG86cD48L286cD48L3NwYW4+PC9wPg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNwYW4gc3R5bGU9Im1zby1ib29rbWFyazpfTWFpbEVuZENv
bXBvc2UiPlRlY2huaWNhbCBEaXJlY3RvcjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNsYXNz
PSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJtc28tYm9va21hcms6X01haWxFbmRDb21wb3NlIj5O
YXRpb25hbCBDeWJlciBTZWN1cml0eSBDZW50cmU8bzpwPjwvbzpwPjwvc3Bhbj48L3A+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIj48c3BhbiBzdHlsZT0ibXNvLWJvb2ttYXJrOl9NYWlsRW5kQ29tcG9z
ZSI+PG86cD4mbmJzcDs8L286cD48L3NwYW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PHNw
YW4gc3R5bGU9Im1zby1ib29rbWFyazpfTWFpbEVuZENvbXBvc2UiPlN0YWZmIE9mZmljZXIgOiBL
YXRlIEF0a2lucywNCjwvc3Bhbj48YSBocmVmPSJtYWlsdG86a2F0ZS5hQG5jc2MuZ292LnVrIj48
c3BhbiBzdHlsZT0ibXNvLWJvb2ttYXJrOl9NYWlsRW5kQ29tcG9zZSI+PHNwYW4gc3R5bGU9ImNv
bG9yOiMwNTYzQzEiPmthdGUuYUBuY3NjLmdvdi51azwvc3Bhbj48L3NwYW4+PHNwYW4gc3R5bGU9
Im1zby1ib29rbWFyazpfTWFpbEVuZENvbXBvc2UiPjwvc3Bhbj48L2E+PHNwYW4gc3R5bGU9Im1z
by1ib29rbWFyazpfTWFpbEVuZENvbXBvc2UiPjxvOnA+PC9vOnA+PC9zcGFuPjwvcD4NCjxwIGNs
YXNzPSJNc29Ob3JtYWwiPjxzcGFuIHN0eWxlPSJtc28tYm9va21hcms6X01haWxFbmRDb21wb3Nl
Ij48c3BhbiBzdHlsZT0ibXNvLWZhcmVhc3QtbGFuZ3VhZ2U6RU4tVVMiPjxvOnA+Jm5ic3A7PC9v
OnA+PC9zcGFuPjwvc3Bhbj48L3A+DQo8c3BhbiBzdHlsZT0ibXNvLWJvb2ttYXJrOl9NYWlsRW5k
Q29tcG9zZSI+PC9zcGFuPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PGI+PHNwYW4gbGFuZz0iRU4t
VVMiPkZyb206PC9zcGFuPjwvYj48c3BhbiBsYW5nPSJFTi1VUyI+IGRtYXJjIFttYWlsdG86ZG1h
cmMtYm91bmNlc0BpZXRmLm9yZ10NCjxiPk9uIEJlaGFsZiBPZiA8L2I+S3VydCBBbmRlcnNlbiAo
Yik8YnI+DQo8Yj5TZW50OjwvYj4gMTUgRGVjZW1iZXIgMjAxNyAyMTozMDxicj4NCjxiPlRvOjwv
Yj4gZG1hcmNAaWV0Zi5vcmc8YnI+DQo8Yj5TdWJqZWN0OjwvYj4gW2RtYXJjLWlldGZdIFByZXZl
bnRpbmcgYWJ1c2Ugb2YgcHVibGljLXN1ZmZpeC1sZXZlbCBkb21haW5zPG86cD48L286cD48L3Nw
YW4+PC9wPg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8ZGl2
Pg0KPHAgY2xhc3M9Ik1zb05vcm1hbCI+SSBrbm93IHRoYXQgdGhlcmUgaGFkIGJlZW4gc29tZSB2
ZXJ5IHByZWxpbWluYXJ5IHRob3VnaHRzIGFib3V0IHByb3RlY3RpbmcgdGhlIFBTTCBkb21haW5z
IHRoZW1zZWx2ZXMsIGJ1dCB0aG9zZSBuZXZlciBnb3QgdmVyeSBmYXIgKHRoZXkgd2VyZSBpbiB0
aGUgY29udGV4dCBvZiB0aGUgREJPVU5EIFdHKS48bzpwPjwvbzpwPjwvcD4NCjxkaXY+DQo8cCBj
bGFzcz0iTXNvTm9ybWFsIj48bzpwPiZuYnNwOzwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiPkkndmUgaGVhcmQgZnJvbSBvbmUgb2YgbXkgY29udGFjdHMgdGhh
dCBjb3VudHJ5LWxldmVsIFRMRHMgbGlrZQ0KPGEgaHJlZj0iaHR0cDovL2dvdi56YSI+Z292Lnph
PC9hPiBhcmUgYmVpbmcgdXNlZCBmb3IgYXR0YWNrcyBhbmQgdGhhdCB0aGVyZSBpcyBub3QgYSBw
YXJ0aWN1bGFybHkgZWZmZWN0aXZlIHdheSB0byBwcm90ZWN0IGFnYWluc3QgdGhhdCBvciB0byBw
cm90ZWN0IGFnYWluc3Qgbm9uLWV4aXN0ZW50IHN1YmRvbWFpbnMgYmVpbmcgYWJ1c2VkLiAoSXQn
cyBldmVuIHdvcnNlIGlmIHRob3NlIHB1YmxpYyBzdWZmaXggbGV2ZWwgZG9tYWlucyBhcmUgYmVp
bmcNCiB1c2VkIHRvIHNlbmQgbWFpbCwgYnV0IGlmIHRoZXkgYXJlbid0LCBob3cgZG8geW91IHBy
b3RlY3QgaXQ/KTxvOnA+PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0KPHAgY2xhc3M9Ik1zb05v
cm1hbCI+PG86cD4mbmJzcDs8L286cD48L3A+DQo8L2Rpdj4NCjxkaXY+DQo8cCBjbGFzcz0iTXNv
Tm9ybWFsIj5BbnkgaWRlYXMgaGVyZT88bzpwPjwvbzpwPjwvcD4NCjwvZGl2Pg0KPGRpdj4NCjxw
IGNsYXNzPSJNc29Ob3JtYWwiPjxvOnA+Jm5ic3A7PC9vOnA+PC9wPg0KPC9kaXY+DQo8ZGl2Pg0K
PHAgY2xhc3M9Ik1zb05vcm1hbCI+LS1LdXJ0IEFuZGVyc2VuPG86cD48L286cD48L3A+DQo8L2Rp
dj4NCjwvZGl2Pg0KPC9kaXY+DQpUaGlzIGluZm9ybWF0aW9uIGlzIGV4ZW1wdCB1bmRlciB0aGUg
RnJlZWRvbSBvZiBJbmZvcm1hdGlvbiBBY3QgMjAwMCAoRk9JQSkgYW5kIG1heSBiZSBleGVtcHQg
dW5kZXIgb3RoZXIgVUsgaW5mb3JtYXRpb24gbGVnaXNsYXRpb24uIFJlZmVyIGFueSBGT0lBIHF1
ZXJpZXMgdG8gbmNzY2luZm9sZWdAbmNzYy5nb3YudWsNCjwvYm9keT4NCjwvaHRtbD4NCg==

--_000_MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0MMXP12301MB1663_--


From nobody Mon Dec 18 08:03:30 2017
Return-Path: <smj@crash.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 657C612D7EF for <dmarc@ietfa.amsl.com>; Mon, 18 Dec 2017 08:03:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.111
X-Spam-Level: 
X-Spam-Status: No, score=-0.111 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=crash.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 34uP28cXiopJ for <dmarc@ietfa.amsl.com>; Mon, 18 Dec 2017 08:03:25 -0800 (PST)
Received: from segv.crash.com (segv.crash.com [IPv6:2001:470:1:1e9::4415]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DB0C12D7ED for <dmarc@ietf.org>; Mon, 18 Dec 2017 08:03:25 -0800 (PST)
Received: from [10.10.10.41] (70-36-157-26.dsl.static.fusionbroadband.com [70.36.157.26]) (authenticated bits=0) by segv.crash.com (8.14.5/8.14.5/cci-colo-1.6) with ESMTP id vBIG3Hrn056109 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for <dmarc@ietf.org>; Mon, 18 Dec 2017 08:03:23 -0800 (PST) (envelope-from smj@crash.com)
X-DKIM: OpenDKIM Filter v2.4.3 segv.crash.com vBIG3Hrn056109
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=crash.com; s=201506-2k; t=1513613003; bh=c22O/XASRvdDJ7mQI6gX9G+wboFwhJdfuzXcALxIdME=; h=Subject:To:References:From:Message-ID:Date:MIME-Version: In-Reply-To:Content-Type:Content-Transfer-Encoding; b=Ef1Et5i/dNdoO8w3e2cK0cBg+kQPxY/B1amdvB8NQUms7oUS7EQ/5E7I8TpnwFVIb 3szpH5w2mm7cJVJzMBzBLhIcSLUfj4GFPkNQAjMR/nrnDnDv3bB5w07xL1RCZI1QZ9 uuvYTlrR4UNjGA+1fFTcH1nfLDyxFrm3/i1dcur+LDn/cipVicT0bED7mPDIBg7YF6 ayCRs1XMbTtwrzVKSG1DDQYOcC2HrK2t9J8f+4gB++8cLYHMLLVvTRg8ejaWJRYFUJ GfunVXyfRpK3gXL635fq11GMV/LmxvYjcvo8j+0rfwvaSbekWMMRAREnnZsF+OuQUp xeNHL0fNWhBqw==
X-Authentication-Warning: segv.crash.com: Host 70-36-157-26.dsl.static.fusionbroadband.com [70.36.157.26] claimed to be [10.10.10.41]
To: dmarc@ietf.org
References: <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com> <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
From: Steven M Jones <smj@crash.com>
Organization: Crash Computing
Message-ID: <1590f0da-6c3b-22c1-c4ca-92deb9de09d4@crash.com>
Date: Mon, 18 Dec 2017 08:03:19 -0800
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Content-Language: en-US
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (segv.crash.com [72.52.75.15]); Mon, 18 Dec 2017 08:03:23 -0800 (PST)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7I20PG-rPHfVcKcc59whNN48_mY>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2017 16:03:28 -0000

Hullo Ian, good to hear from you.

Interesting observations with gov.uk. I confess I'm unclear on expected 
behavior for DMARC policies published at a label listed in the PSL 
itself, but this is certainly the right place to ask. And maybe there 
are some heuristics operating in the local policy space at receivers 
that need to be updated in light of last year's UK policy announcements...

--Steve.


From nobody Mon Dec 18 12:53:01 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5635812D88B for <dmarc@ietfa.amsl.com>; Mon, 18 Dec 2017 12:52:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level: 
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WK8d7laM1QwK for <dmarc@ietfa.amsl.com>; Mon, 18 Dec 2017 12:52:56 -0800 (PST)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 306D41200FC for <dmarc@ietf.org>; Mon, 18 Dec 2017 12:52:56 -0800 (PST)
Received: by mail-lf0-x231.google.com with SMTP id o26so5027763lfc.10 for <dmarc@ietf.org>; Mon, 18 Dec 2017 12:52:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=qq/UzM2eRerFv0ln5g+aRbOQPlXCG/xwTPUKQEW5pPY=; b=JOEV02aQQ55jcpNgdmunF0DufGMeu+070iR5NnE9ZdcjwOm7uhFiptr1HdYWJCpvMT npBF2SltP+AgwxbLIX/+qaCCRMsEij8jf349SGsHjJ9Kn6Zk42rH7m1vD6tlch6aKaMO dMPVoLhPaw3iNvt/YcDENF3pXq7JscOPRKQ3Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=qq/UzM2eRerFv0ln5g+aRbOQPlXCG/xwTPUKQEW5pPY=; b=N8gb0gEBiP+0mCC7d7bCRDU6ByXH04a0ItJWRNnaHkAnPFUnCXuVPPhB+7oijKV8Ij AP4rei82hipp5U8rrNZ7eP85Xknv1P3xWUHyKjN8/yRB78ZlgP9fJm+WqcUB/zyNxMy2 FoqsDkh24GXbzdlYhGgoVtncEFE0rrRSRNUJOLlGt/mlNdTLj+jvl2Sey1VZl8D/mvbD DPrvIxyzr/qZvRKtaYqyvTRnl8rOVC4VULTV3V6haMbxCnZEYm8LF2zReVy8DxmGx58h AgMsJa16QMBpuEpkS61MR2Vq+0OLAlEA6lkpi9avYBFVQyi23fftrgobWyavumH8+615 v19w==
X-Gm-Message-State: AKGB3mLLTnW70H8574B/pW/GpY3XhQYFJhyzltzUg0s8UcwWkjOb3ycU fmk2s235D+G+Zc8vLmno4cOX59KZLIlBclywGPOCdg==
X-Google-Smtp-Source: ACJfBotjRjPVUUMAcCaqbq5B5q6LJf51Fm9OfpWlF6HAvV3Sr0XK69i6IJw9JiNTWQpgyXD19PTp5STi4DOzEvqmmY0=
X-Received: by 10.25.178.10 with SMTP id b10mr758173lff.13.1513630374250; Mon, 18 Dec 2017 12:52:54 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Mon, 18 Dec 2017 12:52:53 -0800 (PST)
In-Reply-To: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
References: <CABuGu1q+CsLWtPBDjf70gJvN2y6SvGp3ynevmh0vYrUHHt7gvw@mail.gmail.com> <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Mon, 18 Dec 2017 20:52:53 +0000
X-Google-Sender-Auth: 9xc-jXRCf0lIiat6t702w4viuqQ
Message-ID: <CABuGu1ohh1rzhVBbNALgW3RyaS2Qdy7NJYaJiKy2E1GUKXD_rA@mail.gmail.com>
To: Ian Levy <ian.levy@ncsc.gov.uk>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fa784c75f980560a388eb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/BVfrhmlia74l6QIa3NFY2xCAOKk>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Dec 2017 20:52:59 -0000

--f403045fa784c75f980560a388eb
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Dec 18, 2017 at 2:46 PM, Ian Levy <ian.levy@ncsc.gov.uk> wrote:

>
>
> . . .As part of the UK Government’s Active Cyber Defence programme, we’re
> trying to get DMARC across all public facing brands in the UK, starting
> with all public sector domains. We’ve found a couple of interesting things
> while trying to implement DMARC at scale.
>
>    1. <elided>
>
>
>    2. As we’ve started to make criminals’ lives harder in abusing
>    Government brands, they’re moving to deceptive domains (relatively easy to
>    manage) and non-existent subdomains of gov.uk. We’ve got over 5000
>    valid subdomains of gov.uk and not all of them are compliant with our
>    policies yet, so we can’t just set an sp=reject policy (and it’s not clear
>    it works in all circumstances anyway).
>

Even if you listed an "sp=reject" policy, it would only be seen for mail
that purported to come from gov.uk itself (so not helpful). As a
public-level suffix, gov.uk's DMARC record should never be seen for any
subdomains thereof (the algorithm checks an exact match domain and then
falls back to an org-level domain which would already be the non-existent
x.gov.uk, not gov.uk itself).

--Kurt

--f403045fa784c75f980560a388eb--
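
Added example, not part of the original thread and not code from any DMARC implementation: the lookup order described in the reply above (exact-match domain, then organizational domain, per RFC 7489), run against a constructed public-suffix subset and constructed TXT records. The zone contents, the name dept.gov.uk and all function names are assumptions; PSL wildcard and exception rules are not handled.

```python
"""DMARC policy discovery per RFC 7489 (sections 3.2 and 6.6.3), run offline.

Everything below is constructed for illustration: the public-suffix subset,
the TXT records, and the name dept.gov.uk. PSL wildcard/exception rules are
not handled.
"""

# Constructed subset of the Public Suffix List.
PUBLIC_SUFFIXES = {"uk", "gov.uk", "co.uk", "com"}

# Constructed TXT records, keyed by owner name.
ZONE = {
    "_dmarc.gov.uk": ["v=DMARC1; p=reject; sp=reject"],
    "_dmarc.dept.gov.uk": ["v=DMARC1; p=quarantine"],
    "_dmarc.example.com": ["v=DMARC1; p=none; sp=reject"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; NXDOMAIN and NODATA both yield []."""
    return ZONE.get(name.lower(), [])


def organizational_domain(domain, suffixes=PUBLIC_SUFFIXES):
    """Longest matching public suffix plus one more label (RFC 7489, 3.2).

    A name that is itself a public suffix has no label to add, so it is
    returned unchanged.
    """
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # i == 0 tries the longest candidate
        if ".".join(labels[i:]) in suffixes:
            return ".".join(labels[max(i - 1, 0):])
    # No rule matched: the PSL default rule "*" makes the last label the suffix.
    return ".".join(labels[-2:])


def parse_record(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag of a valid record.
    return tags if next(iter(tags.items()), None) == ("v", "DMARC1") else None


def discover_policy(from_domain, lookup=lookup_txt):
    """Return (names_queried, record_owner, policy_applied) for a From: domain."""
    domain = from_domain.lower().rstrip(".")
    org = organizational_domain(domain)
    queried = []
    # Exact match first, then the organizational domain if it differs.
    for candidate in dict.fromkeys([domain, org]):
        name = "_dmarc." + candidate
        queried.append(name)
        records = [r for r in map(parse_record, lookup(name)) if r]
        if len(records) > 1:              # ambiguous: discovery terminates
            break
        if records:
            tags = records[0]
            # sp= is honoured only when a subdomain falls back to the org record.
            inherited = candidate != domain
            policy = tags.get("sp", tags.get("p")) if inherited else tags.get("p")
            return queried, candidate, policy
    return queried, None, None


if __name__ == "__main__":
    for d in ("gov.uk", "baddomain.gov.uk", "mail.dept.gov.uk", "nosuch.example.com"):
        print(d, "->", discover_policy(d))
```

For baddomain.gov.uk the only name queried is _dmarc.baddomain.gov.uk, so the record at _dmarc.gov.uk is never consulted, while nosuch.example.com does inherit sp=reject because example.com is an organizational domain rather than a public suffix.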


From nobody Tue Dec 19 06:41:22 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 107641241FC; Tue, 19 Dec 2017 06:41:20 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dmarc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.68.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <151369448002.7411.3989576169791680146@ietfa.amsl.com>
Date: Tue, 19 Dec 2017 06:41:20 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7fNgGWZndO4DQoFQp-oxMIv1L3g>
Subject: [dmarc-ietf] I-D Action: draft-ietf-dmarc-arc-protocol-10.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 14:41:20 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain-based Message Authentication, Reporting & Conformance WG of the IETF.

        Title           : Authenticated Received Chain (ARC) Protocol
        Authors         : Kurt Andersen
                          Brandon Long
                          Steven Jones
                          Seth Blank
        Filename        : draft-ietf-dmarc-arc-protocol-10.txt
        Pages           : 49
        Date            : 2017-12-19

Abstract:
   The Authenticated Received Chain (ARC) protocol creates a mechanism
   whereby a series of handlers of an email message can conduct
   authentication of the email message as it passes among them on the
   way to its destination, and record the status of that authentication
   at each step along the handling path, for use by the final recipient
   in making choices about the disposition of the message.  Changes in
   the message that might break DKIM or DMARC can be identified through
   the ARC set of header fields.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10
https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-protocol-10

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-protocol-10


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Dec 19 06:41:42 2017
Return-Path: <internet-drafts@ietf.org>
X-Original-To: dmarc@ietf.org
Delivered-To: dmarc@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1721F127342; Tue, 19 Dec 2017 06:41:31 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: internet-drafts@ietf.org
To: <i-d-announce@ietf.org>
Cc: dmarc@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.68.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <151369449106.7419.13734857322660686674@ietfa.amsl.com>
Date: Tue, 19 Dec 2017 06:41:31 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Jz1FLUejdqfTZ99k_4kCpQ0sLxc>
Subject: [dmarc-ietf] I-D Action: draft-ietf-dmarc-arc-usage-03.txt
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 14:41:31 -0000

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Domain-based Message Authentication, Reporting & Conformance WG of the IETF.

        Title           : Recommended Usage of the Authenticated Received Chain (ARC)
        Authors         : Steven Jones
                          Kurt Andersen
                          John Rae-Grant
                          J. Trent Adams
        Filename        : draft-ietf-dmarc-arc-usage-03.txt
        Pages           : 18
        Date            : 2017-12-19

Abstract:
   The Authentication Received Chain (ARC) provides a means to preserve
   email authentication results and verify the identity of email message
   handlers, each of which participates by inserting certain header
   fields before passing the message on.  But the specification does not
   indicate how intermediaries and receivers should interpret or utilize
   ARC.  This document will provide guidance in these areas.


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-usage/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-dmarc-arc-usage-03
https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-usage-03

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-usage-03


Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/


From nobody Tue Dec 19 06:50:13 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E35BD1241FC for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 06:50:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u7Xo3iwfCSYA for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 06:50:04 -0800 (PST)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F8D2126C25 for <dmarc@ietf.org>; Tue, 19 Dec 2017 06:50:04 -0800 (PST)
Received: by mail-lf0-x22f.google.com with SMTP id u84so511782lff.7 for <dmarc@ietf.org>; Tue, 19 Dec 2017 06:50:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:from:date:message-id:subject:to; bh=+fvJqZwSrSxWNsRWOPsG3RDXeqvgyvAVy19TG2WtqoU=; b=PvWIDibK9KjMVLAzpBXNVt5ihyKlJjOYtBKHq6/R/+5Pi/YHbpn/T98Hf+9Egi1skX hQ8NOBMlQBf8z2g/LZpRJFRJr1CQmFVQR8ldQPkYODQO+/A37TKMyvdAtFbx6mdO9ihw tQmTmJ1nOwn2wB7bBZIMKMeIqFx8CJZ8sFpZ0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=+fvJqZwSrSxWNsRWOPsG3RDXeqvgyvAVy19TG2WtqoU=; b=bBjYbFAxlFkPcarDVGin9y7iOTX/F5L54PQiyKF/ZGT5Ign/eLyfpoN1otjGgl+gKq 8DOP0lDzymGuwtQZMvuoExsBMCNkmQ3cdnHJjBLJCuht9Jc0IC1wV4MAeRczavfbeT0g tjlrNap41thl84rmIJkfafVpPnvU63csFFo/d0S7awJQfmC06dGprJ+rOwWcdjW8NF0H wV7tHAsxjxLg5Mzy4RzHFcdIps+taVrvoQCLPKyUaCjQ027gGPpRS62oyj0qtIbZam6L 3I0mgNj1s5E5Wr0x7z0nTr7GU1srGE6fS8/orkLpDvgg2nFpo6q059KX0U8Gg+wuch1h j4JA==
X-Gm-Message-State: AKGB3mKDi7pQZeX4arKtJuzaUHWwy0Xj8QsLu2Rfx7ddvVl3dpfG4Rnj xS7sxAL93l8M7zD3mLjQCpfuCT3ajTylF51eqZCOiRmWVSg=
X-Google-Smtp-Source: ACJfBotD22+PiYoeutcDCfsvY9/xEVgAA0KvUzGWoQZFMLggZMyBVtbCpiUUOJlM5vxFGKg71B+5D074VcV2jsSt/TE=
X-Received: by 10.46.22.15 with SMTP id w15mr2472414ljd.17.1513695002030; Tue, 19 Dec 2017 06:50:02 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Tue, 19 Dec 2017 06:49:10 -0800 (PST)
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Tue, 19 Dec 2017 14:49:10 +0000
X-Google-Sender-Auth: zumReHFKpQ3BZlerBMFHGz8fxWk
Message-ID: <CABuGu1rTxFPeJx7uisO7K-TSg8dua==c5OM6geAm7+aNzcfa+A@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fc1b8e617d40560b2946d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UFPmg2-gsy_g2eEJzu0hKE3BS80>
Subject: [dmarc-ietf] New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 14:50:12 -0000

--f403045fc1b8e617d40560b2946d
Content-Type: text/plain; charset="UTF-8"

I've just posted new drafts of both the protocol and usage documents:

Name: draft-ietf-dmarc-arc-protocol
Revision: 10
Title: Authenticated Received Chain (ARC) Protocol
Document date: 2017-12-19
Group: dmarc
Pages: 49
URL:            https://www.ietf.org/internet-drafts/draft-ietf-dmarc-arc-protocol-10.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-protocol/
Htmlized:       https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-protocol-10
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-protocol-10

and

Name: draft-ietf-dmarc-arc-usage
Revision: 03
Title: Recommended Usage of the Authenticated Received Chain (ARC)
Document date: 2017-12-19
Group: dmarc
Pages: 18
URL:            https://www.ietf.org/internet-drafts/draft-ietf-dmarc-arc-usage-03.txt
Status:         https://datatracker.ietf.org/doc/draft-ietf-dmarc-arc-usage/
Htmlized:       https://tools.ietf.org/html/draft-ietf-dmarc-arc-usage-03
Htmlized:       https://datatracker.ietf.org/doc/html/draft-ietf-dmarc-arc-usage-03
Diff:           https://www.ietf.org/rfcdiff?url2=draft-ietf-dmarc-arc-usage-03

The pertinent changes are as follows:

Protocol:
* Update section 4 using Seth's suggested "protocol elements" section with
some editorial adjustments and incorporating the few feedback suggestions
which had come in on the list;
* Move the "instance" definition into section 5
* Update the AAR definition section (formerly 5.1) using Seth's suggested
7601bis wording (also adjusting for feedback that came in on the list) and
annotating the section to be adjusted if we can kick off the 7601bis work
in a timely fashion;
* Various other tweaks and adjustments to clean up the prose here and there

Usage:
* Incorporate Seth's "experiment" write-up as an "open questions" section
with various adjustments to the wording to reflect the "open questions we
would like to understand" adjustment.

--Kurt

--f403045fc1b8e617d40560b2946d--


From nobody Tue Dec 19 08:34:29 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1087F127369 for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 08:34:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.761
X-Spam-Level: 
X-Spam-Status: No, score=-1.761 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=GOiq02NY; dkim=pass (1536-bit key) header.d=taugh.com header.b=gOOoXqxo
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id noOxcVY33Jen for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 08:34:27 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3AE5C1270AC for <dmarc@ietf.org>; Tue, 19 Dec 2017 08:34:27 -0800 (PST)
Received: (qmail 78649 invoked from network); 19 Dec 2017 16:34:26 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:subject:mime-version:content-type:content-transfer-encoding; s=13337.5a393f92.k1712; bh=7ZVboDcui0ZsNjdZBFJUWyQaRxbL06ft3YM4fu+KepQ=; b=GOiq02NYWZik5tN0MHEJUB/nTQwN0lUrEpjFbUZgQUURLjHi2QqmJoDEzCfW71vgusiTh2eXV/PP3tsaSvNzQ9Wfr2ue8g3hUzRG83P+EpDqf1LEK/LrCvhd8Ggg/gwIbFUoBFdrbEGDJ4LLNLm3grjYHDvXdLvf2gMF+I4fTLmvZJsip7mV1huPj67j2pUTc6WvCA+cgDCTRXBX22PGLpORglKwiYAGJSnUATJM3EqZ1eDUxWoKAcatNgbkKtxj
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:subject:mime-version:content-type:content-transfer-encoding; s=13337.5a393f92.k1712; bh=7ZVboDcui0ZsNjdZBFJUWyQaRxbL06ft3YM4fu+KepQ=; b=gOOoXqxoN3LxxHUckvrh7dJePYrodwNZ4lgpxI0cVVOXAWxV2Dnr//O5hm4VekZDIm7Ug6kXCsstZBLlOkC6KCCMfZI06BGxaffuWyidyoGO8ObB0y8ShP+a03T/iypZgEi+pyTsJxL/BUBjVP/KYAXnmZm8sKKmPK8oN4LvIk15/NKZm35+zELI4iaUnsBt4sp5Z6JlclvQ/rP/fhV1kyW09jcvVkRwqp2ydiYW1DpmdbnTLKGwjXkOIj2vTU+j
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 19 Dec 2017 16:34:26 -0000
Received: by ary.qy (Postfix, from userid 501) id F3A371829473; Tue, 19 Dec 2017 11:34:25 -0500 (EST)
Date: 19 Dec 2017 11:34:25 -0500
Message-Id: <20171219163425.F3A371829473@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ommZ6z2x2s007scFH_X2U67IQNo>
Subject: [dmarc-ietf] Duplicate DMARC records and tags?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 16:34:28 -0000

Dunno if this ever came up before.  What, if anything, does this mean?

_dmarc.example.com IN TXT "v=DMARC1; p=none"
_dmarc.example.com IN TXT "v=DMARC1; p=reject"

Looking through RFC 7489 I don't see anywhere that it says that more
than one record is forbidden.

For that matter, what if anything does this mean?

_dmarc.example.com IN TXT "v=DMARC1; p=none; p=reject"

In 7489 it says "DMARC records follow the extensible "tag-value"
syntax for DNS-based key records defined in DKIM [DKIM]."  I hope that
means they follow the DKIM rule that duplicate tags make the whole
record invalid, but that could be clearer.

R's,
John

PS: This came up when I was reading a guy's code where he carefully
looks at multiple records and somehow decides which one to believe.


From nobody Tue Dec 19 09:15:53 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9426112D95A for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 09:15:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.76
X-Spam-Level: 
X-Spam-Status: No, score=-1.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=pAZAonfi; dkim=pass (1536-bit key) header.d=taugh.com header.b=Urxi5gbb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gcLyTB8HR3Em for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 09:15:50 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3226E12D838 for <dmarc@ietf.org>; Tue, 19 Dec 2017 09:15:50 -0800 (PST)
Received: (qmail 85113 invoked from network); 19 Dec 2017 17:15:49 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=14c77.5a394945.k1712; bh=xVHkoigann4Lft2HDY3oBhhzH5amiVP5pA+OnnpEyVs=; b=pAZAonfiGghCc2ZbxdRgMGc49CxsOnXs/1b5q0dS+5ZdFscXXW1sOE+mvFVmtlDmMqVXM6fFHl7sFeCB3kzqByvmv1opJoBKGnDSFtR45dAE1TG6gxlNmKzpE5/dCucd94bVHU9m3C1JOFxD74YzXlkmfVNK+rUcTQR4OTCEBEv3Gtg0ZRUsvN0nMXL0q5oAtMdy79MgvhCTAjJi8WAUAqqfR8XyR6fzrmaWqAMcceh47bObMM1q91f2HoBEAqBW
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=14c77.5a394945.k1712; bh=xVHkoigann4Lft2HDY3oBhhzH5amiVP5pA+OnnpEyVs=; b=Urxi5gbb1SKuuOiHYC2an0Rp4fZeF4+BEfpNYgD9Og9Xf3m3UhzryI7QMVZQwWB5JXMGQdTNZKcKKNkmqGuedGA8H24SzkptE55HfQJQal6RYpwtqrsu6Rc39RzfUp1Y/0Tz0u4prqciwtQe+XUijATTGKhCULtJLBoaXC2MbIDqMuWHbNPDZiM0fzG7FPCMEh0EAFIjsccvsfpqHA1G2yUkC1BdjjQB6uR52Q6D1iMGT7RcwCJP0ZuB9R7I5H5R
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 19 Dec 2017 17:15:49 -0000
Received: by ary.qy (Postfix, from userid 501) id EA07418299CE; Tue, 19 Dec 2017 12:15:48 -0500 (EST)
Date: 19 Dec 2017 12:15:48 -0500
Message-Id: <20171219171548.EA07418299CE@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: ian.levy@ncsc.gov.uk
In-Reply-To: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sd6SxgCJYYzcAOPCZUQgelLgnKQ>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 17:15:51 -0000

> We can’t just
>use a wildcard CNAME record because there doesn’t seem to be any way to generate the necessary second level subdomain that we
>need (the _dmarc.baddomain.gov.uk).

As you surmise, that won't work.  For one thing _dmarc.*.gov.uk isn't
a wildcard, and for another, *.gov.uk only matches names that don't
already exist and don't have an existing parent.  So if, for example, mod.gov.uk
exists, *.mod.gov.uk won't match.  This is not considered to be a bug.

> DNAME would be the most obvious way to do this, but it’d need a wildcard DNAME and they’re
>‘frowned upon’ ☺.

Indeed they are, because they don't work either.  You cannot have any
DNS records or any NS delegations below a DNAME.  In practice DNAMEs
are not very useful.

> Before we start thinking about doing something kludgy (probably looking for failed lookups for TXT records
>in logs and adding the subdomain to the zone, which sucks), does anyone have any ideas that we could try? I can’t believe this is
>the first time this has been encountered!

Honestly, you need to figure out how to get the attention of the
people to whom you have delegated subdomains and have them fix their
DNS.  I realize this is not easy.

I have often surmised that rather than delegating subdomain zones,
you're much better off with one big zone with a provisioning system that
lets people mess with the records in their subtree.  Then it's still
your provisioning system so if they get things wrong, or you want to
help them set up records like SPF or DMARC that they haven't gotten
around to doing themselves, you can just do it.

R's,
John

-- 
Regards,
John Levine, johnl@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Tue Dec 19 09:50:36 2017
Return-Path: <sca@andreasschulze.de>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9DB0E126DD9 for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 09:50:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andreasschulze.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AqqPP2FGmJ1B for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 09:50:33 -0800 (PST)
Received: from mail.somaf.de (mail.somaf.de [IPv6:2001:470:77b3:100::7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF6061241F5 for <dmarc@ietf.org>; Tue, 19 Dec 2017 09:50:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=andreasschulze.de; s=ybz; t=1513705829; x=1518705829; bh=NcetfKuKZPpvztXkaZZphnJ5BV8PROPUjjE2hLm8UWk=; h=Subject:To:References:From:Message-ID:Date:In-Reply-To: Content-Type:from:reply-to:subject:date:to:cc:content-type: message-id; b=Az0adXEhmZMfjIy8/aA8ahNva3b0SfPeA7kgVWhhQ8MQlcMe7u7b/RkRzA+cyXHPD C6EWIY9//GjCBQdQKe6YAxX3/+ISX68TgewKRq0gZpQpohGAiI6VaUP9RQ6jE854RH 4U8EdSc69zOri9Nle/szsrkJZsMATdHU8WbFuOIUrrmkqkndf9Pm+R0iJdriFlrG3W YfuR2dhFu0Tc+U45nmkVOjpcbocyx6MBwkN73lI9KdCpQYsxxO59EC4GJebwcgc2/A CPEjgF8WWBB8TUpHzgiqL7YAlmM+cLWAWbAQjxVVr85bc9GFw4KVQ32TI4238PiidZ LxvdfjsxqAv6Q==
To: dmarc@ietf.org
References: <20171219163425.F3A371829473@ary.qy>
From: "A. Schulze" <sca@andreasschulze.de>
Message-ID: <2ad88ca8-066c-1a64-dfd8-f17f1ffc773c@andreasschulze.de>
Date: Tue, 19 Dec 2017 18:50:13 +0100
MIME-Version: 1.0
In-Reply-To: <20171219163425.F3A371829473@ary.qy>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6I7o0gep4pNAYJQQNk8zh6ZnNwg>
Subject: Re: [dmarc-ietf] Duplicate DMARC records and tags?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 17:50:36 -0000

On 19.12.2017 at 17:34, John Levine wrote:
> Dunno if this ever came up before.  What, if anything, does this mean?
> 
> _dmarc.example.com IN TXT "v=DMARC1; p=none"
> _dmarc.example.com IN TXT "v=DMARC1; p=reject"

Hello John,

https://tools.ietf.org/html/rfc7489#section-6.1 says
.. MUST concatenate these strings ...

One may read the example above like "v=DMARC1; p=none v=DMARC1; p=reject"
which is invalid thus must be ignored.

> Looking through RFC 7489 I don't see anywhere that it says that more
> than one record is forbidden.
yes, that would make it clear.
 
> For that matter, what if anything does this mean?
> 
> _dmarc.example.com IN TXT "v=DMARC1; p=none; p=reject"
I would expect this to be valid but the result depends on the implemented parser
thus is not predictable. Could be p=none OR p=reject
 
> In 7489 it says "DMARC records follow the extensible "tag-value"
> syntax for DNS-based key records defined in DKIM [DKIM]."
... or this...

> I hope that 
> means they follow the DKIM rule that duplicate tags make the whole
> record invalid, but that could be clearer.
+1

Andreas


From ezekielh@umich.edu  Tue Dec 19 10:36:24 2017
Return-Path: <ezekielh@umich.edu>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D9C4126CBF for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 10:36:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.724
X-Spam-Level: 
X-Spam-Status: No, score=-2.724 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FAKE_REPLY_C=1.486, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nchdOa5FHGyd for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 10:36:22 -0800 (PST)
Received: from defiant-yurei.egress.a.mail.umich.edu (egress-host.a.mail.umich.edu [52.37.117.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E92F91200F1 for <dmarc@ietf.org>; Tue, 19 Dec 2017 10:36:20 -0800 (PST)
Received: from fair-pyrrha.smtp-test.a.mail.umich.edu (ip-172-31-1-146.us-west-2.compute.internal [172.31.1.146]) by defiant-yurei.egress.a.mail.umich.edu with ESMTPS id 5A395C24.4748B.236CA7AC.26244; Tue, 19 Dec 2017 13:36:20 -0500
Received: from marwnad.com (vereveel.marwnad.com [45.79.218.81]) by fair-pyrrha.smtp-test.a.mail.umich.edu with ESMTPSA id 5A395C23.B500F.DE0C0BA.30284; Tue, 19 Dec 2017 13:36:19 -0500
Date: Tue, 19 Dec 2017 18:36:16 +0000
From: Zeke Hendrickson <ezekielh@umich.edu>
To: dmarc@ietf.org
Message-ID: <20171219183616.GA6778@marwnad.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20171219163425.F3A371829473@ary.qy>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/wMDPt6JEYFbNr6IDOcLLk1IEHao>
Subject: Re: [dmarc-ietf] Duplicate DMARC records and tags?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 18:38:23 -0000

On Tue, Dec 19, 2017 at 11:34:25 -0500, johnl@taugh.com wrote:
>
> Dunno if this ever came up before.  What, if anything, does this mean?
>
> _dmarc.example.com IN TXT "v=DMARC1; p=none"
> _dmarc.example.com IN TXT "v=DMARC1; p=reject"
>
> Looking through RFC 7489 I don't see anywhere that it says that more
> than one record is forbidden.

Section 6.6.3, Policy Discovery.

"If the remaining set contains multiple records or no records,
policy discovery terminates and DMARC processing is not applied
to this message."

> For that matter, what if anything does this mean?
>
> _dmarc.example.com IN TXT "v=DMARC1; p=none; p=reject"

> In 7489 it says "DMARC records follow the extensible "tag-value"
> syntax for DNS-based key records defined in DKIM [DKIM]."  I hope that
> means they follow the DKIM rule that duplicate tags make the whole
> record invalid, but that could be clearer.

The definition of tag-value syntax in [DKIM] section 3.2 says "Tags
with duplicate names MUST NOT occur within a single tag-list; if a tag
name does occur more than once, the entire tag-list is invalid." This
language could be repeated in the DMARC specification, but I don't see
any real reason to do so.

There's also a formal ABNF definition in 7489 section 6.4 which shows
that duplicate tags aren't allowed.

-- 
Zeke Hendrickson (ezekielh@umich.edu)
University of Michigan | Information and Technology Services 
Infrastructure | Application Operations | Application Delivery Support
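
The two rules cited in this thread (RFC 7489 section 6.6.3 on multiple records, and the DKIM tag-list rule on duplicate tags), worked through as a strict policy-selection routine. This is an added example, not code from any list participant or from the RFCs; the function names, status strings and sample records are constructed for illustration, and the step that discards records not beginning with v=DMARC1 is taken from RFC 7489's policy discovery.

```python
import re

# DKIM tag names: a letter followed by letters, digits or "_" (case-sensitive).
TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
# A DMARC policy record must begin with the version tag.
VERSION_PREFIX = re.compile(r"\s*v\s*=\s*DMARC1\s*(;|\Z)")


class InvalidTagList(ValueError):
    """Raised when a record breaks the DKIM tag-list rules."""


def parse_tag_list(text):
    """Parse a DKIM-style tag-list; a duplicate tag name invalidates all of it."""
    parts = text.split(";")
    if parts and not parts[-1].strip():
        parts.pop()  # a single trailing ";" is permitted
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not TAG_NAME.match(name):
            raise InvalidTagList(f"malformed tag-spec: {part!r}")
        if name in tags:
            # No "first wins" or "last wins": the whole record is rejected.
            raise InvalidTagList(f"duplicate tag: {name!r}")
        tags[name] = value
    return tags


def discover_policy(rrset):
    """Return (status, tags) for the TXT RRset found at _dmarc.<domain>.

    rrset is a list of TXT records; each record is a list of
    character-strings, the shape a resolver library typically returns.
    """
    # Strings inside ONE record are concatenated (RFC 7489 section 6.1).
    # Separate records are never joined to each other.
    records = ["".join(strings) for strings in rrset]
    candidates = [r for r in records if VERSION_PREFIX.match(r)]
    if not candidates:
        return ("no-record", None)
    if len(candidates) > 1:
        # Section 6.6.3: policy discovery terminates, no DMARC processing.
        return ("multiple-records", None)
    try:
        return ("ok", parse_tag_list(candidates[0]))
    except InvalidTagList:
        return ("invalid-record", None)


def lenient_p(text, keep="last"):
    """What a non-strict parser might return for p= (for contrast only)."""
    pairs = (part.partition("=") for part in text.split(";"))
    values = [v.strip() for k, _, v in pairs if k.strip() == "p"]
    return values[-1] if keep == "last" else values[0]


# Constructed sample RRsets, modelled on the records quoted in the thread.
SAMPLES = {
    "two_records": [["v=DMARC1; p=none"], ["v=DMARC1; p=reject"]],
    "duplicate_tag": [["v=DMARC1; p=none; p=reject"]],
    "split_strings": [
        ["v=DMARC1; p=rej", "ect; rua=mailto:dmarc@example.com"],
        ["unrelated TXT data"],
    ],
}

if __name__ == "__main__":
    for label, rrset in SAMPLES.items():
        print(label, discover_policy(rrset))
    dup = SAMPLES["duplicate_tag"][0][0]
    print("lenient parsers disagree:", lenient_p(dup, "first"), lenient_p(dup, "last"))
```

The `lenient_p` helper shows why the strict rule matters to a receiver: two tolerant parsers reading the same duplicated record can enforce different policies for the same domain.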


From nobody Tue Dec 19 10:49:20 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A69D6126CBF for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 10:49:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.76
X-Spam-Level: 
X-Spam-Status: No, score=-1.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=AYt7SEdb; dkim=pass (1536-bit key) header.d=taugh.com header.b=BVMtlfnp
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WQCxZMTQN_Oc for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 10:49:17 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 522DF1200F1 for <dmarc@ietf.org>; Tue, 19 Dec 2017 10:49:17 -0800 (PST)
Received: (qmail 5899 invoked from network); 19 Dec 2017 18:49:16 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1709.5a395f2c.k1712; bh=h0vdLh1/DyuVPrdWsjUg8pTTrL09YuiljdeAt0C3axM=; b=AYt7SEdb6dePyhLDpR2ll7ROxNK5TuQTNuu4QkXfOK/J5yqmAYqN6gAPpdeHVkHAfEs5uOM1eio8unS7TNqrZYnM4XkNdZK22vkQzck5jp0yU8KdN8MyKISoeCU/1i8giuXOK6htTGoihegKFvqquZgx49EKQmoH7kUpkgUeJXMeIBUx972ILD6u6AxhtgbqwJbOxTye5nT7ZvMZW5iC6HO+7eU2V/p0LF2DI8OOtgHDCV/rQnRm5ozrEJrVdUG9
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1709.5a395f2c.k1712; bh=h0vdLh1/DyuVPrdWsjUg8pTTrL09YuiljdeAt0C3axM=; b=BVMtlfnpkZfQvD/zc8VOOdNm6IINLvoXmu1iYClkrHIjJgFem/IVlMzmn4wjFVbt5XxhXKTH0nZGYrOszdN2w9SgIO33odz3aFU5xdInEId+cJnO47Q7ryGidlqb7Yw3GaBVB8ue1Ps7IkMwbBu3qhkGHv6ZDw+SDXD+3ELHjppRD69KI0BmQppsh04kpbhlSnwF8PnwOrdQpO/KgkUeMTT7Zww4451QuaM2AWEEmIJIv9egbBy1CQsoYyqWYvbO
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 19 Dec 2017 18:49:16 -0000
Received: by ary.qy (Postfix, from userid 501) id 0E84A182B4C0; Tue, 19 Dec 2017 13:49:15 -0500 (EST)
Date: 19 Dec 2017 13:49:15 -0500
Message-Id: <20171219184916.0E84A182B4C0@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: sca@andreasschulze.de
In-Reply-To: <2ad88ca8-066c-1a64-dfd8-f17f1ffc773c@andreasschulze.de>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/mcRyRZiLKqEPXqZFbQ_8Jp3_j50>
Subject: Re: [dmarc-ietf] Duplicate DMARC records and tags?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 18:49:18 -0000

>> Dunno if this ever came up before.  What, if anything, does this mean?
>> 
>> _dmarc.example.com IN TXT "v=DMARC1; p=none"
>> _dmarc.example.com IN TXT "v=DMARC1; p=reject"
>
>https://tools.ietf.org/html/rfc7489#section-6.1 says
>.. MUST concatenate these strings ...

Nope, that's talking about strings in a single TXT record.  These are separate TXT records.


>> For that matter, what if anything does this mean?
>> 
>> _dmarc.example.com IN TXT "v=DMARC1; p=none; p=reject"

>I would expect this to be valid but the result depends on the implemented parser
>thus is not predictable. Could be p=none OR p=reject

I would prefer it's not valid.  If you can't figure out how to tell me
what your policy (or whatever) is I don't see why I should waste time
guessing.  It would also make the parsing rules compatible with DKIM.

R's,
John


From nobody Tue Dec 19 10:54:45 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F29D01200F1 for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 10:54:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.76
X-Spam-Level: 
X-Spam-Status: No, score=-1.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=zGkerTDO; dkim=pass (1536-bit key) header.d=taugh.com header.b=MCTNSObP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BBPNeTRnnRz0 for <dmarc@ietfa.amsl.com>; Tue, 19 Dec 2017 10:54:42 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D961512751F for <dmarc@ietf.org>; Tue, 19 Dec 2017 10:54:41 -0800 (PST)
Received: (qmail 7109 invoked from network); 19 Dec 2017 18:54:41 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1bc3.5a396071.k1712; bh=eFjUugNx/NoJx5Fonem35m+f/eaJCtFg0Cg5vuAjegE=; b=zGkerTDOD85kaMKTr3/3NSltyIu6JuHhSOxsGUn4+fYUh5dfnaczw5UyApE/ArtbOZE7AO1jez7pEDXHwvzVskJSrr6849u+36YDpHBRLpPmb8hVnbng7pW/nK2QqTPyn9pWGFV1x8ClJj9Hio6BQqb+F8vJ4CK7/ykFj2NyDKmjFdUwCIqyXlqPZwXyfpAorY+zyxTU8NJptHYwKQj5ejBbZDnG3E18EaSYhgXA29JyFOGkH5yuJUYp5Q9ojMRa
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=1bc3.5a396071.k1712; bh=eFjUugNx/NoJx5Fonem35m+f/eaJCtFg0Cg5vuAjegE=; b=MCTNSObPmsswvtRsM9V2XSHTEWrHCGtZX35fAUdfLXImxzuCt6BRflusjnA9hqgjkdZCNPEHFg2HL8Hk+0tf2U7PCuZTcSttXo1ojgj7u4C/zL6d88KC1ATvnMLJYdNqeiybdVOd7kz7W9dQMROo7X4IMD5WgoED7XDkswPZ/hMnmYp4/k+BE0Lbo5gH0Ev/ybkNNWVzrEERKKoTX+5G6mwE2hB8MW3w/46+5544GAF7c+Fm/T/fpno2TNALKKuX
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 19 Dec 2017 18:54:40 -0000
Received: by ary.qy (Postfix, from userid 501) id AC8CF182B514; Tue, 19 Dec 2017 13:54:40 -0500 (EST)
Date: 19 Dec 2017 13:54:40 -0500
Message-Id: <20171219185440.AC8CF182B514@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: ezekielh@umich.edu
In-Reply-To: <20171219183616.GA6778@marwnad.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/glsyFdHhQ5yz30GF4CRK5PLWWA4>
Subject: Re: [dmarc-ietf] Duplicate DMARC records and tags?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Dec 2017 18:54:43 -0000

In article <20171219183616.GA6778@marwnad.com> you write:
>Section 6.6.3, Policy Discovery.
>
>"If the remaining set contains multiple records or no records,
>policy discovery terminates and DMARC processing is not applied
>to this message."

Oh, look at that.  Thanks.

>> For that matter, what if anything does this mean?
>>
>> _dmarc.example.com IN TXT "v=DMARC1; p=none; p=reject"
>
>> In 7489 it says "DMARC records follow the extensible "tag-value"
>> syntax for DNS-based key records defined in DKIM [DKIM]."  I hope that
>> means they follow the DKIM rule that duplicate tags make the whole
>> record invalid, but that could be clearer.
>
>The definition of tag-value syntax in [DKIM] section 3.2 says "Tags
>with duplicate names MUST NOT occur within a single tag-list; if a tag
>name does occur more than once, the entire tag-list is invalid." This
>language could be repeated in the DMARC specification, but I don't see
>any real reason to do so.
>
>There's also a formal ABNF definition in 7489 section 6.4 which shows
>that duplicate tags aren't allowed.

I see that, but unfortunately the DMARC ABNF doesn't match the prose.
Section 6.3 says that unknown tags are ignored, but the ABNF syntax
doesn't allow them.

R's,
John
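
The rules quoted in this message (RFC 7489 section 6.6.3 policy discovery, the DKIM tag-list duplicate rule, and the section 6.3 prose that unknown tags are ignored) can be checked together. This is an added Python example, not code from the list or from any DMARC implementation; treating a record with duplicate tags as "no usable policy" is the reading the message hopes for and is an assumption here, and the `zz` tag is constructed.

```python
import re

# RFC 6376 section 3.2: tag-name = ALPHA *(ALPHA / DIGIT / "_"), case-sensitive.
_TAG_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")
# RFC 7489 section 6.6.3: records that do not start with the version tag are discarded.
_DMARC_VERSION = re.compile(r"^v[ \t]*=[ \t]*DMARC1[ \t]*(;|$)")
# Tags defined in RFC 7489 section 6.3; per its prose, anything else is ignored.
KNOWN_TAGS = {"v", "p", "sp", "rua", "ruf", "adkim", "aspf", "ri", "fo", "rf", "pct"}


class InvalidRecord(ValueError):
    """The tag-list as a whole is unusable."""


def parse_tag_list(record):
    """Parse a DKIM-style tag=value list; a repeated tag name invalidates all of it."""
    parts = record.split(";")
    if parts[-1].strip() == "":
        parts.pop()  # a single trailing ";" is permitted
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not _TAG_NAME.match(name):
            raise InvalidRecord(f"malformed tag-spec: {part!r}")
        if name in tags:
            raise InvalidRecord(f"duplicate tag: {name!r}")
        tags[name] = value
    return tags


def parse_dmarc(record):
    """Return the known DMARC tags of one record, dropping unknown ones."""
    tags = parse_tag_list(record)
    # dicts keep insertion order, so the first key is the first tag in the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise InvalidRecord("v=DMARC1 must be the first tag")
    return {k: v for k, v in tags.items() if k in KNOWN_TAGS}


def discover_policy(txt_rrset):
    """Apply the 'multiple records or no records' rule to one TXT RRset.

    Returns (status, tags); tags is None unless status is "ok".
    Assumption: an invalid record means DMARC is not applied. The RFC's
    fallback for a record with rua but no valid p tag is not modelled.
    """
    candidates = [r for r in txt_rrset if _DMARC_VERSION.match(r)]
    if not candidates:
        return ("none", None)
    if len(candidates) > 1:
        return ("multiple", None)
    try:
        return ("ok", parse_dmarc(candidates[0]))
    except InvalidRecord:
        return ("invalid", None)


# Constructed sample RRsets, as they would come back for _dmarc.example.com.
SAMPLES = {
    "duplicate p tag": ["v=DMARC1; p=none; p=reject"],
    "two DMARC records": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "SPF record in the same RRset": ["v=spf1 -all", "v=DMARC1; p=reject; zz=1"],
    "no DMARC record": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for label, rrset in SAMPLES.items():
        print(f"{label:30} -> {discover_policy(rrset)}")
```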


From nobody Wed Dec 20 00:29:34 2017
Return-Path: <ian.levy@ncsc.gov.uk>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7D601200C1 for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 00:29:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level: 
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LXlsDfX510sR for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 00:29:29 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10119.outbound.protection.outlook.com [40.107.1.119]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B530A126DFF for <dmarc@ietf.org>; Wed, 20 Dec 2017 00:29:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=TZmJg0vNys6o6P6cmwn1VeVdrFyuwX9mInFs/ntXquM=; b=aK0PpCfIwwdSsPN4+U0w6XIgfJBf0A0sThyi2MrfKISNmvZip17Xv4X4FDWLtZhFpiKH9MmQAXk1Rs8CtAjxqy0O/Kp0xpbGquiYn5KSWzhqAhxhhlEbNzSUI3cLfpEIwex3d8+pcmjY4eqlrH3s6c9ILl9JiuLPa7zaD/uCrsQ=
Received: from MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM (10.166.240.152) by MMXP12301MB1664.GBRP123.PROD.OUTLOOK.COM (10.166.242.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.345.14; Wed, 20 Dec 2017 08:29:25 +0000
Received: from MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM ([10.166.240.152]) by MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM ([10.166.240.152]) with mapi id 15.20.0345.013; Wed, 20 Dec 2017 08:29:25 +0000
From: Ian Levy <ian.levy@ncsc.gov.uk>
To: John Levine <johnl@taugh.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Preventing abuse of public-suffix-level domains
Thread-Index: AQHTdevoT2ysiWzEvUO1V0Z1nq0wk6NHbc2AgAOAYQCAAPZqoA==
Date: Wed, 20 Dec 2017 08:29:25 +0000
Message-ID: <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy>
In-Reply-To: <20171219171548.EA07418299CE@ary.qy>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ian.levy@ncsc.gov.uk; 
x-originating-ip: [165.225.81.40]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MMXP12301MB1664; 6:CWpRwx9BhZdyTXHf8GemjMzT36StkuDSD21ztcB1axzHaM8HAGzfnEPEdi746Etx4yCHteBaZovq+AkQWE7d17Pbw++oR1hmfXXLq8usRs6AAZwjQkXpCg7dzhqIB8RobuQOBLJ7Z6GRN4jgRKltg3saXppDNiu1+JThz8mV+SZZrR1oHuVB1jumFpZHibNghndEJ2OBgJBNesCGzRleOrvp3K1t6BQp8WBZcRzCtvVmYuU45yMiFiJYJ7vUEaO43TBRyFWfndhKLj1Mk5M8HzKv95wG/HeUE43JX5TniSAQeagO/NzaBCys2ATktq+gPT7IyQZUYcNl1x/iwVidCUMwlaEpZZvMLruec5wUyMc=; 5:zDP7Q9DIHDijXW31PC0fxVMASW1lwTez9+iBB7HS/gY82pgYHj3KAji9RZ70ueQextHpfYo37ZsnFuOklrS2epcSgClUXNjk13SEkRICOtkbLgk/hUWvm8sdy+jaEy7wZUPHamg+dp3cnIzq1TNNMeZDMn533q0uhRR0Qz1LoFE=; 24:BDRHa0XKJrD46qge+mSvvJ2Ovjq4V7xmNFKyv4DD/DspUSdzaT2b14YZUGFcukMng+uTrT9mqtVBvqvYBSnSsiOyiD7q4hZFjJuHfmj59F0=; 7:Ju29LZzUu45Dp9ZnvfAaqXJZBpqPZ//gHyb38AjzyTs3hxW6auj1Tt+zgNry/UmN+OnvS89qFcl2RRDUZI68/RBrEtt9b8CuhZGOHHwvk1tyy6PYyCCQQdbRZiCrHf0c48L8sJeVV/AhtxCNsE7zo0h4c8lx8YZUa8hv1s/xidXDIuQgtmLwPE6qJM1jsUs4d+KyAgSuHcEm7num9IsGbEH4jQDJuciiDPWtGlFjYNyith4hIlGOKXNpOck8Q3pK
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: ee054cb0-cfe4-4032-a8f7-08d54783c77b
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(5600026)(4604075)(4534020)(4602075)(7168020)(4627115)(201703031133081)(201702281549075)(2017052603307)(7153060); SRVR:MMXP12301MB1664; 
x-ms-traffictypediagnostic: MMXP12301MB1664:
x-microsoft-antispam-prvs: <MMXP12301MB166426C212E09FADD262DC88C90C0@MMXP12301MB1664.GBRP123.PROD.OUTLOOK.COM>
x-exchange-antispam-report-test: UriScan:(192374486261705)(27231711734898);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040470)(2401047)(5005006)(8121501046)(3231023)(93006095)(93001095)(10201501046)(3002001)(6041268)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:MMXP12301MB1664; BCL:0; PCL:0; RULEID:(100000803101)(100110400095); SRVR:MMXP12301MB1664; 
x-forefront-prvs: 0527DFA348
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(396003)(39850400004)(366004)(39380400002)(346002)(199004)(189003)(13464003)(6116002)(6306002)(305945005)(8676002)(7736002)(3846002)(102836003)(2906002)(59450400001)(99286004)(74316002)(7696005)(230783001)(2900100001)(81156014)(76176011)(81166006)(5660300001)(68736007)(105586002)(66066001)(55236004)(74482002)(75922002)(106356001)(77096006)(53546011)(6506007)(25786009)(33656002)(8936002)(42882006)(2501003)(6246003)(86362001)(2950100002)(9686003)(316002)(966005)(229853002)(3660700001)(110136005)(53936002)(478600001)(6436002)(3280700002)(97736004)(14454004)(55016002); DIR:OUT; SFP:1102; SCL:1; SRVR:MMXP12301MB1664; H:MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM; FPR:; SPF:None; PTR:InfoNoRecords;  A:1; MX:1; LANG:en; 
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: ee054cb0-cfe4-4032-a8f7-08d54783c77b
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Dec 2017 08:29:25.3819 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MMXP12301MB1664
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/aCNLenGLdYmAJYPA6RDl4km1kxw>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2017 08:29:32 -0000

From nobody Wed Dec 20 09:26:47 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48C86128959 for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 09:26:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJ-uEFeKkbL3 for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 09:26:42 -0800 (PST)
Received: from mail-lf0-x231.google.com (mail-lf0-x231.google.com [IPv6:2a00:1450:4010:c07::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DE1081270A3 for <dmarc@ietf.org>; Wed, 20 Dec 2017 09:26:41 -0800 (PST)
Received: by mail-lf0-x231.google.com with SMTP id j124so24925206lfg.2 for <dmarc@ietf.org>; Wed, 20 Dec 2017 09:26:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+9lpgbMsi1NwJgAXrjodDdIpGKvzrrEL7oy3ujlKylk=; b=Ixi3cj7oUUVvDX7GqrCSYPZMW87KV9B3N9/Fosp/Hn7z2jZiZsOrwU3By9co6fQnZh mRfzYur6+USg1MjJD6076aby1A3CRVY1BmEfO5883SoRsaCZkno9m+x+hSmkTh8Q4IF7 nuS4tn5xzFIy2EzLNdsO1Lpss99OPGHyyBk+Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=+9lpgbMsi1NwJgAXrjodDdIpGKvzrrEL7oy3ujlKylk=; b=c+TfANeHfoWndcrViaUiLZgPS7cRJSSWjapfaiGcLyU4RiIyi6VD8tlFKFsSVMHXWj EmONfmyGrmd7vS1MFWIqnbVXb/45kjGImYFBI3yTWUuhem17tUyvHVGWEtz2lXEAyMaf kXjAdG1dDBnLoExgsPhCavA2BzQd+UqPTr8QNjowaijatQsVGi31/hpMOt5RZChfe3qz GN/7TRAOphPcqqAQh1xgU/i8WvcJSUVf3P31jL/Ovzl08CpVjIaIxPI797ysPL7H/3k5 PYEq/fszsYJdvtFtsKGq3L3qZIX4jo/8aajNXou1M7kmIcO9DD0GlSUfyibiGMKLE2/T Jrrw==
X-Gm-Message-State: AKGB3mL8oDB04Wq1/HhEJCVAblKzsVB4tc3weOl9hV7aXAS/jLF30FMJ aAw27dyisgUulyDc84pb+7mAZHxkrdQGhX/naZ6ck88I
X-Google-Smtp-Source: ACJfBotwuhqs5HxCxmAqzkaCiMh9aSrmHM/hxtCLBpz71K3MvkfOiWbLNU6lQDbUne2KgwpFRJsayOCIKjeIQizNohM=
X-Received: by 10.46.42.134 with SMTP id q128mr5158421ljq.62.1513790799990; Wed, 20 Dec 2017 09:26:39 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.9 with HTTP; Wed, 20 Dec 2017 09:26:39 -0800 (PST)
In-Reply-To: <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Wed, 20 Dec 2017 17:26:39 +0000
X-Google-Sender-Auth: 0Hmskc4qTGPOSQK7Paicywn3_dk
Message-ID: <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com>
To: Ian Levy <ian.levy@ncsc.gov.uk>
Cc: John Levine <johnl@taugh.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="f403043a2ed8e5e60d0560c8e275"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/uGYpFGez9tG_E2-7Lm5ZsRwMPwo>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2017 17:26:45 -0000

--f403043a2ed8e5e60d0560c8e275
Content-Type: text/plain; charset="UTF-8"

On Wed, Dec 20, 2017 at 8:29 AM, Ian Levy <ian.levy@ncsc.gov.uk> wrote:

>
> I need to be able to emulate in some way the effect of SPF and DMARC
> records for non-existent first level subdomains under the PSL gov.uk - to
> stop spoof mail apparently coming from them being delivered. This is an
> active problem that criminals are abusing. They send mail from (for
> example) the non-existent subdomain ianlevy.gov.uk and there's currently
> no sensible way to stop that using DMARC et al.


I'm quite sure that you will need to do this via synthetic records being
returned either by the gov.uk name servers or by having gov.uk refer to a
general "parked domain" name server (farm) for all of the non-existent
subdomains. This is essentially what some of the big registrars started
doing some years ago to monetize "unsold" domains from a web POV and it
wreaked havoc for mail when the fallback A record was one of these upsell
pages rather than the normal NXDOMAIN.

With a "parked domain" server, you can return null MX, bare SPF "-all", and
whatever DMARC policy and reporting values are appropriate for all A, AAAA,
MX, TXT queries. You could also feed that information into some of the
passive DNS systems which can help track malfeasance.

--Kurt

--f403043a2ed8e5e60d0560c8e275--


From nobody Wed Dec 20 09:58:13 2017
Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C10F912420B for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 09:58:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=RHg+AS3B; dkim=pass (1536-bit key) header.d=taugh.com header.b=Jd+jblIG
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ICzmU1fS_VM for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 09:58:09 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 809F21241FC for <dmarc@ietf.org>; Wed, 20 Dec 2017 09:58:09 -0800 (PST)
Received: (qmail 57665 invoked from network); 20 Dec 2017 17:58:08 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=e13f.5a3aa4b0.k1712; bh=svQHO+3qVaNUojWhPEmXurP7qeSxk40bScR7CH0YfJg=; b=RHg+AS3BqHhggKWNHyDJzHVloDiL4V3iOL4obC12ATsg37QngFa7rb9UQW3cFB7xT0CwXCqDGy7Amg8JRwqqRvhcMNfWO8Q7ePsYfFDyden5sn8CJgE8+C+rnnwmCelynTgU1njj3mdaxyU3lWrOr/jCkuy/JfKSZ0rnXXHnDK4VPkAOqG0Dwsu/FHdXoy3RDsb285sFpqaqEAL/ap4ElJu3C2ezBUnBndGh5FidHwu9aTMrYCABwRAf6yPxMuC5
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=e13f.5a3aa4b0.k1712; bh=svQHO+3qVaNUojWhPEmXurP7qeSxk40bScR7CH0YfJg=; b=Jd+jblIGO8wNx8neLGzRWrxgODvoM/NrR6fLKEYnWTC4MaC7rRUBL7VT7W88QGtnkqhbw1WhV7FrhXeD6LTM34z6sl295ackLm0AMO6vnIMj2+5EdSSstuDcdpO1EwOFKThjee1i+T27t8jUYZtsoTrYjUTu5/hQKZ48xM8H/8nbnwkbzFEqdzDwu/RD6tGDFM/mZbtB53qZ2aHeRkg7FIu5v7w5QBUwUqO6xnJHyxerOKAhDxK38QRdkapmoHWr
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 20 Dec 2017 17:58:07 -0000
Date: 20 Dec 2017 12:58:07 -0500
Message-ID: <alpine.OSX.2.21.1712201247540.62094@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Kurt Andersen (b)" <kboth@drkurt.com>
Cc: "Ian Levy" <ian.levy@ncsc.gov.uk>, "dmarc@ietf.org" <dmarc@ietf.org>
In-Reply-To: <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/iF77Ty_tpv9HIB97KmW-0dtdejo>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2017 17:58:12 -0000

On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:
>> I need to be able to emulate in some way the effect of SPF and DMARC
>> records for non-existent first level subdomains under the PSL gov.uk - to
>> stop spoof mail apparently coming from them being delivered.

> I'm quite sure that you will need to do this via synthetic records being
> returned either by the gov.uk name servers or by having gov.uk refer to a
> general "parked domain" name server (farm) for all of the non-existent
> subdomains ...

With your current DNS setup, you could add this, no new name servers 
needed:

*.gov.uk. IN TXT "v=spf1 -all"
*.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"

This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and 
abc.def.gov.uk.  It won't cover names under existing subdomains, e.g. 
abc.mod.gov.uk but it's better than nothing.

Unless the people who host your DNS are willing to let you use customized 
stunt servers, which seems unlikely considering who they are, that's about 
the best you can do without getting the cooperation of your delegatees.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
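
Which names the two wildcard records in this message reach follows from the DNS wildcard rules of RFC 4592, sketched here as an added Python example that is not part of the original message. The zone contents are constructed: the `mod.gov.uk` delegation follows the message's example, while `existing.gov.uk` and the name server name are assumptions.

```python
import re

# Constructed toy zone for illustration; not the real gov.uk zone.
ORIGIN = "gov.uk"
ZONE = {
    ("gov.uk", "SOA"): ["(apex)"],
    ("*.gov.uk", "TXT"): [
        "v=spf1 -all",
        "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>",
    ],
    ("mod.gov.uk", "NS"): ["ns.mod.example."],   # delegated child zone (assumed)
    ("existing.gov.uk", "A"): ["192.0.2.10"],     # in-zone host (assumed)
}

_SPF = re.compile(r"^v=spf1( |$)")
_DMARC = re.compile(r"^v[ \t]*=[ \t]*DMARC1[ \t]*(;|$)")


def _exists(name):
    """A name exists if it owns records or is an ancestor of a name that does."""
    suffix = "." + name
    return any(owner == name or owner.endswith(suffix) for owner, _ in ZONE)


def lookup(qname, qtype):
    """Answer a query the way an authoritative server for ORIGIN would.

    Returns (status, rdata_list) with status one of ANSWER, WILDCARD,
    NODATA, NXDOMAIN, REFERRAL or OUT_OF_ZONE.
    """
    qname = qname.lower().rstrip(".")
    if qname != ORIGIN and not qname.endswith("." + ORIGIN):
        return ("OUT_OF_ZONE", [])
    labels = qname.split(".")
    below_apex = len(labels) - len(ORIGIN.split("."))
    # A zone cut at or above qname wins: the parent only refers, so its
    # wildcard never applies to names under a delegated subdomain.
    for i in range(below_apex - 1, -1, -1):
        if (".".join(labels[i:]), "NS") in ZONE:
            return ("REFERRAL", [])
    # A name that exists is never answered from a wildcard.
    if _exists(qname):
        rrs = ZONE.get((qname, qtype), [])
        return ("ANSWER" if rrs else "NODATA", rrs)
    # Closest encloser: the longest existing ancestor of qname.
    for i in range(1, len(labels)):
        encloser = ".".join(labels[i:])
        if _exists(encloser):
            break
    wildcard = "*." + encloser
    if not _exists(wildcard):
        return ("NXDOMAIN", [])
    rrs = ZONE.get((wildcard, qtype), [])
    return ("WILDCARD" if rrs else "NODATA", rrs)


def coverage(from_domain):
    """What an SPF check and a DMARC check on from_domain would retrieve.

    Both wildcard TXT records come back for either query; each protocol
    keeps only the records carrying its own version tag.
    """
    _, spf_txt = lookup(from_domain, "TXT")
    _, dmarc_txt = lookup("_dmarc." + from_domain, "TXT")
    return {
        "spf": [t for t in spf_txt if _SPF.match(t)],
        "dmarc": [t for t in dmarc_txt if _DMARC.match(t)],
    }


if __name__ == "__main__":
    for name in ("ianlevy.gov.uk", "abc.def.gov.uk", "abc.mod.gov.uk",
                 "existing.gov.uk"):
        print(name, lookup(name, "TXT")[0],
              lookup("_dmarc." + name, "TXT")[0], coverage(name))
```

The `existing.gov.uk` case shows a gap beyond delegations: a name that exists in the zone, and names below it, get NODATA or NXDOMAIN rather than the wildcard answer.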


From nobody Wed Dec 20 11:16:20 2017
Return-Path: <blong@fiction.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9BEC1205F1 for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 11:16:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ts-XdRXN9rA for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 11:16:15 -0800 (PST)
Received: from mail-io0-x22f.google.com (mail-io0-x22f.google.com [IPv6:2607:f8b0:4001:c06::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EB7E1241F5 for <dmarc@ietf.org>; Wed, 20 Dec 2017 11:16:15 -0800 (PST)
Received: by mail-io0-x22f.google.com with SMTP id e204so18445848iof.12 for <dmarc@ietf.org>; Wed, 20 Dec 2017 11:16:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=qyBYVrjcTt2lvlv/XUj9ld97+LePYqcFJp1zUwInqJw=; b=Q51pYjlBYl5TggbguqZoPdef6bI4DCsMJ/btH6W2ROJndX9dVe60wbO6IWN8jI5+Rd 8qQqZt2dzLEkPMB7kGn2ROIVxYgKFb0ktoUcagVIVo8/5kt36W/6ypa3oYMRPOBJ/s33 P6NlQ4W+qmMoJVl2LAtF0YovK+K/3ybt1iPaMzO+AbXQpk/6j1V3f9XQgU9bnTJ9y4f9 YwJ8kFuCXdt8GPJoTb/RkEv2bp3xeW3MQ3IdH0tJw6S3kf9FxCjhlRhQSCBIPUxruH2U +TMbWHo+xwgYmeYSkPXAdWsjRcXkXTL3sctXIbCxKIinRppWBX4Bz2dn2rmcVTXlDGxg TaZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=qyBYVrjcTt2lvlv/XUj9ld97+LePYqcFJp1zUwInqJw=; b=qskujiC9JmhjxE883cNGnhj26RWFyKBSkUveIF1jbbYjv5gI/gNS6JsNMLeoiFYGq/ uvpzqHl1CO3y5CtIUPym3RUIo3OmQCVsNMSNip8PjIQ4qpuOc/5Gf4E9E7m8kVlbvawi OCUP028QyCfY/2oCQYof6avqj5micA5Wa/b842XUAPi4CVDAxF3U8dZNwJboJAZi3sZh Z4xv2UMR9f7WaPsHjFwju9Kr0wrCLEJDmwt03rr5rKki0Cudivnef5Ktrr/WjVnPNZ3C LWx6yL+RtYUTQNgJUXfKSXE6qzqpBy/iDuss78gQk4LaNW2UO7Evj7sJ4Q+f/xnE8Ab6 xmQQ==
X-Gm-Message-State: AKGB3mIHod524aNO9HGUCC9I5ZC4I9BePGZyXvRNp9P2Ss5dC5+x2Ujx Jw+mEjhFflejytezrRTKcup+cgim
X-Google-Smtp-Source: ACJfBoue6pLO6NGUfvTX0xC9Uncnjp+05DdfKVKaoZEr6j8EtBrSl8VOD4QA7qYvS45Hy+07rE/zPg==
X-Received: by 10.107.183.20 with SMTP id h20mr10261494iof.23.1513797374526; Wed, 20 Dec 2017 11:16:14 -0800 (PST)
Received: from mail-io0-f171.google.com (mail-io0-f171.google.com. [209.85.223.171]) by smtp.gmail.com with ESMTPSA id x72sm2947447ite.43.2017.12.20.11.16.13 for <dmarc@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Dec 2017 11:16:13 -0800 (PST)
Received: by mail-io0-f171.google.com with SMTP id 14so11968869iou.2 for <dmarc@ietf.org>; Wed, 20 Dec 2017 11:16:13 -0800 (PST)
X-Received: by 10.107.18.147 with SMTP id 19mr7735634ios.197.1513797373148; Wed, 20 Dec 2017 11:16:13 -0800 (PST)
MIME-Version: 1.0
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com> <alpine.OSX.2.21.1712201247540.62094@ary.qy>
In-Reply-To: <alpine.OSX.2.21.1712201247540.62094@ary.qy>
From: Brandon Long <blong@fiction.net>
Date: Wed, 20 Dec 2017 19:16:01 +0000
X-Gmail-Original-Message-ID: <CABa8R6s-1+EMsTzxJ0LKtW=KwctWLC1B_FF3mLRSVYT_ahuoPw@mail.gmail.com>
Message-ID: <CABa8R6s-1+EMsTzxJ0LKtW=KwctWLC1B_FF3mLRSVYT_ahuoPw@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: "Kurt Andersen (b)" <kboth@drkurt.com>, dmarc@ietf.org, ian.levy@ncsc.gov.uk
Content-Type: multipart/alternative; boundary="001a113f26ceb1225e0560ca6ac8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/2nOO1glUkQJPbYPfaEz7qIzmekM>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Dec 2017 19:16:19 -0000

--001a113f26ceb1225e0560ca6ac8
Content-Type: text/plain; charset="UTF-8"

On Wed, Dec 20, 2017 at 9:58 AM John R Levine <johnl@taugh.com> wrote:

> On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:
> >> I need to be able to emulate in some way the effect of SPF and DMARC
> >> records for non-existent first level subdomains under the PSL gov.uk - to
> >> stop spoof mail apparently coming from them being delivered.
>
> > I'm quite sure that you will need to do this via synthetic records being
> > returned either by the gov.uk name servers or by having gov.uk refer to a
> > general "parked domain" name server (farm) for all of the non-existent
> > subdomains ...
>
> With your current DNS setup, you could add this, no new name servers
> needed:
>
> *.gov.uk. IN TXT "v=spf1 -all"
> *.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"
>
> This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and
> abc.def.gov.uk.  It won't cover names under existing subdomains, e.g.
> abc.mod.gov.uk but it's better than nothing.
>
> Unless the people who host your DNS are willing to let you use customized
> stunt servers, which seems unlikely considering who they are, that's about
> the best you can do without getting the cooperation of your delegatees.


SPF doesn't have sub-domain level protection like DMARC does, would it be
useful to look at adding it?

DMARC sub-domain level protection assumes that the owner domain isn't a
TLD.  Can we change that to add a lookup on the TLD?

Given the small number of TLDs and that most will not support that,
negative caching should mitigate most of the DNS lookups for that.
My knowledge of DNS is limited whether that is technically feasible.  Also,
curious issues if someone like .com decided to add such a record.
Perhaps even more privacy issues with rua/ruf at a TLD level.  Is there any
designation difference between something like .gov.uk and .co.uk?
Am I going to have to read the entire archive of DBOUND?

Brandon

--001a113f26ceb1225e0560ca6ac8
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><br><br><br><div class=3D"gmail_quote"><div dir=3D"ltr">On=
 Wed, Dec 20, 2017 at 9:58 AM John R Levine &lt;<a href=3D"mailto:johnl@tau=
gh.com">johnl@taugh.com</a>&gt; wrote:<br></div><blockquote class=3D"gmail_=
quote" style=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1=
ex">On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:<br>
&gt;&gt; I need to be able to emulate in some way the effect of SPF and DMA=
RC<br>
&gt;&gt; records for non-existent first level subdomains under the PSL <a h=
ref=3D"http://gov.uk" rel=3D"noreferrer" target=3D"_blank">gov.uk</a> - to<=
br>
&gt;&gt; stop spoof mail apparently coming from them being delivered.<br>
<br>
&gt; I&#39;m quite sure that you will need to do this via synthetic records=
 being<br>
&gt; returned either by the <a href=3D"http://gov.uk" rel=3D"noreferrer" ta=
rget=3D"_blank">gov.uk</a> name servers or by having <a href=3D"http://gov.=
uk" rel=3D"noreferrer" target=3D"_blank">gov.uk</a> refer to a<br>
&gt; general &quot;parked domain&quot; name server (farm) for all of the no=
n-existent<br>
&gt; subdomains ...<br>
<br>
With your current DNS setup, you could add this, no new name servers<br>
needed:<br>
<br>
*.<a href=3D"http://gov.uk" rel=3D"noreferrer" target=3D"_blank">gov.uk</a>=
. IN TXT &quot;v=3Dspf1 -all&quot;<br>
*.<a href=3D"http://gov.uk" rel=3D"noreferrer" target=3D"_blank">gov.uk</a>=
. IN TXT &quot;v=3DDMARC1; p=3Dreject; rua=3Dmailto:&lt;something&gt;; ruf=
=3Dmailto:&lt;something&gt;&quot;<br>
<br>
This will cover all undelegated names below <a href=3D"http://gov.uk" rel=
=3D"noreferrer" target=3D"_blank">gov.uk</a>, e.g. <a href=3D"http://abc.go=
v.uk" rel=3D"noreferrer" target=3D"_blank">abc.gov.uk</a> and<br>
<a href=3D"http://abc.def.gov.uk" rel=3D"noreferrer" target=3D"_blank">abc.=
def.gov.uk</a>.=C2=A0 It won&#39;t cover names under existing subdomains, e=
.g.<br>
<a href=3D"http://abc.mod.gov.uk" rel=3D"noreferrer" target=3D"_blank">abc.=
mod.gov.uk</a> but it&#39;s better than nothing.<br>
<br>
Unless the people who host your DNS are willing to let you use customized<b=
r>
stunt servers, which seems unlikely considering who they are, that&#39;s ab=
out<br>
the best you can do without getting the cooperation of your delegatees.</bl=
ockquote><div><br></div><div>SPF doesn&#39;t have sub-domain level protecti=
on like DMARC does, would it be useful to look at adding it?</div><div><br>=
</div><div>DMARC sub-domain level protection assumes that the owner domain =
isn&#39;t a TLD.=C2=A0 Can we change that to add a lookup on the TLD?</div>=
<div><br></div><div>Given the small number of TLDs and that most will not s=
upport that, negative caching should mitigate most of the DNS lookups for t=
hat.</div><div>My knowledge of DNS is limited whether that is technically f=
easible.=C2=A0 Also, curious issues if someone like .com decided to add suc=
h a record.</div><div>Perhaps even more privacy issues with rua/ruf at a TL=
D level.=C2=A0 Is there any designation difference between something like .=
<a href=3D"http://gov.uk">gov.uk</a> and .<a href=3D"http://co.uk">co.uk</a=
>?</div><div>Am I going to have to read the entire archive of DBOUND?</div>=
<div><br></div><div>Brandon</div></div></div>

--001a113f26ceb1225e0560ca6ac8--


From nobody Wed Dec 20 11:40:39 2017
Return-Path: <superuser@gmail.com>
MIME-Version: 1.0
In-Reply-To: <CABuGu1rTxFPeJx7uisO7K-TSg8dua==c5OM6geAm7+aNzcfa+A@mail.gmail.com>
References: <CABuGu1rTxFPeJx7uisO7K-TSg8dua==c5OM6geAm7+aNzcfa+A@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Wed, 20 Dec 2017 11:40:33 -0800
Message-ID: <CAL0qLwY+8oJzxP2ZvwFxANiFBNHXZS_Fih6h5vzQSNnYfy_CbA@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a11356cccc2993c0560cac1a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/X-3nVPUQgIy-AGt4tJfkbPZZTjI>
Subject: Re: [dmarc-ietf] New drafts of ARC protocol (10) & usage (03) posted

--001a11356cccc2993c0560cac1a9
Content-Type: text/plain; charset="UTF-8"

On Tue, Dec 19, 2017 at 6:49 AM, Kurt Andersen (b) <kboth@drkurt.com> wrote:

> * Update the AAR definition section (formerly 5.1) using Seth's suggested
> 7601bis wording (also adjusting for feedback that came in on the list) and
> annotating the section to be adjusted if we can kick off the 7601bis work
> in a timely fashion;
>

I plan to start a 7601bis effort to support what ARC needs, possibly over
the holidays, certainly in time for IETF 101.

> Usage:
> * Incorporate Seth's "experiment" write-up as an "open questions" section
> with various adjustments to the wording to reflect the "open questions we
> would like to understand" adjustment.
>

Whoa, no.  This belongs in the main protocol document, because it is the
experiment.  And that document is still showing "Standards Track".  Didn't
we reach consensus on the experimental route for the protocol document?

Some other stuff after a quick glance at the diff:

I like the addition of a "Protocol Elements" section.  However, I'm
becoming increasingly uneasy with the term "Chain of Custody".  To me,
perhaps from watching too many legal shows, that term is in effect a blob
of metadata applied to some object as a way of showing who transported it
from A to B (i.e., a handling chain), but in no way is that material
modified in transit.  If we have such an immutable payload here, I'm not
clear on what that is.  To me, ARC is more of an audit trail that
incorporates a record of changes to the object as well as who handled it.

I thought discussion had led to registration of "header.s" instead of
"header.ds" and ARC would just use that plus "header.d" to provide the
required information.  This version still contains "header.ds".

Finally, not specific to this version, but: Do we need the section on
algorithm rotation?  DKIM didn't have that in RFC7601, and DCRUP which is
adding ECC to DKIM has far less to say on the matter (
https://tools.ietf.org/html/draft-ietf-dcrup-dkim-crypto-07#section-6).  I
suspect, therefore, that we could get away with a more minimalist
approach.  Alternatively, do we have experience in any other protocol of
doing this kind of algorithm rotation pattern to success?

-MSK


--001a11356cccc2993c0560cac1a9--


From nobody Wed Dec 20 11:55:20 2017
Return-Path: <johnl@taugh.com>
Date: 20 Dec 2017 14:55:15 -0500
Message-ID: <alpine.OSX.2.21.1712201449110.62776@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Brandon Long" <blong@fiction.net>
Cc: dmarc@ietf.org
In-Reply-To: <CABa8R6s-1+EMsTzxJ0LKtW=KwctWLC1B_FF3mLRSVYT_ahuoPw@mail.gmail.com>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com> <alpine.OSX.2.21.1712201247540.62094@ary.qy> <CABa8R6s-1+EMsTzxJ0LKtW=KwctWLC1B_FF3mLRSVYT_ahuoPw@mail.gmail.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DwcMlaUPXh3qrBQzgRDcSV0xZrU>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains

> SPF doesn't have sub-domain level protection like DMARC does, would it be
> useful to look at adding it?

I doubt it.  SPF was written and implemented a decade ago and it's 
unlikely anything new would be widely deployed.

> DMARC sub-domain level protection assumes that the owner domain isn't a
> TLD.  Can we change that to add a lookup on the TLD?

Depends on what's in the PSL for the domain.  It seems to me that if the 
owner domain is the TLD, that tells us it's a single-user vanity domain, 
so you can make your DNS do whatever you want.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
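
The wildcard coverage described in the quoted suggestion (`*.gov.uk` TXT records) and the policy-discovery question raised about the public suffix can both be checked against a small model. This is an added example, not code from the thread: it combines RFC 4592 wildcard synthesis with the RFC 7489 two-step DMARC lookup. The zone contents other than the two wildcard TXT records, the name `existing.gov.uk`, the three-entry PSL subset and all function names are constructed assumptions.

```python
"""Constructed model: RFC 4592 wildcard synthesis plus RFC 7489 DMARC policy discovery."""

APEX = "gov.uk"
PSL = {"uk", "gov.uk", "co.uk"}  # constructed subset of the Public Suffix List

SPF = "v=spf1 -all"
DMARC = "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"

# Constructed zone contents. Only the two wildcard TXT records come from the thread.
ZONE_WILDCARD = {
    "gov.uk": {},
    "*.gov.uk": {"TXT": [SPF, DMARC]},
    "existing.gov.uk": {"A": ["192.0.2.10"]},   # hypothetical name with no TXT of its own
    "mod.gov.uk": {"NS": ["ns1.mod.gov.uk"]},    # delegated to its own name servers
}
# Constructed variant: no wildcard, policy published only at the public suffix itself.
ZONE_SUFFIX_ONLY = {
    "gov.uk": {},
    "_dmarc.gov.uk": {"TXT": ["v=DMARC1; p=reject"]},
    "mod.gov.uk": {"NS": ["ns1.mod.gov.uk"]},
}


def ancestors(name):
    """Yield name, then each parent, longest first: a.b.c -> a.b.c, b.c, c."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def exists(zone, name):
    """A name exists if it owns records or has a descendant that does (empty non-terminal)."""
    return name in zone or any(owner.endswith("." + name) for owner in zone)


def query_txt(zone, qname, apex=APEX):
    """Answer a TXT query as the authoritative server for `apex` would: (status, records)."""
    qname = qname.lower().rstrip(".")
    if qname != apex and not qname.endswith("." + apex):
        return "REFUSED", []
    # A zone cut at or above qname means the child zone answers; no wildcard applies.
    for anc in ancestors(qname):
        if anc == apex:
            break
        if "NS" in zone.get(anc, {}):
            return "REFERRAL", []
    # An existing name is never wildcarded, even if it has no TXT records.
    if exists(zone, qname):
        txt = zone.get(qname, {}).get("TXT", [])
        return ("ANSWER" if txt else "NODATA"), txt
    # Otherwise synthesize from "*.<closest encloser>" if that wildcard exists.
    closest = next(a for a in ancestors(qname) if exists(zone, a))
    wildcard = zone.get("*." + closest)
    if wildcard is None:
        return "NXDOMAIN", []
    txt = wildcard.get("TXT", [])
    return ("ANSWER" if txt else "NODATA"), txt


def org_domain(domain):
    """Organizational domain: longest matching public suffix plus one label."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PSL:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def pick(records, version):
    """Return the first TXT record carrying the given version tag, else None."""
    return next((r for r in records if r == version or r.startswith(version + " ")
                 or r.startswith(version + ";")), None)


def spf_record(zone, domain):
    return pick(query_txt(zone, domain)[1], "v=spf1")


def dmarc_record(zone, domain):
    """RFC 7489 discovery: _dmarc.<domain>, then _dmarc.<org domain>; nothing higher is asked."""
    for candidate in dict.fromkeys([domain, org_domain(domain)]):
        rec = pick(query_txt(zone, "_dmarc." + candidate)[1], "v=DMARC1")
        if rec:
            return rec
    return None


if __name__ == "__main__":
    for name in ("abc.gov.uk", "abc.def.gov.uk", "abc.mod.gov.uk", "existing.gov.uk"):
        print(f"{name:18} spf={spf_record(ZONE_WILDCARD, name)!r:16} "
              f"dmarc={'yes' if dmarc_record(ZONE_WILDCARD, name) else 'no'}")
    print("suffix-only zone, abc.gov.uk dmarc:", dmarc_record(ZONE_SUFFIX_ONLY, "abc.gov.uk"))
```

In this model the wildcard answers for `abc.gov.uk` and `abc.def.gov.uk`, but not for names under the delegated `mod.gov.uk` or for a name that already exists without TXT records, and a record at `_dmarc.gov.uk` alone is never consulted for `abc.gov.uk`.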


From nobody Wed Dec 20 13:54:51 2017
Return-Path: <laura@wordtothewise.com>
From: Laura Atkins <laura@wordtothewise.com>
Message-Id: <4DABC2A5-714C-4FA8-A44E-C48EE1C81518@wordtothewise.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_57880753-910F-445E-92B9-F2EE1424B37D"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Wed, 20 Dec 2017 13:54:47 -0800
In-Reply-To: <alpine.OSX.2.21.1712201449110.62776@ary.qy>
Cc: Brandon Long <blong@fiction.net>, dmarc@ietf.org
To: John R Levine <johnl@taugh.com>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com> <alpine.OSX.2.21.1712201247540.62094@ary.qy> <CABa8R6s-1+EMsTzxJ0LKtW=KwctWLC1B_FF3mLRSVYT_ahuoPw@mail.gmail.com> <alpine.OSX.2.21.1712201449110.62776@ary.qy>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/5nYCNyXTEZFSAQggHrFxIKWShUY>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains

--Apple-Mail=_57880753-910F-445E-92B9-F2EE1424B37D
Content-Transfer-Encoding: 8bit
Content-Type: text/plain;
	charset=utf-8


> On Dec 20, 2017, at 11:55 AM, John R Levine <johnl@taugh.com> wrote:
>
>> SPF doesn't have sub-domain level protection like DMARC does, would it be
>> useful to look at adding it?
>
> I doubt it.  SPF was written and implemented a decade ago and it's unlikely anything new would be widely deployed.

And there are way bigger issues with SPF that everyone is avoiding. Bring up one leetle bit and all of a sudden we’re looking at a full rewrite of the spec.

That is just not going to happen.

laura

-- 
Having an Email Crisis?  We can help! 800 823-9674

Laura Atkins
Word to the Wise
laura@wordtothewise.com
(650) 437-0741

Email Delivery Blog: https://wordtothewise.com/blog


--Apple-Mail=_57880753-910F-445E-92B9-F2EE1424B37D--


From nobody Wed Dec 20 16:35:22 2017
Return-Path: <blong@fiction.net>
MIME-Version: 1.0
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com> <alpine.OSX.2.21.1712201247540.62094@ary.qy> <CABa8R6s-1+EMsTzxJ0LKtW=KwctWLC1B_FF3mLRSVYT_ahuoPw@mail.gmail.com> <alpine.OSX.2.21.1712201449110.62776@ary.qy> <4DABC2A5-714C-4FA8-A44E-C48EE1C81518@wordtothewise.com>
In-Reply-To: <4DABC2A5-714C-4FA8-A44E-C48EE1C81518@wordtothewise.com>
From: Brandon Long <blong@fiction.net>
Date: Thu, 21 Dec 2017 00:35:01 +0000
X-Gmail-Original-Message-ID: <CABa8R6sh=14eyPT8JiitSFbbRAsmLy-9Fcsdoo7rTjGc8hUWLw@mail.gmail.com>
Message-ID: <CABa8R6sh=14eyPT8JiitSFbbRAsmLy-9Fcsdoo7rTjGc8hUWLw@mail.gmail.com>
To: Laura Atkins <laura@wordtothewise.com>
Cc: John Levine <johnl@taugh.com>, dmarc@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c0b77c0a97b950560cedfd7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HTDxq4QpFWNbzzQHUx-N_1g1URM>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 00:35:20 -0000

--94eb2c0b77c0a97b950560cedfd7
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 20, 2017 at 1:54 PM Laura Atkins <laura@wordtothewise.com>
wrote:

>
> On Dec 20, 2017, at 11:55 AM, John R Levine <johnl@taugh.com> wrote:
>
> SPF doesn't have sub-domain level protection like DMARC does, would it be
> useful to look at adding it?
>
> Obviously the word "protection" is wrong, I meant coverage.

> I doubt it.  SPF was written and implemented a decade ago and it's
> unlikely anything new would be widely deployed.
>
> And there are way bigger issues with SPF that everyone is avoiding. Bring
> up one leetle bit and all of a sudden we’re looking at a full rewrite of
> the spec.
>
> That is just not going to happen.
>

I sometimes think there needs to be a secret history repository to help
newcomers with the unknown politics and disagreements going on, or maybe I
need to make it to more conferences to ask these things in person.

Obviously there's nothing preventing a receiver from doing it, in fact I
think our bestguess code does do a fallback to primary domain already, but
what's requested is more widespread adoption.  And we probably don't fall
back to the TLD.

Brandon

--94eb2c0b77c0a97b950560cedfd7--


From nobody Wed Dec 20 16:40:04 2017
Return-Path: <blong@fiction.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 181C6124D37 for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 16:40:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gx8io02JMIHl for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 16:39:59 -0800 (PST)
Received: from mail-it0-x233.google.com (mail-it0-x233.google.com [IPv6:2607:f8b0:4001:c0b::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3A811242F5 for <dmarc@ietf.org>; Wed, 20 Dec 2017 16:39:59 -0800 (PST)
Received: by mail-it0-x233.google.com with SMTP id d137so8905556itc.2 for <dmarc@ietf.org>; Wed, 20 Dec 2017 16:39:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=i7bikRFbc61KQeLdz8JHKRIbIpldxJjkCDEZCaICIOQ=; b=SAH5zCaycOjx2miorL2hcatjiYDk3d2N7l1hXOq8q0WCQo9+Mx6DXcu2U9gvjNbEyR dqzJu9We1yVNOxPLbQZU7LAIGeI9NGKFRCecZr8P7tjLA+eBrrRgtd6Q4MQTnS4FIKIY rrBqGM/Fu3WIIn88beTFazSt0ObKEO0/MBf0iyYKP4nH+7Q8D5GRI3Yr/3F9GBiyvCav pHzo2BZqAusMN0Nnu8H9998BiPgTQIHhuC4JCIllROvKJCAqhblL2j1c2iW/MXmtaGhN y+8cf828J3fF3IQJI/LC1pV+v0R2UeAfgN6tvZjIeREX1u27LVrcDYU0bCXsgedFA0ke erGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=i7bikRFbc61KQeLdz8JHKRIbIpldxJjkCDEZCaICIOQ=; b=Pm2FkHUqPIpmshQFaz+CrovzsTIeIF3z0A8xBp6ayjmt6BFFcH5kqWfs1HghN4+LRu aDfl8D7iS3800Kwcn6ottWcDxV2M/33QJO/vnZhL8gUGN0uztpggOMw7T+VkEOTx5wW0 0exGLz1OcLnhXiLApEZ5orAeA05KDnr4u85XMVVexV3ozNA/0vzHwe+Qwv91klKVw8w6 fb2vcObeYC8WFD1z5AzA3vSnDmtjSfBcq/VFo05mEqqJoY2dBw93o9j2vjRqwQG6CahU oxRj88kDuu4VD+4g3lHPL76t/NVgrlKqupNe1KfcBpFfZ8BT/+DAeN5RjeeecI6bUMuy iC7w==
X-Gm-Message-State: AKGB3mK7ZKPhVYHJIu8ewxvGg7hXiKXhvAKoWQBgejnYCFSzt1blyhjF /ehc9SNs0erhPD90cLqxla2KVvw7
X-Google-Smtp-Source: ACJfBov6kpi/8MEmTIG/rje7nb3IzrlZiOVxGRdDiRbVl90IGmI+04wzva37yBZhXqidbrQQwo/XEQ==
X-Received: by 10.36.69.4 with SMTP id y4mr10970723ita.75.1513816798788; Wed, 20 Dec 2017 16:39:58 -0800 (PST)
Received: from mail-it0-f51.google.com (mail-it0-f51.google.com. [209.85.214.51]) by smtp.gmail.com with ESMTPSA id 125sm9282204ioo.68.2017.12.20.16.39.57 for <dmarc@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Dec 2017 16:39:57 -0800 (PST)
Received: by mail-it0-f51.google.com with SMTP id z6so8765713iti.4 for <dmarc@ietf.org>; Wed, 20 Dec 2017 16:39:57 -0800 (PST)
X-Received: by 10.36.175.27 with SMTP id t27mr831102ite.124.1513816797368; Wed, 20 Dec 2017 16:39:57 -0800 (PST)
MIME-Version: 1.0
References: <CABuGu1rTxFPeJx7uisO7K-TSg8dua==c5OM6geAm7+aNzcfa+A@mail.gmail.com> <CAL0qLwY+8oJzxP2ZvwFxANiFBNHXZS_Fih6h5vzQSNnYfy_CbA@mail.gmail.com>
In-Reply-To: <CAL0qLwY+8oJzxP2ZvwFxANiFBNHXZS_Fih6h5vzQSNnYfy_CbA@mail.gmail.com>
From: Brandon Long <blong@fiction.net>
Date: Thu, 21 Dec 2017 00:39:46 +0000
X-Gmail-Original-Message-ID: <CABa8R6vi0-k2RTON=nrU2NJ72=RVemTEsTEpMbCrA3WmtYk-TA@mail.gmail.com>
Message-ID: <CABa8R6vi0-k2RTON=nrU2NJ72=RVemTEsTEpMbCrA3WmtYk-TA@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="f403045db2e8772a110560cef077"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/C1ERXCVHD29959hanEt0gzBYy-U>
Subject: Re: [dmarc-ietf] New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 00:40:02 -0000

--f403045db2e8772a110560cef077
Content-Type: text/plain; charset="UTF-8"

On Wed, Dec 20, 2017 at 11:40 AM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Tue, Dec 19, 2017 at 6:49 AM, Kurt Andersen (b) <kboth@drkurt.com>
> wrote:
>
>> * Update the AAR definition section (formerly 5.1) using Seth's suggested
>> 7601bis wording (also adjusting for feedback that came in on the list) and
>> annotating the section to be adjusted if we can kick off the 7601bis work
>> in a timely fashion;
>>
>
> I plan to start a 7601bis effort to support what ARC needs, possibly over
> the holidays, certainly in time for IETF 101.
>
> Usage:
>> * Incorporate Seth's "experiment" write-up as an "open questions" section
>> with various adjustments to the wording to reflect the "open questions we
>> would like to understand" adjustment.
>>
>
> Whoa, no.  This belongs in the main protocol document, because it is the
> experiment.  And that document is still showing "Standards Track".  Didn't
> we reach consensus on the experimental route for the protocol document?
>
> Some other stuff after a quick glance at the diff:
>
> I like the addition of a "Protocol Elements" section.  However, I'm
> becoming increasingly uneasy with the term "Chain of Custody".  To me,
> perhaps from watching too many legal shows, that term is in effect a blob
> of metadata applied to some object as a way of showing who transported it
> from A to B (i.e., a handling chain), but in no way is that material
> modified in transit.  If we have such an immutable payload here, I'm not
> clear on what that is.  To me, ARC is more of an audit trail that
> incorporates a record of changes to the object as well as who handled it.
>
> I thought discussion had led to registration of "header.s" instead of
> "header.ds" and ARC would just use that plus "header.d" to provide the
> required information.  This version still contains "header.ds".
>
> Finally, not specific to this version, but: Do we need the section on
> algorithm rotation?  DKIM didn't have that in RFC7601, and DCRUP which is
> adding ECC to DKIM has far less to say on the matter (
> https://tools.ietf.org/html/draft-ietf-dcrup-dkim-crypto-07#section-6).
> I suspect, therefore, that we could get away with a more minimalist
> approach.  Alternatively, do we have experience in any other protocol of
> doing this kind of algorithm rotation pattern to success?
>

I think algorithm rotation is more challenging for ARC than it is for DKIM,
since with DKIM you can just sign with both... but for ARC, there's a chain
of signers and then you have to handle links not being able to verify
intermediate states in the other algorithm.

Brandon

--f403045db2e8772a110560cef077--


From nobody Wed Dec 20 22:12:43 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD1AD127275 for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 22:12:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level: 
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4IbbDAxH7RBy for <dmarc@ietfa.amsl.com>; Wed, 20 Dec 2017 22:12:40 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11D211201FA for <dmarc@ietf.org>; Wed, 20 Dec 2017 22:12:40 -0800 (PST)
Received: by mail-qk0-x235.google.com with SMTP id 143so14938804qki.2 for <dmarc@ietf.org>; Wed, 20 Dec 2017 22:12:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=w5FpWaDky3BPyG9vh2doi2S4K4q/dlz1JpkBiQh3/cI=; b=QsvMM/edPMN261uKLp/9l1Kg/XZlVrtqDBB7ssT2Jd4wzuQW93E+5MEQx4Xk3nPmyb 14pnJHVam0L5fJST0DuFUNYqAV2FhxT+cvBdpme5nlAhDni037eNzHK4/2jk5oGLyLzU 8wUv86u3jgoc+OyqmtOLIKKEtlqvyF42whEFp6hvCkiNV1Lv+Pxsa10q1TNMG1bLermg 7CAgsOE/rD8iWIeF6oKBp7WcIAhZWwOJCGTFfYAwk7nhzVjXbH9RN9nBFntNYefAWpev l1/Knexd0cz1F84P7C+nIjE9LwhqNK3kkL81zkCFf+83dr55EBPmdOrVkHc+QQs/ZVjl zMyA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=w5FpWaDky3BPyG9vh2doi2S4K4q/dlz1JpkBiQh3/cI=; b=N1M45X+Gkvqz4+OrR8KtaYKFosILIxSRmdejhiXKCGdikt6Cv6dqC/AeUNZyQbJky+ t/PMIh8Aa0ZBtx8y4wvbTa261VdmlSm9cHHZUp+Zd8uCVslWHibxeaMQMHWAuz0Sgfrl kS0uqKSi/TiSvI9FCDZ6LbmB3df/eogUMydZUA3RwsjC+cBLOMig1fStNVqkikgyvh6b RTD/9VNFzw3VxkfI8snlWHxwmf0wvy6QFxuNGixrZjipP1J8/YZtMOAGbgnF/JZi8emU dQ9ULGBD+nO/mZdR4gxaXdkiqwylmLvuRPz41QfaWYNYonOu9PM9EWFdxYe48LTWwzNA LPOQ==
X-Gm-Message-State: AKGB3mJIX/w3ETUPLcAVdWVfFp5soAjpIokDwga3PDIntiLY8bkUju1j mLq9Qkfjq/9gMGcSfH66N72PSO0Ul0z7VWNbwEAKWg==
X-Google-Smtp-Source: ACJfBovnkc8R4/d8EKjTBtH87awaTsjVKHnhnaIE7JjiUqrBXqDPC0wAOpyVjniMd7GOdjRthpMCyt3ixItDcZds20o=
X-Received: by 10.55.197.6 with SMTP id p6mr12501774qki.223.1513836759094; Wed, 20 Dec 2017 22:12:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Wed, 20 Dec 2017 22:12:38 -0800 (PST)
In-Reply-To: <CABa8R6vi0-k2RTON=nrU2NJ72=RVemTEsTEpMbCrA3WmtYk-TA@mail.gmail.com>
References: <CABuGu1rTxFPeJx7uisO7K-TSg8dua==c5OM6geAm7+aNzcfa+A@mail.gmail.com> <CAL0qLwY+8oJzxP2ZvwFxANiFBNHXZS_Fih6h5vzQSNnYfy_CbA@mail.gmail.com> <CABa8R6vi0-k2RTON=nrU2NJ72=RVemTEsTEpMbCrA3WmtYk-TA@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Wed, 20 Dec 2017 22:12:38 -0800
Message-ID: <CAL0qLwaKKCbF1LkRf3sQrrFKQp8L3m5M_tN4_oaf1PV7NvN2zA@mail.gmail.com>
To: Brandon Long <blong@fiction.net>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a1149a18c461c0d0560d396a5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/E9fOn8dIEiFqQJBz1GyFUimWVcM>
Subject: Re: [dmarc-ietf] New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 06:12:41 -0000

--001a1149a18c461c0d0560d396a5
Content-Type: text/plain; charset="UTF-8"

On Wed, Dec 20, 2017 at 4:39 PM, Brandon Long <blong@fiction.net> wrote:

> I think algorithm rotation is more challenging for ARC than it is for
> DKIM, since with DKIM you can just sign with both... but for ARC, there's a
> chain of signers and then you have to handle links not being able to verify
> intermediate states in the other algorithm.
>

If the group concurs, then it would seem this section needs quite a bit
more development.  Who's up for proposing text?

-MSK

--001a1149a18c461c0d0560d396a5--


From nobody Thu Dec 21 03:58:14 2017
Return-Path: <brong@fastmailteam.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABDAC126DFB for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 03:58:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level: 
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fastmailteam.com header.b=gHtBiAAT; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=h85Tmp3e
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MHSKbBGxK7Ku for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 03:58:10 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4C2712421A for <dmarc@ietf.org>; Thu, 21 Dec 2017 03:58:10 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id E9D3520B0D for <dmarc@ietf.org>; Thu, 21 Dec 2017 06:58:09 -0500 (EST)
Received: from web2 ([10.202.2.212]) by compute6.internal (MEProxy); Thu, 21 Dec 2017 06:58:09 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= fastmailteam.com; h=content-transfer-encoding:content-type:date :from:in-reply-to:message-id:mime-version:references:subject:to :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=Fg/4vx58QjDRmsCTw nYYTwevLpF9dctQX3ysqqt9usM=; b=gHtBiAATbpZSCN2ELvUwEaO4RPCEkAlet wDKmCbSE1kVkraUkvlpSqhKDGTjPL1h+/4YdNW4RPlaYM9lSXIzyK8MBKHDsNfdn PexGnKfCmrOcvb3vVmDPe/Nxu0ifF/sqBlHXV0rGQjkHX+aIgoXYA3GV3zzF5qw8 w/GdLZqsfJn7dAQsF4oBBSeG8/o6CBY/8gtkS71TnRLnPXJcHPv3rOGwhShElSqU fbCjcIx6+kP1Da+dQCV3fBzXsoHLQUBYyAaWovtWULMgtf4msKT5Y5adEniV3lf2 tH8Gw11+Q6vuaSE7nVVFfKwXRiMPf6CwZSWQ0s+Q3bxLHTeYoM9oA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=Fg/4vx 58QjDRmsCTwnYYTwevLpF9dctQX3ysqqt9usM=; b=h85Tmp3eAuDXhtBXb2VgM4 cPI0hJe/zZUIV9RSWjiJQJmwZQ0sJFNp4lZdx4KCemeBhPWfy9FG1FzjIGzTDWSQ DjCsThm6Pu2O5S2hxXlR6HzJQ56g8tZvYvQNstmLRJTlPEhvw5IqTenpngE+x7lu 00EPT/e8AeX3mof9mjVAoFQAH6xSNxQurvGdOa6O9ZQFCUMOuKuDV5Bs9EwonvTn SJRjrffBP6CJ98FNosTWztPDuF4qDbaBoZkPVCtdxzR78y6IBV+s33zmNeebPpf6 4O3KDnH8OZp+m1PH8D61gptc8mQCYONrvJg0C5sVhe0z6Jpdyg2l/kKVNQy4m/gg ==
X-ME-Sender: <xms:0aE7WobnmMFh3DD0QpA_GnX1sEAffMPh2X3wPCrj9fJbpNX7TYw1_g>
Received: by mailuser.nyi.internal (Postfix, from userid 99) id B84AB62B9E; Thu, 21 Dec 2017 06:58:09 -0500 (EST)
Message-Id: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com>
From: Bron Gondwana <brong@fastmailteam.com>
To: dmarc@ietf.org
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: multipart/alternative; boundary="_----------=_151385748935313190"
X-Mailer: MessagingEngine.com Webmail Interface - ajax-bb99f02b
In-Reply-To: <CAL0qLwaKKCbF1LkRf3sQrrFKQp8L3m5M_tN4_oaf1PV7NvN2zA@mail.gmail.com>
References: <CABuGu1rTxFPeJx7uisO7K-TSg8dua==c5OM6geAm7+aNzcfa+A@mail.gmail.com> <CAL0qLwY+8oJzxP2ZvwFxANiFBNHXZS_Fih6h5vzQSNnYfy_CbA@mail.gmail.com> <CABa8R6vi0-k2RTON=nrU2NJ72=RVemTEsTEpMbCrA3WmtYk-TA@mail.gmail.com> <CAL0qLwaKKCbF1LkRf3sQrrFKQp8L3m5M_tN4_oaf1PV7NvN2zA@mail.gmail.com>
Date: Thu, 21 Dec 2017 22:58:09 +1100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/rh9-xXSDrJyZ8p8QleJobtv0zI8>
Subject: Re: [dmarc-ietf] New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 11:58:13 -0000

This is a multi-part message in MIME format.

--_----------=_151385748935313190
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="utf-8"

On Thu, 21 Dec 2017, at 17:12, Murray S. Kucherawy wrote:
> On Wed, Dec 20, 2017 at 4:39 PM, Brandon Long
> <blong@fiction.net> wrote:
>>
>> I think algorithm rotation is more challenging for ARC than it is for
>> DKIM, since with DKIM you can just sign with both... but for ARC,
>> there's a chain of signers and then you have to handle links not being
>> able to verify intermediate states in the other algorithm.
>>
>
> If the group concurs, then it would seem this section needs quite a
> bit more development.  Who's up for proposing text?

I certainly concur with Brandon here - changing ARC algorithm looks like
a very messy proposition, I expect you'd pretty much have to do a window
where both the old and new algorithm were supported - with a deadline
where the old algorithm gets treated like a broken link.  It's probably
a strong reason to MUST that every implementation support signing and
verifying at least two currently presumed strong algorithms at the
start, so if one is found wanting we can immediately deprecate it and
everyone can just turn on the other algorithm in their software
configuration.

Bron.

--
  Bron Gondwana, CEO, FastMail Pty Ltd
  brong@fastmailteam.com



--_----------=_151385748935313190--


From nobody Thu Dec 21 08:57:50 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59A82129C6A for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 08:57:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.76
X-Spam-Level: 
X-Spam-Status: No, score=-1.76 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=Bz6v5BH1; dkim=pass (1536-bit key) header.d=taugh.com header.b=cS0soxcs
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h-j3qHbRzV_y for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 08:57:47 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD80012D779 for <dmarc@ietf.org>; Thu, 21 Dec 2017 08:57:46 -0800 (PST)
Received: (qmail 16016 invoked from network); 21 Dec 2017 16:57:45 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=3e8d.5a3be809.k1712; bh=DMm+V6SNWukeOhX0ekWYN6F11JTPtBSAnZnk37Kp9m8=; b=Bz6v5BH1sh3sVjU0wr9pnXdsxYI4Re4wVVAqglShU4/QTXdyCxb3dlmPxCxZQZ23B3lQsRpjZjBjJDuyTBHilGjH1ZjcYE01cOyv/Bx37NrZrCrNE/q0u5y1l5dN21ATKivUmXlYKkHVXnceIKSoeV2RbR42ZxoilM5ujBMg2z+6B8SwJTgs/EZ+R8rkHbYgRlPnC8IkNPQa+eeKRT9pzD7rgbXmE+X8wvO+cGK/WvuBn5ZdMWJYH4h8ji7piL6B
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=3e8d.5a3be809.k1712; bh=DMm+V6SNWukeOhX0ekWYN6F11JTPtBSAnZnk37Kp9m8=; b=cS0soxcs/Gi/32gFl7V2cxUkURX2upqYUmFem4BV7Uqa+h4osnPAe6FaNpMdiOLPCDwVObilLpaOzAzHyunJlJyV+Ks8X9ZJ3yUArJGagowyjt73K6FJQMTHQ4VG1v2bO8Zc3wvosOV8JRy77pUy6eZ+NPFfShsBes74qkH+iM93ii34rjX6deF8qqA5//6i7XjCMJagSNWDnYuBO6pkNc+CVck12c0JUTPfGzD3h6Q/RnLCTXnEotYAgl9KfKx7
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 21 Dec 2017 16:57:45 -0000
Received: by ary.qy (Postfix, from userid 501) id 3AF54183C822; Thu, 21 Dec 2017 11:57:44 -0500 (EST)
Date: 21 Dec 2017 11:57:44 -0500
Message-Id: <20171221165745.3AF54183C822@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: brong@fastmailteam.com
In-Reply-To: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Bv55cS12p41j3XhWzuu5RybvzTA>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 16:57:48 -0000

In article <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> you write:
>I certainly concur with Brandon here - changing ARC algorithm looks like
>a very messy proposition, I expect you'd pretty much have to do a window
>where both the old and new algorithm were supported - with a deadline
>where the old algorithm gets treated like a broken link. ...

Complex technical approach:

Invent a new ps= tag for peer selector.  If using two signing
algorithms, add two AS and AMS headers with the same d= but different
s=, one for each algorithm, each with a ps= pointing to the other
header, and each signature covering both headers, and you have to
check when signing and validating that the ps= in this header matches
the s= in the other.  The chain is valid if either AS is valid.

Simple administrative approach:

Stall ARC for a few more months until we can get ed25519 into the
libraries, then adjust the document to make it MUST verify both.

R's,
John
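
Added example, not part of the original message or of any ARC draft: the ps= pairing check and the "valid if either AS is valid" rule described above, combined with the deadline idea quoted at the top of the message (an algorithm past its deadline counts as a broken link). The ps= tag is the hypothetical tag proposed in this thread; the selectors, domains, b= values and the verify callback are constructed assumptions, and requiring every instance to have one acceptable seal is one reading of the proposal.

```python
import re

REQUIRED = ("i", "a", "d", "s")


def parse_tags(value):
    """Parse a DKIM-style tag list ("a=...; d=...; s=...") into a dict."""
    tags = {}
    for part in value.split(";"):
        if not part.strip():
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name:
            raise ValueError("malformed tag: %r" % part)
        if name in tags:
            raise ValueError("duplicate tag: %s" % name)
        tags[name] = re.sub(r"\s+", "", val)  # drop folding whitespace
    return tags


def pair_problems(first, second):
    """Structural checks on two peer headers of the same kind (AS or AMS)."""
    problems = []
    if first["i"] != second["i"]:
        problems.append("instance numbers differ")
    if first["d"] != second["d"]:
        problems.append("d= differs")
    if first["s"] == second["s"]:
        problems.append("s= must differ")
    if first["a"] == second["a"]:
        problems.append("a= must differ")
    # Each header's ps= (hypothetical tag) must name the other header's s=.
    if first.get("ps") != second["s"] or second.get("ps") != first["s"]:
        problems.append("ps= does not point at the peer's s=")
    return problems


def instance_seal_ok(seal_values, verify, deprecated=()):
    """Decide whether one ARC instance has an acceptable seal.

    seal_values: raw ARC-Seal values of one instance (one, or two peers).
    verify:      callable(tags) -> bool, the caller's signature check.
    deprecated:  algorithms past their deadline, treated as a broken link.
    Returns (ok, list_of_problems).
    """
    seals = [parse_tags(v) for v in seal_values]
    if any(tag not in seal for seal in seals for tag in REQUIRED):
        return False, ["missing required tag"]
    if len(seals) == 1:
        # Assumption: a ps= whose peer header is absent is rejected.
        problems = ["ps= present but peer header missing"] if "ps" in seals[0] else []
    elif len(seals) == 2:
        problems = pair_problems(seals[0], seals[1])
    else:
        problems = ["expected one seal or one peer pair"]
    if problems:
        return False, problems
    usable = [seal for seal in seals if seal["a"] not in deprecated]
    if any(verify(seal) for seal in usable):  # valid if either AS is valid
        return True, []
    return False, ["no seal verifies with a non-deprecated algorithm"]


def chain_ok(instances, verify, deprecated=()):
    """instances: {instance number: [ARC-Seal values]}. Every instance must
    have one acceptable seal (assumed reading of the proposal)."""
    results = {i: instance_seal_ok(vals, verify, deprecated)
               for i, vals in sorted(instances.items())}
    return all(ok for ok, _ in results.values()), results


# Constructed sample: instance 1 was sealed with one algorithm only,
# instance 2 carries a peer pair, one seal per algorithm.
SAMPLE = {
    1: ["i=1; a=rsa-sha256; cv=none; d=example.org; s=rsa2017; b=AAAA"],
    2: ["i=2; a=rsa-sha256; cv=pass; d=example.net; s=rsa2017; ps=ed2017; b=BBBB",
        "i=2; a=ed25519-sha256; cv=pass; d=example.net; s=ed2017; ps=rsa2017; b=CCCC"],
}


def rsa_only_verify(tags):
    """Constructed stand-in for a verifier whose library lacks Ed25519."""
    return tags["a"] == "rsa-sha256"


if __name__ == "__main__":
    print(chain_ok(SAMPLE, rsa_only_verify))
    # After the deadline for rsa-sha256, instance 1 becomes a broken link.
    print(chain_ok(SAMPLE, lambda tags: True, deprecated={"rsa-sha256"}))
```

The second call shows the problem raised earlier in the thread: once the old algorithm is deprecated, a link that was sealed with it alone can no longer be accepted, even by a verifier that supports both algorithms.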


From nobody Thu Dec 21 09:23:27 2017
Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FC01126CE8 for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 09:23:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.371
X-Spam-Level: 
X-Spam-Status: No, score=-0.371 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_24=1.618, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tzr2kl6OgecK for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 09:23:24 -0800 (PST)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F52D126CD8 for <dmarc@ietf.org>; Thu, 21 Dec 2017 09:23:24 -0800 (PST)
Received: by mail-qt0-x229.google.com with SMTP id i40so33290451qti.8 for <dmarc@ietf.org>; Thu, 21 Dec 2017 09:23:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=8te62zVz7rLuI6JvNXRmcUMxQRdw+eUxaufgB5a9x/s=; b=FiYhJx4WrKKnT1XncYg+3r91bokSvbka/p66X611rGAh8Jz6jPIepWuObnEYD9vfYl t+AkqLSlVA69uzZHsilU+kKVFJAqPrtP1eewKlTzmnCQkYYgji+vGE3ABgquFUqjw6aB hWJPgf78h72etsb2UriK0h1byfQwMI4AcTygwYgIOME3iyAP5t7aRX2PrD0G9X2GcVmm 82KXyDQpqNyW5htpVAl9iy+DrPpGMI87l1qhXiJSwDA0I3wsMeuwU4QG16vqjF4B3z7a tbAnCdpekEG8AvdhNz/OnPd0BhgI2h3Nqfv6iTnC8l90gBfaB2oSHUYGYAyuuJc9m8R5 G3TQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=8te62zVz7rLuI6JvNXRmcUMxQRdw+eUxaufgB5a9x/s=; b=FiClIQvDWu2zB3ePCbcxZULLsKy6SqjcXExUkzhzwfZ2jD9m1RMU4zx448llq42Gsm /uENQwuRNVlwCk2ugzr3c0fC4B5PN+QhKCk3huI0Lk0oxQQcSuh+o5MhvOyDwOGhc8Jl aGuYL5L93PcVPklq4J4JEv6c8iao8fuqqYKF14RrThxQ9lbmY/siefgj7UlA62Z1tgIY c1ZNtk7reu/VxLSTZOFKmJ43XWDDzGJhgKu/nTP96a4pSMSjrn8ySYaXtl7vsC5ZKRWv MmQtWZqmRfzS/IR04NYYTOuT3/ROjL+QQbqQYzAPUUMIrdatEeMU0rid4DwpcIX32fGv xHZw==
X-Gm-Message-State: AKGB3mJa8JafWueYGsfKRoN+HdR9i3r9H0ZPOAtJ9FMypdhhponLTjip pJweJ0SHcxfGjcvRaUGW5VuLzA1G23OTtM8Wed7KLAxu
X-Google-Smtp-Source: ACJfBotsEVU5whavXq6p93XfItRnhhMySVi7SoYu9D3PhJqoxYcBHwcoqpeL44dic0WrkLfI03ZPngQ+tufjb6GTGGw=
X-Received: by 10.237.54.138 with SMTP id f10mr15244299qtb.261.1513877003085;  Thu, 21 Dec 2017 09:23:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.45.16 with HTTP; Thu, 21 Dec 2017 09:23:02 -0800 (PST)
In-Reply-To: <20171221165745.3AF54183C822@ary.qy>
References: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> <20171221165745.3AF54183C822@ary.qy>
From: Seth Blank <seth@valimail.com>
Date: Thu, 21 Dec 2017 09:23:02 -0800
Message-ID: <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a1149e90e00c2a10560dcf5d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9Zz_K3hpCacQwgJKbmGc4Aw4FOc>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 17:23:26 -0000

--001a1149e90e00c2a10560dcf5d8
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 21, 2017 at 8:57 AM, John Levine <johnl@taugh.com> wrote:

> Simple administrative approach:
>
> Stall ARC for a few more months until we can get ed25519 into the
> libraries, then adjust the document to make it MUST verify both.
>

Is there any appetite in the group to handle rotation in a separate
document?

-- 

Bringing Trust to Email

Seth Blank | Director of Industry Initiatives
seth@valimail.com
+1-415-894-2724

--001a1149e90e00c2a10560dcf5d8--


From nobody Thu Dec 21 09:30:17 2017
Return-Path: <blong@fiction.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF70712D947 for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 09:30:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fiction.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pOTxL5fz2iVB for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 09:30:08 -0800 (PST)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26FBD124B17 for <dmarc@ietf.org>; Thu, 21 Dec 2017 09:30:08 -0800 (PST)
Received: by mail-io0-x229.google.com with SMTP id g70so9265511ioj.6 for <dmarc@ietf.org>; Thu, 21 Dec 2017 09:30:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fiction.net; s=google;  h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=S69/uyjlM2DUuPIlJJ2pY1LgrAn2ccGXWeIDe5PzoOI=; b=fL1w0AEQ+X9rHCJ9A2fl57N00zsqUFbGDKmDRn48GEMxI9E08bvDQ5qw927sE95gec /tZF7gP5gVxEbVpgCzImZLbFs43ZL9IYaP2RH744hSUH0uJ/kgjrCre9tE5ext00KF8r LRbRqUHWaZO65xGflseIXvnfvu+uxEJtkJAGTjwv9RGWvVO4RlBD4+tfpuBGepZ6E5IQ 6xdWoTlzrRyceTvObPjbAaJxxqL2fr6rrhsDv4+rmu6M0OV+VDM+mqJMERp6xxxK5lKC cxdwB24dMLiTR8ofRlS+Xy/eqk7rzgZtZa1E0rtqtPlB4hWb1uGUSX1oeITiBlea5h7R n15w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=S69/uyjlM2DUuPIlJJ2pY1LgrAn2ccGXWeIDe5PzoOI=; b=c7M9dyO5estYphOQb1Mnl7kEAXqF3K2beFbg5y0Qby1JnNd6+9S2fKWLIphcbYcNHV QDMddKFq02u1j6Wh+ZHT9gXjoTwmZzyEj+f0lmISfI/kt7QBg7Z2Yrm5wRKniNowZDaF 06Axq7Tlalg6ABhtrDlEH8UAs10cSuHhItc2ZotYLnaj+JKDH9AsX6taAKOvdnn6ErgE EgqU87tB268kWTeowLocsUzKWXgF9+lxYm3XoNQiiBDe1otvNjno9BbbQcGGPu0t7L7X x6ChigqAaxdRungv5EdDBKCPcIhe1HPQrehEO8InJHAngDiN/PHiOhiwWoP0YLQcjDbn 2cLw==
X-Gm-Message-State: AKGB3mLBlLy836T6xpWdOZfrJZ23zdi3JYxT1QcpooEiYsjWLvjyiUvk oB+gV6DO85AUemjT/oaQ0qw1kPtc
X-Google-Smtp-Source: ACJfBou9UCF7jpI0+nQdcz0H2UJZ0DvYfnrcdVnZyn0jnlNfr94eTxL0ajosD1T+cw5CwHLZ2G+COA==
X-Received: by 10.107.32.70 with SMTP id g67mr14617712iog.69.1513877407269; Thu, 21 Dec 2017 09:30:07 -0800 (PST)
Received: from mail-io0-f172.google.com (mail-io0-f172.google.com. [209.85.223.172]) by smtp.gmail.com with ESMTPSA id o1sm4472003ite.2.2017.12.21.09.30.06 for <dmarc@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Dec 2017 09:30:06 -0800 (PST)
Received: by mail-io0-f172.google.com with SMTP id f7so1407393ioh.1 for <dmarc@ietf.org>; Thu, 21 Dec 2017 09:30:06 -0800 (PST)
X-Received: by 10.107.35.140 with SMTP id j134mr15177996ioj.166.1513877406194;  Thu, 21 Dec 2017 09:30:06 -0800 (PST)
MIME-Version: 1.0
References: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> <20171221165745.3AF54183C822@ary.qy> <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com>
In-Reply-To: <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com>
From: Brandon Long <blong@fiction.net>
Date: Thu, 21 Dec 2017 17:29:54 +0000
X-Gmail-Original-Message-ID: <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
Message-ID: <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
To: Seth Blank <seth@valimail.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114028e00861530560dd0de9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KoJL3bfymcUtfeM0Ty56ziMoFsg>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 17:30:15 -0000

--001a114028e00861530560dd0de9
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 21, 2017 at 9:23 AM Seth Blank <seth@valimail.com> wrote:

> On Thu, Dec 21, 2017 at 8:57 AM, John Levine <johnl@taugh.com> wrote:
>
>> Simple administrative approach:
>>
>> Stall ARC for a few more months until we can get ed25519 into the
>> libraries, then adjust the document to make it MUST verify both.
>>
>
> Is there any appetite in the group to handle rotation in a separate
> document?
>

I would have preferred not to defer it when arc was on standards track, but
now that it's experimental,
I could see deferring it.  I'm also fine with John's approach to wait for
dcrup, though I don't know many folks
are waiting for arc to be released as an rfc before working on it, I would
think openarc going 1.0 is probably the
main thing folks were waiting for.

Brandon

--001a114028e00861530560dd0de9--


From nobody Thu Dec 21 09:43:21 2017
Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A0EE126B71 for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 09:43:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_IMAGE_ONLY_32=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OPSClC-19APN for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 09:43:17 -0800 (PST)
Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33B0F124B17 for <dmarc@ietf.org>; Thu, 21 Dec 2017 09:43:17 -0800 (PST)
Received: by mail-qt0-x22e.google.com with SMTP id i40so33365212qti.8 for <dmarc@ietf.org>; Thu, 21 Dec 2017 09:43:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=9eFeiPXGYdeDClxDR4VFzm+u6t9kFSk2bnckcZoHoiE=; b=STz1xZMMvQktzoLiPar9lfBWm/s1pKVyQ7wKZHjRaCndNu2iLxOGAu3bwWUIOoghhJ O5J3s/1E9qEJ6NRGZ9A0IXjKNhrQIZq/pHzpVP79j58M0ko0PrsPzlC98Cp9kiexMcXJ LeGLFYCWG2ZR8iToxlDZB7LqHewVYclVOeBD0Ew+mvZcqfsfvdTIEFivAJt2g9pvx/lB epw/UsKCC6zxL6e2AzD79d43MgA43xmAVpgkpYRF2ABK21TPpfZFmgHLg8ZC+biu5BWN MuLLOMh+NfTWMEmMSHW1tWFljr4VJLbRk0i6jJfILylUNXRLLPDPhvK9V3pO6OcgSKsw hrsQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=9eFeiPXGYdeDClxDR4VFzm+u6t9kFSk2bnckcZoHoiE=; b=IM37bvlrVArlZ3pK7EIn2BP9IGD8uRcOKUF2MCe00z5oCpyh7+Jdb2+l4MEUtrOxUh uavw+hbAwapJzwNGWcNP1nNwP3o1RFxIr1daBWJEJeyANfGzRH/ec2blX+b1QAHgIPBF WuSVpJ5qMkrzGok4j1GrLJFCNidc2bEdvITzgS9WNpS2cdJzNFkAY0NCoG02R57HWqyi RgMrPdlFf55M2irmokLx0v8tqwVVl/bql0ryKJsDFnS8gIYQ5VqShNHCBr2KHJwayRrI a1aITGtq2Q5c/Esxgx8fZ/5IWEHers4bajirCbCsiJGEzm85h/ewdTORwTPFMAfo5yEM lRPA==
X-Gm-Message-State: AKGB3mLF23R6merztz7M5OD0WDj4tDLnaVUUmCUXZgLudnhAFYCVjYW3 4+a0p+VDojK2bFemDN/4dsjJOr8rsEPwUBB4i9vvGRY3
X-Google-Smtp-Source: ACJfBovOIxojUWHgipLX3ip995eobNWKlrBoSu03gcF1krYNVW9t1vXEg50E3zJa1eyYQPtm4zN8NrT2wbSpc8flzI0=
X-Received: by 10.200.12.196 with SMTP id o4mr15520184qti.232.1513878196042; Thu, 21 Dec 2017 09:43:16 -0800 (PST)
MIME-Version: 1.0
References: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> <20171221165745.3AF54183C822@ary.qy> <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com> <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
In-Reply-To: <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
From: Seth Blank <seth@valimail.com>
Date: Thu, 21 Dec 2017 17:43:05 +0000
Message-ID: <CAOZAAfOxa+WZTV+4xpgAO-tS1OiS+MDjJ_BhKWejpZJrDcGMMQ@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="089e082285501bd07d0560dd3ce4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/SNbL784AG1MVf7-83sPRUNVIUsI>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 17:43:19 -0000

--089e082285501bd07d0560dd3ce4
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Now from my personal email.


On Thu, Dec 21, 2017 at 09:30 Brandon Long <blong@fiction.net> wrote:

> I would have preferred not to defer it when arc was on standards track,
> but now that it's experimental,
> I could see deferring it.  I'm also fine with John's approach to wait for
> dcrup, though I don't know many folks
> are waiting for arc to be released as an rfc before working on it, I would
> think openarc going 1.0 is probably the
> main thing folks were waiting for.
>

I agree OpenARC 1.0 will help, but many are looking for the technical
components of the draft to be “stable” and this could reopen that
hesitation to implement.

> --

Bringing Trust to Email

Seth Blank | Director of Industry Initiatives
seth@valimail.com
+1-415-894-2724

--089e082285501bd07d0560dd3ce4--


From nobody Thu Dec 21 13:56:55 2017
Return-Path: <kurta@drkurt.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00411126D0C for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 13:56:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=drkurt.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vsN1g-3BvNNp for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 13:56:52 -0800 (PST)
Received: from mail-lf0-x229.google.com (mail-lf0-x229.google.com [IPv6:2a00:1450:4010:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7A65120726 for <dmarc@ietf.org>; Thu, 21 Dec 2017 13:56:51 -0800 (PST)
Received: by mail-lf0-x229.google.com with SMTP id a12so29496095lfe.4 for <dmarc@ietf.org>; Thu, 21 Dec 2017 13:56:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=drkurt.com; s=20130612; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=aV7bVZjUunVQmIjasw2usCYKA51/5WTBmFCV1FBPL54=; b=PCROfe8N+RYyaJ0qER1ACr2vsqJ/VX7BVo/Y8NLVcoziB2ayWEpJHMFweE/C8efl0E ZqxkTyZ813ZD0LE2bKGXKzHwTa7iERZgBt+51XCfHiwEmoJt+MC2c2UF1W66I5QuQ3r9 1U4899k44VpoVQ2c+ABh2SmS9ysLSVGJtN984=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=aV7bVZjUunVQmIjasw2usCYKA51/5WTBmFCV1FBPL54=; b=qTvoDXX2AE074BIet0Da3Gk86+JC2kOP4oBdcYKCBZ2rZxeZcvfG546a868oFggy6l BhIcigXBiFrcdwmwLEWGgzoxWRAHXV4T6Dm1B814gKcqeEpNXY6PWNgPO8t+uhjAzO+f 0VpgRfslYcZkhmGQd+Qdojupq1P8p+o++Hk9czLxs8PxrfJVNSAt020i/CAtdadweyZx C0CGmrup5f0ab1zzHmipMElpVxY/ONAaBQTGivKI05RwNeRNqP24hYv4qIzcelzSCi8f a69HbrWy5GTsHzbHK12hpyND6XkxtLl+RvJFGQrToobU0wSI47Krw9yNq5A+q5HZPzm3 7JDQ==
X-Gm-Message-State: AKGB3mLVOi/IXuUqXXMv/tvvGhBIAE8pnRm+6UM8+ssCl9e5uBL2RscZ 7dzRyvTc11rsNhXn4S/HQ4URPPMmRxgG+wcW+tOHepjl
X-Google-Smtp-Source: ACJfBovvbKtgO646qOK7Er3Q0MsDcifVR8WamKCmytNs/G8wu0cRzRahxt7iNRh7oPC7NQ8NrizKW7VNDD63kbfcgSw=
X-Received: by 10.25.43.200 with SMTP id r191mr7223187lfr.34.1513893409841; Thu, 21 Dec 2017 13:56:49 -0800 (PST)
MIME-Version: 1.0
Sender: kurta@drkurt.com
Received: by 10.25.56.11 with HTTP; Thu, 21 Dec 2017 13:56:49 -0800 (PST)
In-Reply-To: <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
References: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> <20171221165745.3AF54183C822@ary.qy> <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com> <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
From: "Kurt Andersen (b)" <kboth@drkurt.com>
Date: Thu, 21 Dec 2017 21:56:49 +0000
X-Google-Sender-Auth: JheKV_C0m3jNRu_kh3bp5aWwi8o
Message-ID: <CABuGu1ogLd0Vs4qPi_wfT3EOtNK52B4s_3KHYHdPq1fFS=o-1A@mail.gmail.com>
To: Brandon Long <blong@fiction.net>
Cc: Seth Blank <seth@valimail.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a114053d0ec18110560e0c60c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tEg48UI5tRnefLGm-PVtiIq8jOU>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 21:56:54 -0000

--001a114053d0ec18110560e0c60c
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 21, 2017 at 5:29 PM, Brandon Long <blong@fiction.net> wrote:
>
>
> . . .when arc was on standards track, but now that it's experimental . . .
>

It's not experimental - that was a proposal in Prague when we were
considering pushing for WGLC before Singapore. Since we are continuing to
iterate and clean up the language in the standards track protocol, I've
left it on standards track.

--Kurt


--001a114053d0ec18110560e0c60c--


From nobody Thu Dec 21 14:25:15 2017
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B4F3124239 for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 14:25:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kitterman.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zEJsUQ-Upry6 for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 14:25:11 -0800 (PST)
Received: from mailout03.controlledmail.com (mailout03.controlledmail.com [IPv6:2607:f0d0:3001:aa::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C3526120454 for <dmarc@ietf.org>; Thu, 21 Dec 2017 14:25:11 -0800 (PST)
Received: from kitterma-e6430.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout03.controlledmail.com (Postfix) with ESMTPSA id 33BA3C401CA for <dmarc@ietf.org>; Thu, 21 Dec 2017 16:25:10 -0600 (CST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=201409; t=1513895110; bh=UQGvzf8TZipRAaewFmAOQ4DtCnTsHX91ajaVy9E43yc=; h=From:To:Subject:Date:In-Reply-To:References:From; b=pJScUE/nuozwSgJZ41ZLQnQiUjw0q6YP/vORIdWrrMFeSzEgcu7faHlSyyzVMeIV0 cUuVfqrGloDiwJqD2civkgghtzuwClF/gtyQvQjlglpVV3krknNKJBdo5MTkHcEOgc D3+m9G181JcPt9YuncHj5as0a+Rz8IFe7ElLX0ns=
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 21 Dec 2017 17:25:09 -0500
Message-ID: <13429029.WxFjRkil8E@kitterma-e6430>
User-Agent: KMail/4.13.3 (Linux/3.13.0-133-generic; KDE/4.13.3; x86_64; ; )
In-Reply-To: <20171221165745.3AF54183C822@ary.qy>
References: <20171221165745.3AF54183C822@ary.qy>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UiBJIeWoiBB6Jb4vonjzz26hKHs>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 22:25:13 -0000

On Thursday, December 21, 2017 11:57:44 AM John Levine wrote:
> In article <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> you write:
> >I certainly concur with Brandon here - changing ARC algorithm looks like
> >a very messy proposition, I expect you'd pretty much have to do a window
> >where both the old and new algorithm were supported - with a deadline
> >where the old algorithm gets treated like a broken link. ...
> 
> Complex technical approach:
> 
> Invent a new ps= tag for peer selector.  If using two signing
> algorithms, add two AS and AMS headers with the same d= but different
> s=, one for each algorithm, each with a ps= pointing to the other
> header, and each signature covering both headers, and you have to
> check when signing and validating that the ps= in this header matches
> the s= in the other.  The chain is valid if either AS is valid.
> 
> Simple administrative approach:
> 
> Stall ARC for a few more months until we can get ed25519 into the
> libraries, then adjust the document to make it MUST verify both.

I doubt you'll see it in OpenARC until after OpenSSL has a release that 
supports ed25519.  That may be a large value of few.  Does anyone know?

Scott K
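
The peer-selector rule quoted in the message above, as an added example that is not part of the original thread or of any ARC implementation: it checks that paired ARC-Seal headers name each other through the proposed (hypothetical) ps= tag and applies "valid if either AS is valid". The sample headers, function names and the `sig_ok` input (results of cryptographic verification done elsewhere) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample ARC-Seal values (not from the thread). "ps=" is the
# hypothetical peer-selector tag proposed in the message; it is not part of ARC.
SAMPLE_SEALS = [
    "i=1; a=rsa-sha256; d=example.org; s=rsa1; ps=ed1; cv=none; b=AAAA",
    "i=1; a=ed25519-sha256; d=example.org; s=ed1; ps=rsa1; cv=none; b=BBBB",
    "i=2; a=rsa-sha256; d=lists.example.net; s=k1; cv=pass; b=CCCC",
]


def parse_tags(value):
    """Parse a DKIM-style tag list ("k=v; k=v") into a dict, rejecting duplicates."""
    tags = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip()
        if not sep or not name or name in tags:
            raise ValueError("malformed or duplicate tag: %r" % part)
        tags[name] = re.sub(r"\s+", "", val)
    return tags


def check_instance(seals):
    """Return None if one instance's seals are structurally acceptable, else a reason."""
    if len(seals) == 1:
        # A lone seal that still carries ps= means its peer header was removed.
        return "ps= names a missing peer" if "ps" in seals[0] else None
    if len(seals) != 2:
        return "expected one or two seals, got %d" % len(seals)
    a, b = seals
    if a["d"] != b["d"]:
        return "peer seals use different d="
    if a["s"] == b["s"]:
        return "peer seals share one selector"
    if a["a"] == b["a"]:
        return "peer seals use the same algorithm"
    if a.get("ps") != b["s"] or b.get("ps") != a["s"]:
        return "ps= does not match the peer's s="
    return None


def validate_chain(seal_values, sig_ok):
    """Apply the proposed rule to a list of ARC-Seal header values.

    sig_ok maps (instance, selector) to the outcome of signature verification,
    which happens elsewhere (key lookup and crypto are outside this sketch).
    Returns (True, "") or (False, reason).
    """
    by_instance = defaultdict(list)
    for value in seal_values:
        tags = parse_tags(value)
        if not re.fullmatch(r"[0-9]+", tags.get("i", "")):
            return False, "seal has no numeric i="
        if any(k not in tags for k in ("a", "d", "s")):
            return False, "seal missing a required tag"
        by_instance[int(tags["i"])].append(tags)
    if not by_instance:
        return False, "no seals"
    if sorted(by_instance) != list(range(1, len(by_instance) + 1)):
        return False, "instance numbers are not 1..N"
    for i in sorted(by_instance):
        seals = by_instance[i]
        reason = check_instance(seals)
        if reason:
            return False, "i=%d: %s" % (i, reason)
        # "The chain is valid if either AS is valid."
        if not any(sig_ok.get((i, t["s"]), False) for t in seals):
            return False, "i=%d: no seal verified" % i
    return True, ""
```

A verifier that only supports one of the two algorithms passes `False` (or omits the entry) for the seal it cannot check; the instance still validates through its peer, which is the transition behaviour the proposal is after.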



From nobody Thu Dec 21 15:11:00 2017
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3396012DA00 for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 15:10:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yfDreUQooISA for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 15:10:57 -0800 (PST)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C9BA612D7FC for <dmarc@ietf.org>; Thu, 21 Dec 2017 15:10:57 -0800 (PST)
Received: by mail-pg0-x233.google.com with SMTP id f12so13814172pgo.5 for <dmarc@ietf.org>; Thu, 21 Dec 2017 15:10:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=H2NIa/eRH9lGU5Ww7d4dXEnHyzA6fbgXkQmlwasap3E=; b=AY5a59gkQyPu1y4FKqGo2tI+7lf1bSpJnqljvhBq3VIiyoditRxT078Z7gNwR7KFPb V5Ei+YYg0c0ZBnZ5s91vm8IettekzXuj3bPlgrq60qxDYGTcPUEuSZ/HgDvBC0HRp1Wq 9a+G7cQr29HA/3jG866T5x8fbuXpf8THnoAHpOpqTww/GNgygm5vhB6CIkTjcIHABbgj S0KK9OQu5RH+HK/ILk67/XmIDrwJ9oz7kFV3CPholwLLp98DsrNBYbS/+13ARZmthxoC GSesPOsK7eQfMZBixw01dPxIPxRafQA3hcF+Et6ggkgevel2NqWOh8oZagOfxiU/YksG 3pnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=H2NIa/eRH9lGU5Ww7d4dXEnHyzA6fbgXkQmlwasap3E=; b=SkQZ7M0cw8Bq652fepCvFusPSna367b+5p5sV1JE1MAmtgOFAPVTXuqo9zhvs3dBPu fGFEYtLIs5cJV/GNM2LTCBZdy0qzTmvU1KRPC1XAowGgfEYPKIz3Wq4dHg+XhkSM7PO2 3X70SAcwczqZT16P9vAoGn0bnRMMPod8wiWO/VfNucT6EZgC9MU+I6X314ng3dpXsqGC 8N97LB66+fey2HJV2JbYJt57n6mA3s8JfgwQNUjp5mJeTT7mcF5tbWVmprd2WcKA1Pzk IlHoSgd+mxvC0PHGugWfTQN7c4oRzRDIDMo+Oc4xkJxQ28hfvKe9bkerBAbMJEmpW7cm 0u5Q==
X-Gm-Message-State: AKGB3mI2cLyPV1O/YoncIRFl4gfpIV8cXJ85staRgJQyBvKE+BBlD4e3 b/OMHIwcewzUu8FjgJXrqrmEg1LO
X-Google-Smtp-Source: ACJfBovCT78M9+GNE+iRcoxs0tN9M5JvfCbX4LeijhLkk81jJ8PZlqh0ptrW8UQhn/NeWqEdFh46sQ==
X-Received: by 10.98.207.70 with SMTP id b67mr12056040pfg.220.1513897856768; Thu, 21 Dec 2017 15:10:56 -0800 (PST)
Received: from ?IPv6:2600:1700:a3a0:870:c4e8:d795:bbab:6d47? ([2600:1700:a3a0:870:c4e8:d795:bbab:6d47]) by smtp.gmail.com with ESMTPSA id p126sm35672646pga.58.2017.12.21.15.10.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 21 Dec 2017 15:10:54 -0800 (PST)
To: Brandon Long <blong@fiction.net>, Seth Blank <seth@valimail.com>
Cc: dmarc@ietf.org
References: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> <20171221165745.3AF54183C822@ary.qy> <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com> <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <ef41b9f5-256f-d4c6-c570-9ca0ad254563@gmail.com>
Date: Thu, 21 Dec 2017 15:10:32 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/qgRzOM_5ZI_BRj6bbLXyCwUjy7Y>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 23:10:59 -0000

On 12/21/2017 9:29 AM, Brandon Long wrote:
> I would have preferred not to defer it when arc was on standards track, 
> but now that it's experimental,


I recall an extended discussion that produced agreement on experiment.

I don't recall seeing a discussion to reverse that, nor a change in 
circumstances that makes obvious the need for the change.

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net


From nobody Thu Dec 21 15:18:23 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79BC31275C5 for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 15:18:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id btCX-oA7HQ7d for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 15:18:19 -0800 (PST)
Received: from mail-ua0-x229.google.com (mail-ua0-x229.google.com [IPv6:2607:f8b0:400c:c08::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49E9F12D956 for <dmarc@ietf.org>; Thu, 21 Dec 2017 15:18:19 -0800 (PST)
Received: by mail-ua0-x229.google.com with SMTP id q13so18578991uaq.8 for <dmarc@ietf.org>; Thu, 21 Dec 2017 15:18:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=BTENe4cntpAfwx/GestDahupAdA0CXgHlnQuUdYNgsY=; b=whmT8/4jKDE9NccNk1sXxmK7Xgt+yYOO5YHww9E36ra6OLNJrL1gMFetOnUCdLihns EuX8/9uZ9lyBdIUkCndU25k1np8xPlwdwGwzbAJeMvRSX6nZhz7YlKSgLiUoTbdVDK7R f6Ui2rF86EbCTLu8NBurbK9mtMvOTLR+sG1w82o00myTNF3OimzAjkm5YI+BkTcYaUza E+pRmIkdaPErLZs4teBpp8Ogw7AO6KtTp3x7gd5iK0G/s7aOq6VZ2WZthcqHv3TQAt8F +A8+nBh43Kht3vfcEF3IctyJ8ZDJhqC1fftVpomWrbPisY8u4v3OqJSnKgzCRfh7tFtN OiGQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=BTENe4cntpAfwx/GestDahupAdA0CXgHlnQuUdYNgsY=; b=evgjptnJ0exKja4tz5ZUrHZZkrSF35pI+cglyJgFmlMznQugeTNMKL6CluNAPYnt6k lglKykjUD6KcXZE/88oATKs2OQUJoAPjzCbMbyRqB+LFkQnyMBBHzh3F54XgnC3/5ASM Vv4ee8lU7MeCrFkMLCPrigMsLHQlhHSImO4t/VBA+noSSORu4CL6mR/uS05EwvR/DYoF cZ937rhzkAsffc2dvyFY8EGIGuutRIU75SLq/+bKDSlCeHbpFMP16OSxLLmb7EsnXhYj 5NsVXTNDFvOxs3QGtJP1Xaenre6BVmuX2AkPgU9zqfcyM4yXNBare8tn7O/LfooFqPzH 82BA==
X-Gm-Message-State: AKGB3mJUjZyVV01hkZHA6OhUTownTwDV0PlDkT4/knbqe6bHh7lusm42 INKjFwnzuTzzGQmzQYJZMnovpsBydAD95CSgSwMZmzUV
X-Google-Smtp-Source: ACJfBosPdoEGYH97RpqfOc7kSLlMF1b93O+9CEq148g4hv/NpItThSipnRuV1CW24W/6ugSc4dzmy23JUsB+pwLntEQ=
X-Received: by 10.159.49.88 with SMTP id n24mr13664076uab.116.1513898298079; Thu, 21 Dec 2017 15:18:18 -0800 (PST)
MIME-Version: 1.0
References: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> <20171221165745.3AF54183C822@ary.qy> <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com> <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com> <ef41b9f5-256f-d4c6-c570-9ca0ad254563@gmail.com>
In-Reply-To: <ef41b9f5-256f-d4c6-c570-9ca0ad254563@gmail.com>
From: Seth Blank <seth@sethblank.com>
Date: Thu, 21 Dec 2017 23:18:06 +0000
Message-ID: <CAD2i3WOpYbVxcdFp5=YQkUuwnNNR6+Oo7zoE4KHYXEH8y=+vHg@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="f403045dd5d84895740560e1ea78"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/n8op97MdjB1AFWzozv9TO4dvDv0>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Dec 2017 23:18:21 -0000

--f403045dd5d84895740560e1ea78
Content-Type: text/plain; charset="UTF-8"

That is also what I remember, and why I proposed the Experimental
Considerations as part of the primary draft and not the usage guide.

Kurt had some strong opinions on why they belonged in the usage guide,
which I suggest we revisit in another thread.

On Thu, Dec 21, 2017 at 15:11 Dave Crocker <dcrocker@gmail.com> wrote:

> I recall an extended discussion that produced agreement on experiment.
>
> I don't recall seeing a discussion to reverse that, nor a change in
> circumstances that makes obvious the need for the change.
>
> d/
>
> --
> Dave Crocker
> Brandenburg InternetWorking
> bbiw.net
>


--f403045dd5d84895740560e1ea78--


From nobody Thu Dec 21 18:50:38 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1282412D7EE for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 18:50:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.761
X-Spam-Level: 
X-Spam-Status: No, score=-1.761 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=Saj6/opo; dkim=pass (1536-bit key) header.d=taugh.com header.b=HS9c6C3y
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YDtRAfYLxxnd for <dmarc@ietfa.amsl.com>; Thu, 21 Dec 2017 18:50:35 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9351D120713 for <dmarc@ietf.org>; Thu, 21 Dec 2017 18:50:35 -0800 (PST)
Received: (qmail 35640 invoked from network); 22 Dec 2017 02:50:34 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=8b36.5a3c72fa.k1712; bh=GU7WJcC/3jIf1fEA7JG8XbZyBfPB1iFOWiG6eGcifTM=; b=Saj6/opoMVLNrkK5SjSHDPgh8LIkBza+4qByEiGM4dtqm0Eij2CIqWE/d96t2C/aMQToz/AHT0KVPnit9DYWHUgvOYExslLsG+Mso+34HxTxyli4oEoAvCjBzqfVBh/qI466I/SS1VZbWIaGNOjR8S3ydiLIp0k0euMFAKLZRO5daW3UcORn3BVVIQ20xmAzK43eMElX9lsDjftSjCd/Mk+KVqw/xarg6hXmWa5kzRAVjO2P25AAYwKi9L4qPenE
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=8b36.5a3c72fa.k1712; bh=GU7WJcC/3jIf1fEA7JG8XbZyBfPB1iFOWiG6eGcifTM=; b=HS9c6C3y/7Cvg1nx4q8dBF9HZxUVv6Ard5PC5T4CLvCpAVtrvQDAhOzG/9+FgdNat8wsImSXN36ziCzuR7LUQuAyivnQUBWmoQ91p5hNslFtUErcMtdgrFHvVTtRWrZ+BL167PMWx8F4xytL7/cHMFr/fai3vfSE23siSV/ToOwwRoFzujGCDcff1EeiqsK3Dk+BCOJcubBv2b8RocaudKxcFb7bE1xNczUKrP5VqHeFuXIfZCBDYcUO8NZV1gBg
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 22 Dec 2017 02:50:33 -0000
Received: by ary.qy (Postfix, from userid 501) id E4071186D73F; Thu, 21 Dec 2017 21:50:33 -0500 (EST)
Date: 21 Dec 2017 21:50:33 -0500
Message-Id: <20171222025033.E4071186D73F@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: sklist@kitterman.com
In-Reply-To: <13429029.WxFjRkil8E@kitterma-e6430>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/kDoepqUKSHyroiegEzUnCIdyFb4>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Dec 2017 02:50:37 -0000

In article <13429029.WxFjRkil8E@kitterma-e6430> you write:
>> Stall ARC for a few more months until we can get ed25519 into the
>> libraries, then adjust the document to make it MUST verify both.
>
>I doubt you'll see it in OpenARC until after OpenSSL has a release that 
>supports ed25519.  That may be a large value of few.  Does anyone know?

Rich Salz says it's supposed to be in the next release.  The ed25519
code has been in the github source for several months.

R's,
John


From nobody Fri Dec 22 00:32:45 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11E8D1205F0 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 00:32:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VUvLuPs4Bmg4 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 00:32:39 -0800 (PST)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 281CF1250B8 for <dmarc@ietf.org>; Fri, 22 Dec 2017 00:32:39 -0800 (PST)
Received: by mail-qt0-x232.google.com with SMTP id w10so35400004qtb.10 for <dmarc@ietf.org>; Fri, 22 Dec 2017 00:32:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Gzxt9DujyklO0/wC9NRGvjfY7oa9FpkbCqZKz1tZmpI=; b=LSHfEQDR2pe1f7xKGIew71tO8FvIRlgnWNIChLSbXkYFmPsDptAcRdKs2bk4oGOFt6 zfn6961ZEXcDRDA0aquTrZbhn6P5VXy+7MuJbsV8HBmNVBzVDIMjuXHnn2q91231mGJd PPmsRr8k3vv4ZZC/GPZ5C0gILrOk8+qxZblxJ0cv10dqK5bAyu+owQdcIlJP305Sd0wr 5wIQazJYC7tDQzdOAnMvfmpa+qffuC4E89hfdva4JXzGzk4wnla4F2t8+ctK9LlyWk5f TB9GH73Ont833yKMy7j6txysIbeBpfs28871cz8dbIZjcHcj4AhEArG/bFxLmaq1M1wC KqtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Gzxt9DujyklO0/wC9NRGvjfY7oa9FpkbCqZKz1tZmpI=; b=coGdJNbUF3T07RulA8glyxqfSjhG7LX7T6cV9+1LZ3kq31jTzrJ3y89q0Clqr2oSd4 ZcRHnrSUB2AwfNDYlvlEAnCPsZBmDqpl+o/Hou/TbpWSsb2Ly3y6aFDKkYjWQ2L7jaIF UcouPy5Cdtsw4fKs+kDKsUEgvaVvMw3uotLNyyfXiJrYWUzx6rBxNcgYG16+pJwDUOtB iSrDc52xvqHZ1yeFHWROh6rZVisdfQ+DoyXfQkT4wb5b/5xhKnh5A8frU/3izXaiEnUl XGTIGvJchZD5wYFYi9qTFTyS/wfZbyH0ibm8wVvcsXZTnC08Qefn+XSywz9ML7fGzbQZ xdYw==
X-Gm-Message-State: AKGB3mK9hA1GFB8HMQi/p7rCF2U2Nb4PWAOPplQDnpBaVGigGzKyV/uA hPoo+cgqj6YCgfX7M7QLvNB7iOX4du/zQFys0rbAdQ==
X-Google-Smtp-Source: ACJfBosCH6sN7ABOtSX3Cx/i9NQHnq7471UR/Hf29dcH9Q8egaxD2ANiye21eYiQXS8eQzu6RPTegwNHUQZUnkzQBzQ=
X-Received: by 10.200.3.158 with SMTP id t30mr18480992qtg.149.1513931558127; Fri, 22 Dec 2017 00:32:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Fri, 22 Dec 2017 00:32:36 -0800 (PST)
In-Reply-To: <CAD2i3WOpYbVxcdFp5=YQkUuwnNNR6+Oo7zoE4KHYXEH8y=+vHg@mail.gmail.com>
References: <1513857489.3531319.1212273208.18FE87CD@webmail.messagingengine.com> <20171221165745.3AF54183C822@ary.qy> <CAOZAAfMfVvqXh97t+Zdt1e4Ug_7DK3ETwjzC=PZL7SaPYWsgoQ@mail.gmail.com> <CABa8R6uKDZ_KqNummA5JF=_B-pa_t6HGBaOj=LBJVmH3nnA39A@mail.gmail.com> <ef41b9f5-256f-d4c6-c570-9ca0ad254563@gmail.com> <CAD2i3WOpYbVxcdFp5=YQkUuwnNNR6+Oo7zoE4KHYXEH8y=+vHg@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 22 Dec 2017 00:32:36 -0800
Message-ID: <CAL0qLwa-D+xkRuvMpWZ5UQ71m3i09hp5+bO9nrX21f=X0Hjptg@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="f4030435d08cbc8d180560e9a8d0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/MWdzHA1j9ZglS0m-W05TYVHtY80>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Dec 2017 08:32:41 -0000

--f4030435d08cbc8d180560e9a8d0
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 21, 2017 at 3:18 PM, Seth Blank <seth@sethblank.com> wrote:

> That is also what I remember, and why I proposed the Experimental
> Considerations as part of the primary draft and not the usage guide.
>
> Kurt had some strong opinions on why they belonged in the usage guide,
> which I suggest we revisit in another thread.
>
> On Thu, Dec 21, 2017 at 15:11 Dave Crocker <dcrocker@gmail.com> wrote:
>
>> I recall an extended discussion that produced agreement on experiment.
>>
>> I don't recall seeing a discussion to reverse that, nor a change in
>> circumstances that makes obvious the need for the change.
>>
>
This was also my understanding.

"Experimental" is perfectly fine.  As I understand it, EAI did that first
and went to the standards track after it had some field use.

-MSK


--f4030435d08cbc8d180560e9a8d0--


From nobody Fri Dec 22 05:49:01 2017
Return-Path: <ian.levy@ncsc.gov.uk>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F22D12EA54 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 05:49:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level: 
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ncsc.gov.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wer4g5hy7Xoy for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 05:48:57 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0110.outbound.protection.outlook.com [104.47.1.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB6EE12E891 for <dmarc@ietf.org>; Fri, 22 Dec 2017 05:48:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ncsc.gov.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=JvYJhe8AlsO36GjuqCqEi3Fp8gwtStioQgPmA1kNOzI=; b=dtHKlMk30SvmnuiXhYzqF8FO6bDp5oLuxXo3c2AxK88ENWMCylWjNGJFzrTvyxHtiz2KnuwZBMfrAbb522vVotvAFjZdCXAU4wbxLJ4zoXqjWk64ODq6n8RyuO7TiW5eumhyw93bSIsaY78a2sl+7gtq9crJ1GEG6+oc7aKj1U0=
Received: from MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM (10.166.240.152) by MMXP12301MB1664.GBRP123.PROD.OUTLOOK.COM (10.166.242.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.345.14; Fri, 22 Dec 2017 13:48:53 +0000
Received: from MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM ([10.166.240.152]) by MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM ([10.166.240.152]) with mapi id 15.20.0345.013; Fri, 22 Dec 2017 13:48:53 +0000
From: Ian Levy <ian.levy@ncsc.gov.uk>
To: John R Levine <johnl@taugh.com>, "Kurt Andersen (b)" <kboth@drkurt.com>
CC: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Preventing abuse of public-suffix-level domains
Thread-Index: AQHTdevoT2ysiWzEvUO1V0Z1nq0wk6NHbc2AgAOAYQCAAPZqoIAAnvOAgAAIy4CAAtzJ4A==
Date: Fri, 22 Dec 2017 13:48:53 +0000
Message-ID: <MMXP12301MB16634237BE562EF02C574FFAC9020@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com> <alpine.OSX.2.21.1712201247540.62094@ary.qy>
In-Reply-To: <alpine.OSX.2.21.1712201247540.62094@ary.qy>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
msip_labels: 
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ian.levy@ncsc.gov.uk; 
x-originating-ip: [51.141.26.231]
x-ms-publictraffictype: Email
received-spf: None (protection.outlook.com: ncsc.gov.uk does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ncsc.gov.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 183753ee-a460-47f4-a05d-08d54942bd6b
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Dec 2017 13:48:53.6628 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 14aa5744-ece1-474e-a2d7-34f46dda64a1
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MMXP12301MB1664
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6AyoE5aEZc3a_0ESpAcY_zbc5U4>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-List-Received-Date: Fri, 22 Dec 2017 13:49:00 -0000

John,
Thanks for this. I think we'd decided this wouldn't work (along with JISC, who currently run the authoritative DNS for gov.uk). For the life of me, I can't remember why though!

We'll have another look at it after the holidays. We have every intention of making delegates responsible for doing something sensible in their namespace as well.

Thanks again.

Ta.

I.

--
Dr Ian Levy
Technical Director
National Cyber Security Centre

Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk

-----Original Message-----
From: John R Levine [mailto:johnl@taugh.com]
Sent: 20 December 2017 17:58
To: Kurt Andersen (b) <kboth@drkurt.com>
Cc: Ian Levy <ian.levy@ncsc.gov.uk>; dmarc@ietf.org
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains

On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:
>> I need to be able to emulate in some way the effect of SPF and DMARC
>> records for non-existent first level subdomains under the PSL gov.uk
>> - to stop spoof mail apparently coming from them being delivered.

> I'm quite sure that you will need to do this via synthetic records
> being returned either by the gov.uk name servers or by having gov.uk
> refer to a general "parked domain" name server (farm) for all of the
> non-existent subdomains ...

With your current DNS setup, you could add this, no new name servers
needed:

*.gov.uk. IN TXT "v=spf1 -all"
*.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"

This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and abc.def.gov.uk.  It won't cover names under existing subdomains, e.g.
abc.mod.gov.uk but it's better than nothing.

Unless the people who host your DNS are willing to let you use customized stunt servers, which seems unlikely considering who they are, that's about the best you can do without getting the cooperation of your delegatees.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fjl.ly&data=02%7C01%7Cian.levy%40ncsc.gov.uk%7Cbd63e2124c974606c8a808d547d33b16%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C636493894920036818&sdata=iUTep54zAORBtIwqsMU%2BjEg51F%2FhxgAEPX%2BXl9IEfmU%3D&reserved=0
This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk


From nobody Fri Dec 22 07:39:19 2017
Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22F6812EB1C for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 07:39:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=GyrH5l+H; dkim=pass (1536-bit key) header.d=taugh.com header.b=Zu4VtlUh
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0kRo7LpPKnqL for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 07:39:14 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC5612EB16 for <dmarc@ietf.org>; Fri, 22 Dec 2017 07:39:14 -0800 (PST)
Received: (qmail 67147 invoked from network); 22 Dec 2017 15:39:13 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=10648.5a3d2721.k1712; bh=j20HdJgxmBO5Lr3vImtbfRd6+XP3Q8XAcliIuWUUwnc=; b=GyrH5l+HL2wKpbgl1qS8cyNWeBKbJ8K2QLAhNjoCQfc5wgl4g4i78cMS4OfjHWcRffuqc0+LV4qjvm3lImEAhE8+09plbSw/1qe9/HIcuvnBtlf0vX5DyIwowIWEJ9Zim5wXCAaRInZns5/GE2eXaT2SKbmF19GS3FYDWEAuz08YiPbZT3s69VMJd+kwFkW+/VmGI5tW+g6ypObZTBKnzM1hp3Bvdi4ac683GHUCPk8L/EbnuuARIvuRw7hAKmoO
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=10648.5a3d2721.k1712; bh=j20HdJgxmBO5Lr3vImtbfRd6+XP3Q8XAcliIuWUUwnc=; b=Zu4VtlUhzye0zPgYxxZG88eayGWwfNZaY4VEub+b50EBiVK9vS+VBjtz6VfCbM6LXdU7GVNqlhX9X/VdeMGmeILfEnK3B3M1CMc19/xOpmY/xPsVp8YFsJ5CzKu5qjQ1zAxtb4ivizg/je0LWxPt1zjXOD8DcH2ckek5R7t+ekl6zl8ZeAHReNEmirF4hRFgDtR+O+Ojv/EVe831yXQCr1qxxD3WtL6L80L3ahrJWctWpI3Ai4w9mCPLE+YRozv5
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 22 Dec 2017 15:39:12 -0000
Date: 22 Dec 2017 10:39:13 -0500
Message-ID: <alpine.OSX.2.21.1712221036290.8789@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Ian Levy" <ian.levy@ncsc.gov.uk>
Cc: "Kurt Andersen (b)" <kboth@drkurt.com>, "dmarc@ietf.org" <dmarc@ietf.org>
In-Reply-To: <MMXP12301MB16634237BE562EF02C574FFAC9020@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
References: <MMXP12301MB1663B5D4F60BE1B26A9A74ECC90E0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <20171219171548.EA07418299CE@ary.qy> <MMXP12301MB16634F06ED93BD0E9B16FBCBC90C0@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM> <CABuGu1pBF0L8N5z=__LQ0D7KazY4CC7ZB=FF4SU4MKs4a4OdbA@mail.gmail.com> <alpine.OSX.2.21.1712201247540.62094@ary.qy> <MMXP12301MB16634237BE562EF02C574FFAC9020@MMXP12301MB1663.GBRP123.PROD.OUTLOOK.COM>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/KFY8Hpvash435B5S7FjEa8Q7jFo>
Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
X-List-Received-Date: Fri, 22 Dec 2017 15:39:17 -0000

> Thanks for this. I think we'd decided this wouldn't work (along with JISC, who currently run the authoritative DNS for gov.uk). For the life of me, I can't remember why though!

It's worth reading RFC 4592, a fairly dense description of how DNS 
wildcards work, to be clear about what names *.gov.uk will match and what 
they won't so you know what to expect.  People even within the IETF can 
find them confusing.

R's,
John


>
> We'll have another look at it after the holidays. We have every intention of making delegates responsible for doing something sensible in their namespace as well.
>
> Thanks again.
>
> Ta.
>
> I.
>
> --
> Dr Ian Levy
> Technical Director
> National Cyber Security Centre
>
> Staff Officer : Kate Atkins, kate.a@ncsc.gov.uk
>
> -----Original Message-----
> From: John R Levine [mailto:johnl@taugh.com]
> Sent: 20 December 2017 17:58
> To: Kurt Andersen (b) <kboth@drkurt.com>
> Cc: Ian Levy <ian.levy@ncsc.gov.uk>; dmarc@ietf.org
> Subject: Re: [dmarc-ietf] Preventing abuse of public-suffix-level domains
>
> On Wed, 20 Dec 2017, Kurt Andersen (b) wrote:
>>> I need to be able to emulate in some way the effect of SPF and DMARC
>>> records for non-existent first level subdomains under the PSL gov.uk
>>> - to stop spoof mail apparently coming from them being delivered.
>
>> I'm quite sure that you will need to do this via synthetic records
>> being returned either by the gov.uk name servers or by having gov.uk
>> refer to a general "parked domain" name server (farm) for all of the
>> non-existent subdomains ...
>
> With your current DNS setup, you could add this, no new name servers
> needed:
>
> *.gov.uk. IN TXT "v=spf1 -all"
> *.gov.uk. IN TXT "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>"
>
> This will cover all undelegated names below gov.uk, e.g. abc.gov.uk and abc.def.gov.uk.  It won't cover names under existing subdomains, e.g.
> abc.mod.gov.uk but it's better than nothing.
>
> Unless the people who host your DNS are willing to let you use customized stunt servers, which seems unlikely considering who they are, that's about the best you can do without getting the cooperation of your delegatees.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY Please consider the environment before reading this e-mail. https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fjl.ly&data=02%7C01%7Cian.levy%40ncsc.gov.uk%7Cbd63e2124c974606c8a808d547d33b16%7C14aa5744ece1474ea2d734f46dda64a1%7C0%7C0%7C636493894920036818&sdata=iUTep54zAORBtIwqsMU%2BjEg51F%2FhxgAEPX%2BXl9IEfmU%3D&reserved=0
> This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk
>
>

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
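
What RFC 4592 implies for the two wildcard records proposed in this thread, as an added example that is not part of any poster's message: a simplified single-zone lookup in Python. The sample zone entries (www, mod, dept, the name servers and addresses) and the function names are constructed assumptions; the real gov.uk zone is not modelled.

```python
# Added example: simplified RFC 4592 wildcard resolution for one zone.
# The zone contents are constructed sample data, not the real gov.uk zone.

APEX = "gov.uk"

ZONE = {
    "gov.uk": {"NS": ["ns1.example.net."]},
    # The two wildcard records proposed in the thread.
    "*.gov.uk": {"TXT": [
        "v=spf1 -all",
        "v=DMARC1; p=reject; rua=mailto:<something>; ruf=mailto:<something>",
    ]},
    "www.gov.uk": {"A": ["192.0.2.10"]},           # existing host, no TXT
    "mod.gov.uk": {"NS": ["ns1.example.org."]},    # delegated subdomain
    "mail.dept.gov.uk": {"A": ["192.0.2.25"]},     # makes dept.gov.uk exist
}


def _labels(name):
    return name.lower().rstrip(".").split(".")


def _existing_names():
    """Owner names plus every empty non-terminal between them and the apex."""
    depth = len(_labels(APEX))
    names = set()
    for owner in ZONE:
        ls = _labels(owner)
        for i in range(len(ls) - depth + 1):
            names.add(".".join(ls[i:]))
    return names


def lookup(qname, qtype):
    """Return (status, rrset) as this zone's authoritative server would."""
    ls = _labels(qname)
    depth = len(_labels(APEX))
    if ls[-depth:] != _labels(APEX):
        return ("OUT_OF_ZONE", [])
    # 1. A zone cut at or above qname (below the apex) wins: referral.
    for i in range(len(ls) - depth - 1, -1, -1):
        if "NS" in ZONE.get(".".join(ls[i:]), {}):
            return ("REFERRAL", [])
    existing = _existing_names()
    name = ".".join(ls)
    # 2. The name exists (even with no data of this type): no wildcard.
    if name in existing:
        rrset = ZONE.get(name, {}).get(qtype, [])
        return ("ANSWER", rrset) if rrset else ("NODATA", [])
    # 3. Closest encloser: the longest existing ancestor of qname.
    i = 1
    while ".".join(ls[i:]) not in existing:
        i += 1
    wildcard = "*." + ".".join(ls[i:])
    # 4. Only a wildcard directly below the closest encloser can match.
    if wildcard in ZONE:
        rrset = ZONE[wildcard].get(qtype, [])
        return ("WILDCARD", rrset) if rrset else ("NODATA", [])
    return ("NXDOMAIN", [])


def spoof_coverage(domain):
    """SPF and DMARC records a receiver would get from this zone for mail
    claiming to come from `domain`. Both wildcard TXT records come back at
    every matched name, so the receiver selects by version prefix."""
    _, at_domain = lookup(domain, "TXT")
    _, at_dmarc = lookup("_dmarc." + domain, "TXT")
    spf = [t for t in at_domain if t.startswith("v=spf1")]
    dmarc = [t for t in at_dmarc if t.startswith("v=DMARC1")]
    return {"spf": spf[0] if spf else None,
            "dmarc": dmarc[0] if dmarc else None}


if __name__ == "__main__":
    for d in ("abc.gov.uk", "abc.def.gov.uk", "abc.mod.gov.uk",
              "www.gov.uk", "xyz.dept.gov.uk"):
        print(d, lookup(d, "TXT")[0], spoof_coverage(d))
```

In this model, existing names such as www.gov.uk and anything below an empty non-terminal such as dept.gov.uk get no synthesized record, so they need their own SPF and DMARC TXT records.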


From nobody Fri Dec 22 09:37:46 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A177F127241 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 09:37:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.761
X-Spam-Level: 
X-Spam-Status: No, score=-1.761 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=f+k85qqJ; dkim=pass (1536-bit key) header.d=taugh.com header.b=k2yxgf91
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7zLBFMefl6PG for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 09:37:42 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45C12126DFF for <dmarc@ietf.org>; Fri, 22 Dec 2017 09:37:42 -0800 (PST)
Received: (qmail 91177 invoked from network); 22 Dec 2017 17:37:41 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=16427.5a3d42e5.k1712; bh=rPRCzpp9D/XWxH0vZGHZ73iQaWc15RwDEtCc39FUsMI=; b=f+k85qqJ52UO0FvgJ7ljZeND/PHr9mryf/dGp71jXnlvfr+Vwdkex8hax2IuoH5x0Rx9a3RSHBQ16swoIQhz4VuTi1OqS4wCRMMfmHWUi8r/45ogYqCqXkMZhPkuo8yvQYQ2ogblc0FT9x/WKZVwxij9kHfGScDsFX4GveigARRFFe68LJsgO9xkpFYN2eHagyR8p78phXDJX+XtUKS2y2/Q7SIQH9kl5xxgJ0yx7nKy2np8C8KAKqExRoq8ReR8
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding; s=16427.5a3d42e5.k1712; bh=rPRCzpp9D/XWxH0vZGHZ73iQaWc15RwDEtCc39FUsMI=; b=k2yxgf91gYOTCvCGzak7LAVtNWKvkn8yuuY35MSqh1HFb+obR8HmiKK+Dbnt/+3wRgF7Qp6W0xvLVk08/fi52kCZ0NcbNHHcFIgxCB3a74g/HS3X0MkVCOgXJhIKQhQb5xDzsiK58fr/tOnhnPNhNAsK8hjgpubWUmx9PH+QUtcnRrNh/pa+MywtmnjDgLG6bRdqKXBNO7XtEf7k2e0ScDXILAAJXCjZuAA1vyp35pluKe60c9/YQk2kpaHRsF1o
Received: from ary.qy ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 22 Dec 2017 17:37:41 -0000
Received: by ary.qy (Postfix, from userid 501) id A73F3187069D; Fri, 22 Dec 2017 12:37:39 -0500 (EST)
Date: 22 Dec 2017 12:37:39 -0500
Message-Id: <20171222173740.A73F3187069D@ary.qy>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: superuser@gmail.com
In-Reply-To: <CAL0qLwa-D+xkRuvMpWZ5UQ71m3i09hp5+bO9nrX21f=X0Hjptg@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/gvUecJuYLT9GIh5zbcZ_U9CgNkw>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-List-Received-Date: Fri, 22 Dec 2017 17:37:44 -0000

In article <CAL0qLwa-D+xkRuvMpWZ5UQ71m3i09hp5+bO9nrX21f=X0Hjptg@mail.gmail.com> you write:
>"Experimental" is perfectly fine.  As I understand it, EAI did that first
>and went to the standards track after it had some field use.

That is true, but it's also true that the standards track version of
EAI is fairly different from the experimental version, mostly by
leaving out a feature that didn't work in the field (downgrading.)

ARC is complex enough that I think it's likely that once we have
experience with ARC 1.0, we'll find that the standards track ARC 2.0 is
somewhat different.  Perhaps we should think about how to prepare
for that, e.g., the dread version number field.

R's,
John


From nobody Fri Dec 22 09:57:26 2017
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB1AE1242F7 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 09:57:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gM273aLNDWT for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 09:57:22 -0800 (PST)
Received: from mail-yb0-x22f.google.com (mail-yb0-x22f.google.com [IPv6:2607:f8b0:4002:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F96912025C for <dmarc@ietf.org>; Fri, 22 Dec 2017 09:57:22 -0800 (PST)
Received: by mail-yb0-x22f.google.com with SMTP id 5so18244801ybp.4 for <dmarc@ietf.org>; Fri, 22 Dec 2017 09:57:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=7VpN45D5j1IYS/owu27dYAMGi1FE2huSjZGwLyqGR3I=; b=Ifr+wuO27LObHwaR4ztWbwwPwC8BjtOp7OQa83S2i+pvB+zM8BQrvqxVk4hSTDDInX MUC4TfYuzijz5hZ84G7m5D7HyUzs8J+blsT66eTleNxHT6U5wmiHO1hj9e61NS2P2hGO KUIh+xAKQBn208o4UTYfOZgvuzMcmzjr3hS/9LPAC1orPbzO3qhzQnXsZDH1mxryBtgn p1G/Q6nVMWEceeQdAeaP0eeTw4Zy2v0Zhy67z4TkTweRVIqg+PAo7zCHVgUccuu6g+HO Ypid1n+MBofRDEUk5R/blhEJfbHCPcoXkt+tMZwcmuNu+kUAnVDiE27nvnShxaFVyWYi LCSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=7VpN45D5j1IYS/owu27dYAMGi1FE2huSjZGwLyqGR3I=; b=DZb+0eVQ04osWVhsGY3w9P9yQk3FHTAiKU4WUBmhUlCVhopEr4UwEI6Etjo6cdpxcR HywtcdmWD1tg9eKvJNSNCaOJvYH04b+BWoSJ88uPaBk4Nno4/JnShEdOym6Q3CUulIpV jNhcP21dtzNltGCeYuMZwKDEDQZTTih8cd+WOEC/rTwxjG4cJgz4UexlpeqbppVR4jpa qMMsZSC24gIKZfe378Tn9HzsPQbZBtwnI//TzFrDLGHSx2VSd5sqg2rRxSymo4ic6GbE hfAMPFYNbDTNCqOBTXp8EqFVlDcVFeMYY9+CDI6iLhhpEwIplNPhiPGDOONFpKTeu6I9 kR0A==
X-Received: by 10.37.206.198 with SMTP id x189mr3908636ybe.87.1513965441037; Fri, 22 Dec 2017 09:57:21 -0800 (PST)
Received: from ?IPv6:2600:1700:a3a0:870:c4e8:d795:bbab:6d47? ([2600:1700:a3a0:870:c4e8:d795:bbab:6d47]) by smtp.gmail.com with ESMTPSA id v201sm10151647ywc.49.2017.12.22.09.57.19 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Dec 2017 09:57:20 -0800 (PST)
To: John Levine <johnl@taugh.com>, dmarc@ietf.org
Cc: superuser@gmail.com
References: <20171222173740.A73F3187069D@ary.qy>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <db453ae0-19bd-b5a3-2d85-109bfd24633f@gmail.com>
Date: Fri, 22 Dec 2017 09:56:56 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <20171222173740.A73F3187069D@ary.qy>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DFjY8HM2PF_Q96YuE5yKo8GbwcI>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-List-Received-Date: Fri, 22 Dec 2017 17:57:24 -0000

On 12/22/2017 9:37 AM, John Levine wrote:
> Perhaps we should think about how to prepare
> for that, e.g., the dread version number field.


To repeat my non-traditionalist view of version numbers: I've seen 
claims of effective uses for them, not mere promises of future 
usefulness, but I haven't retained the examples.

Rather, my view is:

1. Added features:  A revision often adds a feature or extends values, 
or the like.  My claim is that the presence of that additional 
information also signals use of the later version of the specification. 
Hence the version field is, at best, redundant.

2. Deprecated features:  Consider the above and then reverse it.  The 
presence of a deprecated feature tells the receiver that the sender is 
using the older version of the spec.  Again, the version field is redundant.

3. Incompatible features:  This is the interesting case, where the 
previous and later versions have conflicting behaviors. My view is that 
this is not merely a new 'version' but, rather, is a new protocol. 
However the protocol itself -- not version -- has been identified by the 
lower layer, a new label should be used.


d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net


From nobody Fri Dec 22 10:03:32 2017
Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1092127522 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 10:03:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=Pb1BAAmY; dkim=pass (1536-bit key) header.d=taugh.com header.b=RRVnxOq8
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mZKFgFzszq5D for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 10:03:28 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CA07124B18 for <dmarc@ietf.org>; Fri, 22 Dec 2017 10:03:28 -0800 (PST)
Received: (qmail 99219 invoked from network); 22 Dec 2017 18:03:27 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=18391.5a3d48ef.k1712; bh=jFnC0jFvaXVaNDlIbWsabgrrcktT1MVj2jlI0MH0Zjs=; b=Pb1BAAmYrjj16rDRZ929+Izkmv+85685fF2FPnL+FzGkis0QvF8dEGgB5G+iPyibhtMZZ1aO4P0KfHoO/U/fE4+odb2GGF3ohf94mbbVsOpkhlRMWHuiWewIfI8/Q0bkT2eysmhRYi5K1bs5VBomgYkM1vCp1W8SspOWEveqz7ZbF7pLxyGDSEa8sc50Muo/tyazn8JBLdJ8Y5ZPjUnTY3P9M+A8bhaMMNNOJS/a8BucWALoLLOMwgl28uNNsU7K
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=18391.5a3d48ef.k1712; bh=jFnC0jFvaXVaNDlIbWsabgrrcktT1MVj2jlI0MH0Zjs=; b=RRVnxOq82N9GgxUlXi4PW54lrequwYZnY58y8sv1PblUAx+RJzBKSwbUfFf3ikLqbyhyyH/U3225803ennBtWsoFhPbs/+7itV7oczLWBeFSE8sISVxO74eYUdtXPSt71+HPySjqbqHxbfUQFr+xBBNVOSpo6Hg21nJTqMDrv2RZSKwYRPx0sSlJ6JbzlbqCQ3zUwO/zfFZ36Vi9L+M/e6A/XFVB2Da/KKXnXjLrEx+wXK5gBlzYp9ssmJcC1YVX
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 22 Dec 2017 18:03:27 -0000
Date: 22 Dec 2017 13:03:26 -0500
Message-ID: <alpine.OSX.2.21.1712221300460.9375@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Dave Crocker" <dcrocker@gmail.com>
Cc: dmarc@ietf.org, "Murray Kucherawy" <superuser@gmail.com>
In-Reply-To: <db453ae0-19bd-b5a3-2d85-109bfd24633f@gmail.com>
References: <20171222173740.A73F3187069D@ary.qy> <db453ae0-19bd-b5a3-2d85-109bfd24633f@gmail.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DVRdnM02K0-HmiQUiqELZI3B3Xg>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-List-Received-Date: Fri, 22 Dec 2017 18:03:30 -0000

On Fri, 22 Dec 2017, Dave Crocker wrote:
> 3. Incompatible features:  This is the interesting case, where the previous 
> and later versions have conflicting behaviors. My view is that this is not 
> merely a new 'version' but, rather, is a new protocol. However the protocol 
> itself -- not version -- has been identified by the lower layer, a new label 
> should be used.

As you note, in a tag=value system you don't need versioning to add or 
ignore tags.  We'll have to agree to disagree about whether it's a good 
idea to invent a new name for every version tweak that's not fully 
backward compatible, particularly ones that don't change the parsing, just 
the interpretation.

R's,
John

PS: But if you're saying that IPv6 should have had a different name, I 
totally agree.


From nobody Fri Dec 22 10:07:26 2017
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C747120725 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 10:07:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jBTFcJ8q5_am for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 10:07:24 -0800 (PST)
Received: from mail-yb0-x22f.google.com (mail-yb0-x22f.google.com [IPv6:2607:f8b0:4002:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1BD112025C for <dmarc@ietf.org>; Fri, 22 Dec 2017 10:07:23 -0800 (PST)
Received: by mail-yb0-x22f.google.com with SMTP id 5so18254951ybp.4 for <dmarc@ietf.org>; Fri, 22 Dec 2017 10:07:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=5Dt+k7fm08AYe/xWCOLmJNR4wR7YDCrdT+ezUkDLsnw=; b=pgk2Ioj+1Nff9e+uGwsLgTwlecf4Q1s4hxJMCNZA3JJfFumHoRxd5k0SrXNi6OajJo Z88mQ2/EujP/kDRVEi+aFEnM/paKej0rxMT5A2XBRqdaaJKQ7b1nvcqw3EsnwPmdMQZ3 0QbhUQq26vGFYNTm/+cmLebMEBkEEPsy+qBcAk17jwqJ5JxnMsKF83o+yafR66ShglI6 hr+941pzr8/PRA+KkE6cZOIiw0b/SG0sQDRB3dslACwQlHWnUpPy+QVVC/bTiEw1ErjN M35W4KFkRTXhVBCr4mbW2GH83CZ6GFNGY/6EHH8z69a3LFVghW7KX04nPRcwIhPuRCDc /PcA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=5Dt+k7fm08AYe/xWCOLmJNR4wR7YDCrdT+ezUkDLsnw=; b=tMHXyWtmTLBCG1ZtLzivw2u4I0TupgE4eugyIJgvuHTD0E27d4qifLnqIVTfq3L9Hj M2VaOdHO+Spl9zJ2X+/dI+fPllzgWRE0Yr/yJDVvHoEfYwzprt1WNi3nF1JLueTq6hwc 8vmFghieXCU0AegW5SMSgegML0fZEmlNSkHJYumQqFxa6Fp9jeT+4SzSMJkwMuEO4+iF AVRmIOhVkoPhkWlp4ja6pPa1Dj2fWUfMFD2P2K9rK0xmY1askB1AjzKpPpMjToNqZ3xk z8DzLEho1F4q3eU9vZbXFkiyGLOVcYh5HlSwiSOgr/HHodg9fxFFdGKmH2bbuz4uGtAg +GqA==
X-Gm-Message-State: AKGB3mKf+y/3aum5aLMXbk0CPLfASoRzGjtI+Fs3SECQ+qItL1OBG6Yb apAuNRzaxZ4pwWZAKfapd7ZqK7Bo
X-Google-Smtp-Source: ACJfBotwvjchmZcfQvJliRFIaj5Sz6nERcXuk36yJooa785l9+JtEubaVx/k/nbzeCB81zU9Yq8Wvw==
X-Received: by 10.37.49.4 with SMTP id x4mr9530054ybx.246.1513966042860; Fri, 22 Dec 2017 10:07:22 -0800 (PST)
Received: from ?IPv6:2600:1700:a3a0:870:c4e8:d795:bbab:6d47? ([2600:1700:a3a0:870:c4e8:d795:bbab:6d47]) by smtp.gmail.com with ESMTPSA id r7sm1134991ywa.103.2017.12.22.10.07.20 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 22 Dec 2017 10:07:21 -0800 (PST)
To: John R Levine <johnl@taugh.com>
Cc: dmarc@ietf.org, Murray Kucherawy <superuser@gmail.com>
References: <20171222173740.A73F3187069D@ary.qy> <db453ae0-19bd-b5a3-2d85-109bfd24633f@gmail.com> <alpine.OSX.2.21.1712221300460.9375@ary.qy>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <eec4ef35-8314-922c-6a75-d81a25cb3d81@gmail.com>
Date: Fri, 22 Dec 2017 10:06:58 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.1712221300460.9375@ary.qy>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/CCF7l4CjKcfhcPuzecelE8KFW0k>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Dec 2017 18:07:25 -0000

On 12/22/2017 10:03 AM, John R Levine wrote:
> We'll have to agree to disagree about whether it's a good idea to
> invent a new name for every version tweak that's not fully backward
> compatible, particularly ones that don't change the parsing, just the
> interpretation.

1.  I believe such incompatibilities are relatively rare.

2. It should be viewed as a Very Big Deal.

Compatibility is essential for operational stability, so something that
breaks that is inherently traumatic.  Using a new, lower-level
identifier is the least of the issues.

d/
-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net


From nobody Fri Dec 22 22:01:48 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C16F1124205 for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 22:01:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level: 
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jGms3Z_gaMqT for <dmarc@ietfa.amsl.com>; Fri, 22 Dec 2017 22:01:45 -0800 (PST)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C06A91200F1 for <dmarc@ietf.org>; Fri, 22 Dec 2017 22:01:44 -0800 (PST)
Received: by mail-qt0-x230.google.com with SMTP id g9so38554434qth.9 for <dmarc@ietf.org>; Fri, 22 Dec 2017 22:01:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=m2Se7tmM9FvtTJWbveElOSpXj/foZ3hJ3rGJNvM0nUA=; b=XCW8RjvZ22l6LP0o/AMcG5oKOFSho9FmyRsHV0qmsoNJ/Mr0PhB9+0NROn0raGXu4N fPbhn435cdnooPXhD10thxsOZHW/bxckUYjDlld8JCz0JbuDGgru4ExnDuEq/A2IcaOD eJnNEIax6Y78MDXI0nJqmhdG7sIqdkF314haUogth4AqlWiMEaPXaLKD2aJg586YAOrS 7RGHivkXFkxJWba1lRCggYwdgm1OZOLTLXT/Wim3qYoYsPxfwbDvQ68AtCbBc3oOoW9a TpFW6d7mTJOb4+tDPXzjvYJUs6f9J8cvsfB/Szo40t5SEovZqx0wbdSXjS8/ZY9otRxZ bubA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=m2Se7tmM9FvtTJWbveElOSpXj/foZ3hJ3rGJNvM0nUA=; b=CZxUWBekQ5KD9+GWM8HFul1Wr8GWNyajUgoQ1dGfk1hTmGs+7k6kBk9ZUmowhZ9UVC C2PAiayOUi74rgb0SS6zlkZnOKe0EZbm+B7pk+kD79xk94HJ7eCJmdthFPc371roaPj3 gY1j4hIdcVSxypBKSHivB88GUUajla59lUcXNvtEzuhF0AH/2e+IM/j76E1noBjnjLAO AEX2d+wzw9kmxDX6RQQ+15FmbPVtThGEdNAb5bJ6CThg3h4gw5nqP/QYnalti4BK4EkE ax+UNPI3M1lyNLlbQsD+KQTPutgk2NiA7FqAe+Mk15FEpmeos3DwF3w60VzpP8e7d9HO NqRw==
X-Gm-Message-State: AKGB3mIeauIHTocwi7SNAYgy+k6B6E4yw+C49X9CX2LEZs/gP0g8Bie5 mgCklt4jwrtEinRH60iEgTksCQS657ZYZRDF7CjZUw==
X-Google-Smtp-Source: ACJfBoucmVeJNz+LPr445YRW4fXwMjdUZFhRgVkVhKDKVAgBfcENlTJZN0H7CiuTbh5k4MEhFI0VcRiJW2ziYOcKtts=
X-Received: by 10.200.8.56 with SMTP id u53mr23347526qth.85.1514008903790; Fri, 22 Dec 2017 22:01:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Fri, 22 Dec 2017 22:01:42 -0800 (PST)
In-Reply-To: <20171222173740.A73F3187069D@ary.qy>
References: <CAL0qLwa-D+xkRuvMpWZ5UQ71m3i09hp5+bO9nrX21f=X0Hjptg@mail.gmail.com> <20171222173740.A73F3187069D@ary.qy>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 22 Dec 2017 22:01:42 -0800
Message-ID: <CAL0qLwa9Oq3tgj9YPLfsrxLN_m10f3rzp9yGcdb1raNiStU88w@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a1144de92e5b7410560fbaa61"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/qtToZQJxCw-AlObM-FLgqemkWTQ>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Dec 2017 06:01:47 -0000

--001a1144de92e5b7410560fbaa61
Content-Type: text/plain; charset="UTF-8"

On Fri, Dec 22, 2017 at 9:37 AM, John Levine <johnl@taugh.com> wrote:

> In article <CAL0qLwa-D+xkRuvMpWZ5UQ71m3i09hp5+bO9nrX21f=
> X0Hjptg@mail.gmail.com> you write:
> >"Experimental" is perfectly fine.  As I understand it, EAI did that first
> >and went to the standards track after it had some field use.
>
> That is true, but it's also true that the standards track version of
> EAI is fairly different from the experimental version, mostly by
> leaving out a feature that didn't work in the field (downgrading.)
>

Does that mean going with "experimental" first was a good choice or bad
choice for them?

-MSK

--001a1144de92e5b7410560fbaa61--


From nobody Sat Dec 23 07:54:00 2017
Return-Path: <hsantos@isdg.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B489129C6A for <dmarc@ietfa.amsl.com>; Sat, 23 Dec 2017 07:53:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isdg.net header.b=bGkVy72Q; dkim=pass (1024-bit key) header.d=beta.winserver.com header.b=HEyNWzy1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U3RPqOExaVLc for <dmarc@ietfa.amsl.com>; Sat, 23 Dec 2017 07:53:56 -0800 (PST)
Received: from dkim.winserver.com (mail.catinthebox.net [76.245.57.69]) by ietfa.amsl.com (Postfix) with ESMTP id E8237127863 for <dmarc@ietf.org>; Sat, 23 Dec 2017 07:53:55 -0800 (PST)
DKIM-Signature: v=1; d=isdg.net; s=tms1; a=rsa-sha1; c=simple/relaxed; l=1958; t=1514044425; atps=ietf.org; atpsh=sha1; h=Received:Received:Received:Received:Message-ID:Date:From: Organization:To:Subject:List-ID; bh=2W5B0b66G/tW+s5MMfpeg+0pgeg=; b=bGkVy72QXm+Ni9sgFpR1Tv/IlbyplHtQz0QwNIx7WEt1qdrsuiVmqj00p07SDn DKq3PjtEn6Ky81rsLKS/05xE5qpkv10yMQKOzCNAV1yNHpvGsZ2BB4QQVYcU6fKn tiiLzaQWHHmjyJLfOyDalyFydd0PI7mJ82clOQfkZ+sm0=
Received: by winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Sat, 23 Dec 2017 10:53:45 -0500
Authentication-Results: dkim.winserver.com; dkim=pass header.d=beta.winserver.com header.s=tms1 header.i=beta.winserver.com;  adsp=pass policy=all author.d=isdg.net asl.d=beta.winserver.com;
Received: from beta.winserver.com ([76.245.57.74]) by winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 3913127052.1.1836; Sat, 23 Dec 2017 10:53:45 -0500
DKIM-Signature: v=1; d=beta.winserver.com; s=tms1; a=rsa-sha256; c=simple/relaxed; l=1958; t=1514044219; h=Received:Received: Message-ID:Date:From:Organization:To:Subject:List-ID; bh=1gU3Prs RkoNVHQcbM2u0mHoHq0yAZx+akUb4NXGmCsg=; b=HEyNWzy1oxD2wISDY1AL8vi t16IWhdwX1wiaer6Z7HuckZVu6RJGdzivFUa5hirM/LV2rZr1WE+/FBuXOZfKpHk dTFfU2G1DJdziJlBxLIuDSlJzgL/0GKpnlUvjo/huA3ub2IhWCXfc42hqbC+fvhh +i57et4dw1iBdnX+3Jww=
Received: by beta.winserver.com (Wildcat! SMTP Router v7.0.454.6) for dmarc@ietf.org; Sat, 23 Dec 2017 10:50:19 -0500
Received: from [192.168.1.68] ([99.121.5.8]) by beta.winserver.com (Wildcat! SMTP v7.0.454.6) with ESMTP id 3913060110.9.417328; Sat, 23 Dec 2017 10:50:18 -0500
Message-ID: <5A3E7C0F.7050803@isdg.net>
Date: Sat, 23 Dec 2017 10:53:51 -0500
From: Hector Santos <hsantos@isdg.net>
Organization: Santronics Software, Inc.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.8.1
MIME-Version: 1.0
To: dmarc@ietf.org
References: <20171219185440.AC8CF182B514@ary.qy>
In-Reply-To: <20171219185440.AC8CF182B514@ary.qy>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Hul44BdIaybcDPRu-Ppd3fxUYe8>
Subject: Re: [dmarc-ietf] Duplicate DMARC records and tags?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Dec 2017 15:53:59 -0000

We should probably add a "v=counter" to the DMARC syntax.  But the
odds are good that it will be screwed up too in duplicate records.

I think my software will read the first encounter of a DMARC text 
record and not seek for an "override" that could follow.  Not going to 
waste time to verify it.

We could add language in the future specification which suggests that
when duplicates exist, the harshest record (p=reject) will be used.


-- 
HLS


On 12/19/2017 1:54 PM, John Levine wrote:
> In article <20171219183616.GA6778@marwnad.com> you write:
>> Section 6.6.3, Policy Discovery.
>>
>> "If the remaining set contains multiple records or no records,
>> policy discovery terminates and DMARC processing is not applied
>> to this message."
>
> Oh, look at that.  Thanks.
>
>>> For that matter, what if anything does this mean?
>>>
>>> _dmarc.example.com IN TXT "v=DMARC1; p=none; p=reject"
>>
>>> In 7489 it says "DMARC records follow the extensible "tag-value"
>>> syntax for DNS-based key records defined in DKIM [DKIM]."  I hope that
>>> means they follow the DKIM rule that duplicate tags make the whole
>>> record invalid, but that could be clearer.
>>
>> The definition of tag-value syntax in [DKIM] section 3.2 says "Tags
>> with duplicate names MUST NOT occur within a single tag-list; if a tag
>> name does occur more than once, the entire tag-list is invalid." This
>> language could be repeated in the DMARC specification, but I don't see
>> any real reason to do so.
>>
>> There's also a formal ABNF definition in 7489 section 6.4 which shows
>> that duplicate tags aren't allowed.
>
> I see that, but unfortunately the DMARC ABNF doesn't match the prose.
> Section 6.3 says that unknown tags are ignored, but the ABNF syntax
> doesn't allow them.
>
> R's,
> John
>
>
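
The two rules quoted in the message above (several DMARC records at one name means no policy; a duplicate tag invalidates the whole tag-list), together with the section 6.3 rule that unknown tags are ignored, as an added example that is not part of the original thread or of any participant's software. The function names and sample records are constructed for illustration, tag names are compared case-sensitively as in DKIM, and the Organizational Domain fallback and the specification's extra handling of an invalid "p" tag are not modelled.

```python
import re

# Tags defined for DMARC records in RFC 7489 section 6.3.
KNOWN_TAGS = {"v", "p", "sp", "adkim", "aspf", "pct", "fo", "rf", "ri", "rua", "ruf"}
# DKIM tag-name syntax: a letter, then letters, digits or "_".
TAG_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")
# Only TXT strings that begin with the version tag are DMARC candidates.
VERSION_PREFIX = re.compile(r"v\s*=\s*DMARC1\s*(;|\Z)")


class InvalidRecord(ValueError):
    """The tag-list cannot be used at all."""


def parse_tag_list(record):
    """Parse a DKIM-style tag-list into a dict.

    A tag name that occurs more than once makes the entire tag-list
    invalid, so "p=none; p=reject" yields no policy rather than either value.
    """
    body = record.strip()
    if body.endswith(";"):          # one optional trailing separator
        body = body[:-1]
    tags = {}
    for part in body.split(";"):
        name, sep, value = part.partition("=")
        name, value = name.strip(), value.strip()
        if not sep or not TAG_NAME.match(name):
            raise InvalidRecord(f"malformed tag-spec: {part.strip()!r}")
        if name in tags:
            raise InvalidRecord(f"duplicate tag: {name!r}")
        tags[name] = value
    return tags


def discover_policy(txt_records):
    """Select a policy from the TXT strings found at _dmarc.<domain>.

    Returns (policy, reason). policy is None whenever DMARC processing
    is not applied to the message.
    """
    candidates = [r for r in txt_records if VERSION_PREFIX.match(r)]
    if len(candidates) != 1:
        # Zero or several records: policy discovery terminates.
        return None, f"{len(candidates)} DMARC records found"
    try:
        tags = parse_tag_list(candidates[0])
    except InvalidRecord as exc:
        return None, f"invalid record: {exc}"
    # Unknown tags are ignored, not treated as errors.
    policy = {k: v for k, v in tags.items() if k in KNOWN_TAGS}
    if policy.get("p") not in ("none", "quarantine", "reject"):
        return None, "missing or invalid p tag"
    return policy, "ok"


# Constructed sample TXT sets, one per case discussed in the thread.
SAMPLES = {
    "single record": ["v=DMARC1; p=reject; rua=mailto:agg@example.com"],
    "two records": ["v=DMARC1; p=none", "v=DMARC1; p=reject"],
    "duplicate tag": ["v=DMARC1; p=none; p=reject"],
    "unknown tag": ["v=DMARC1; p=quarantine; newtag=1"],
    "unrelated TXT": ["v=spf1 -all", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        policy, reason = discover_policy(records)
        print(f"{label:15} -> {policy} ({reason})")
```

Neither "first record wins" nor "harshest record wins" appears here: with the quoted rules, both the two-record case and the duplicate-tag case end with no policy applied.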



From nobody Sat Dec 23 08:21:07 2017
Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5BF812D7ED for <dmarc@ietfa.amsl.com>; Sat, 23 Dec 2017 08:21:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001,  URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=OZN58UJa; dkim=pass (1536-bit key) header.d=taugh.com header.b=NWJOzrZ7
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mnozO62pXy3x for <dmarc@ietfa.amsl.com>; Sat, 23 Dec 2017 08:21:04 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD546129C6E for <dmarc@ietf.org>; Sat, 23 Dec 2017 08:21:03 -0800 (PST)
Received: (qmail 6610 invoked from network); 23 Dec 2017 16:21:02 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=19d0.5a3e826e.k1712; bh=xBqyBPLuxEoO348MWqLZHV9TcFYEoaEabwwpgbdQVU4=; b=OZN58UJagChsBaEQ6CNWrmWxtTdcbaK0vK9W1AlLVFscNKXtIJukHFPlgJxqoSDPLO/9BjcNrhzdDsdztrw6Y32cOJZfcpibedYtq1/ko8wJ48XlLWiZLKaHnupw9Nt/fCo5YEJOVtn4VO9CVVWdldKFfYK2A2yZVoJDSG01tBqyqU6xbwZfmX/EFw5Px4QbZDipdGt/eFuLk/UygXZ2MvNmx1Cwmu72GXQfTQCgQhwas5ji7s2GZWrb7XRqim5l
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=19d0.5a3e826e.k1712; bh=xBqyBPLuxEoO348MWqLZHV9TcFYEoaEabwwpgbdQVU4=; b=NWJOzrZ7n8rgcDX22cgnFpc8oGEkYJTm63qcPQs4ZKfw760v7rJ7HPDcxXJURfAol+Sok29/RabncntfVAAIEAC3mJvC83mhltCupF2vPGiWYLjU8WpfPoJMlj/TDeRDFcCRfkMyxsxlQvfwwYLI9Y864kmafpY+bv94rCUNzM0YpRfUFdTJYitYwFkpflS8+9TCjwsMhLS2kOlSmy3eWVcWt8dFi0fGEnlsjGa9EhIVlbMwKy4D1d6QMXHJS0bg
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 23 Dec 2017 16:21:02 -0000
Date: 23 Dec 2017 11:21:02 -0500
Message-ID: <alpine.OSX.2.21.1712231113320.11911@ary.qy>
From: "John R Levine" <johnl@taugh.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc@ietf.org
In-Reply-To: <CAL0qLwa9Oq3tgj9YPLfsrxLN_m10f3rzp9yGcdb1raNiStU88w@mail.gmail.com>
References: <CAL0qLwa-D+xkRuvMpWZ5UQ71m3i09hp5+bO9nrX21f=X0Hjptg@mail.gmail.com> <20171222173740.A73F3187069D@ary.qy> <CAL0qLwa9Oq3tgj9YPLfsrxLN_m10f3rzp9yGcdb1raNiStU88w@mail.gmail.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/U2mHM2cn43WffV8RXE3LYYbNWc8>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Dec 2017 16:21:06 -0000

>> That is true, but it's also true that the standards track version of
>> EAI is fairly different from the experimental version, mostly by
>> leaving out a feature that didn't work in the field (downgrading.)
>
> Does that mean going with "experimental" first was a good choice or bad
> choice for them?

For EAI it was the right choice.  They invented a brand new two-part 
address (Unicode and ASCII) and didn't know whether it would work in 
practice.  The experiment showed that it didn't so we took it out of the 
standards track EAI.

For ARC I see two unknowns, a minor one about how to do algorithm 
rotation, and a major one whether its audit trail will be adequate to do 
un-DMARC-ing.  For that last question I expect there could be one answer 
for mail systems large enough to have their own models of where all the 
mail comes from and a different answer for smaller systems.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Sat Dec 23 09:56:44 2017
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14778127275 for <dmarc@ietfa.amsl.com>; Sat, 23 Dec 2017 09:56:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level: 
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aX3YIrtpTwm7 for <dmarc@ietfa.amsl.com>; Sat, 23 Dec 2017 09:56:41 -0800 (PST)
Received: from mail-pl0-x22d.google.com (mail-pl0-x22d.google.com [IPv6:2607:f8b0:400e:c01::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7AC3C12426E for <dmarc@ietf.org>; Sat, 23 Dec 2017 09:56:41 -0800 (PST)
Received: by mail-pl0-x22d.google.com with SMTP id z5so14642134plo.10 for <dmarc@ietf.org>; Sat, 23 Dec 2017 09:56:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=pL5ezdSXWe6ASAnhE1vAlhhyfo6si0L/J5fTV8oKUw0=; b=d0IRyRF5j0VcZcOL3ve82rtfXFQT9GuMV+cSaYOEoldUHEdVgQ/qhN9MDEngfs7jGs FWitzZsbU+XAHZMzGunPoxxFM67xp2aZuQKmQ5BzavCFt5oMjHmHDegDDgdlgOFLnTdu XsTKu0lxCKWj4jE3nXrchXKF3FhM+ogB97QGRsC70/COlMEVqAf91WmiqwBgvHA0T54i RYCfzT4+uPKbp5Ep93ZqBKw2xY4zugTrhroJpgr2ukkLe92P9g+SqzK+onCylwmVuJTH 3DikMU9KdZ8Dwy/bkiAIJaRcilos52DcyHCH5cpakLalnZsdmIj8sYOq6AXXCFSG3Rql FpMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=pL5ezdSXWe6ASAnhE1vAlhhyfo6si0L/J5fTV8oKUw0=; b=PFdjhatRrfDMvHghGNXizcFtMClQ0AHaUgcV9sFY+t0a13InjZ65gF37kR0kd3HlT3 EQDHHG07FUhG7Si0/S2HYDNjdJRyicWZKfaH5kAiSVXBFyoyuXTaSnagUP3cN8LNCIOJ +4VeOIrzaJKIUMBokl+RBh/ppaQC768yMdsJjngq6k+eofYmw9h65qzFKC2d0+56UD76 Vs2loeKQ05N8AKwgROMxnR1fuZkCL+7kpUtYqUAzrWYoO9o3tq/U7nat06eHjg6Tu11g T2tLPMNFy/rNv2vjqblwANVG9vWi5zNto6njAOZ/LfNMhnNh+8a8PEK1gKveSHlxc+J0 ybGg==
X-Gm-Message-State: AKGB3mKg3qJTxkB3eysacLjBPKl8Tm3V5QXj+d+38MfM08Uy/a1hz//3 N/gQMG9rHu4XTr58QsxSNNVTgSbA
X-Google-Smtp-Source: ACJfBouG/Bxd9ajl2ctPEL++DeL1YUWxo7wMPMe060ydUU+irDaWRHUHIzR8HindikLK4hLic2dKEQ==
X-Received: by 10.159.231.19 with SMTP id w19mr18068280plq.45.1514051800303; Sat, 23 Dec 2017 09:56:40 -0800 (PST)
Received: from ?IPv6:2600:1700:a3a0:870:c4e8:d795:bbab:6d47? ([2600:1700:a3a0:870:c4e8:d795:bbab:6d47]) by smtp.gmail.com with ESMTPSA id q9sm54698079pfl.116.2017.12.23.09.56.37 for <dmarc@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 23 Dec 2017 09:56:38 -0800 (PST)
To: dmarc@ietf.org
References: <CAL0qLwa-D+xkRuvMpWZ5UQ71m3i09hp5+bO9nrX21f=X0Hjptg@mail.gmail.com> <20171222173740.A73F3187069D@ary.qy> <CAL0qLwa9Oq3tgj9YPLfsrxLN_m10f3rzp9yGcdb1raNiStU88w@mail.gmail.com> <alpine.OSX.2.21.1712231113320.11911@ary.qy>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <2aab7afe-b3f7-2519-7bea-8108b9989d12@gmail.com>
Date: Sat, 23 Dec 2017 09:56:14 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.1712231113320.11911@ary.qy>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/L1oXFC6SMA5vC8uX7f1WXK35Dz8>
Subject: Re: [dmarc-ietf] Algorithm rotation, New drafts of ARC protocol (10) & usage (03) posted
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Dec 2017 17:56:43 -0000

> For ARC I see two unknowns, a minor one about how to do algorithm
> rotation, and a major one whether its audit trail will be adequate to do 
> un-DMARC-ing.  For that last question I expect there could be one answer 
> for mail systems large enough to have their own models of where all the 
> mail comes from and a different answer for smaller systems.


Can't remember whether there was an explicit list of 
unknowns-of-interest for ARC, developed previously.  The above look like 
very good items for the list.

What else should be evaluated, during experimental implementation and 
deployment?

d/

-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net


From nobody Thu Dec 28 13:27:13 2017
Return-Path: <jazzme48912@yahoo.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4994212762F for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 13:27:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.191
X-Spam-Level: *
X-Spam-Status: No, score=1.191 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLYTO_END_DIGIT=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C6nh3CSN5hRs for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 13:27:11 -0800 (PST)
Received: from sonic310-14.consmr.mail.bf2.yahoo.com (sonic310-14.consmr.mail.bf2.yahoo.com [74.6.135.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29E59127444 for <dmarc@ietf.org>; Thu, 28 Dec 2017 13:27:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1514496430; bh=XIvkaDk2cc8EAke/wv9tzlJ+wQOyozsRJaeiOQ8w/XQ=; h=Date:From:Reply-To:To:Subject:References:From:Subject; b=YokocZC+5XycuKC6wp8bHjCjYNgoGiaF2+95VRO2y/lso+Cz+KFNe/XtKzUhFRMV7ne6h4gsHo/hwE6mnllOp2GHij5FLYCpbCAkPNNBmzDw73+8jnqmsiMEQ7H6fMFXwg3WOdxdpSla/1Gv6zpzKL7eIsfHrLlEpiwASdTf7IOaSnfNSvgtc9w50eZxgpnu+E/VRHE9TA4S9I6yqc14TJstcsOMZwIwzqp/Is7WlYlQPybpUM1MuPmFUjn4dvtek1q8VtAC8yN9+iwNP9wzaOPn9sxCMC32RvOuCFFFb9sPRZauUGk4w4lDHEZEqGDJp9GT3dCgA3HZobGento+7Q==
X-YMail-OSG: FULnqWgVM1luz4ZSHKJQFuWpsHaZEp9.t_toVozq6s8y2_MV73kbxwbZqZV2Uzz 493mF7Q4.xbJJp7RgY8DWdOMcTeHmwFT3NHhl_Bbzw67OM544saWSa_Y1n92_QIsd0fdaJtno61P Hxep4wvPBS5fq294hxuqOO16LSxW7ya2tmKHB1GWvfkiUTSutlIGfXFjD4uPwQCaHWPBSI._bg_4 OKWMsG8pAbMcXPrqqcuONwF387jZDYUJzcd7_hOcEqmXiGCfOrdXTH4abevM6dKYzXzxgaYX1Nz1 ZmGdLC6x0hO4Zo12YaD.J3H0YsIK.24hvjciMoo.QH3RjagerwML7T1WoHZ3plX.HC8J4LuVM7NG umPTqa3hi4TmG_m1wPSosh3xEyXZB2_2NG7tjtM3SSP8ht2iSNJVR_ZMajqxKtLOThmwejmDorqV dgFZ_vhyqwQU1QPpjS4XF9GcsABJDENxtkaR6.upZVced4lmndrpM7dg7D8ZLOTH.W2rVk.Xv7si FZagkvdvSlyOjKrITMi0M8hMFi65ExAYIg0b_EIUz3N4-
Received: from sonic.gate.mail.ne1.yahoo.com by sonic310.consmr.mail.bf2.yahoo.com with HTTP; Thu, 28 Dec 2017 21:27:10 +0000
Date: Thu, 28 Dec 2017 21:27:08 +0000 (UTC)
From: eugene hayhoe <jazzme48912@yahoo.com>
Reply-To: eugene hayhoe <jazzme48912@yahoo.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Message-ID: <456922447.6179584.1514496428897@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;  boundary="----=_Part_6179583_173039696.1514496428897"
References: <456922447.6179584.1514496428897.ref@mail.yahoo.com>
X-Mailer: WebService/1.1.11051 YahooMailNeo Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ygWvHK5z5sHvBRsymOw0CRB_cj4>
Subject: [dmarc-ietf] Being bounced from the dmarc list
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Dec 2017 21:27:12 -0000

------=_Part_6179583_173039696.1514496428897
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hello -
It sure is weird and surreal to be dropped from the d-marc list for bouncing too many emails when the ONLY reason I joined years ago to begin with was to keep abreast of the 'reconstruction project' so that I could learn when I could re-join the LOC email lists I was dropped from for too many bounces. I sure wish I could get back on the LOC lists, I miss them, sigh...
Eugene
------=_Part_6179583_173039696.1514496428897--


From nobody Thu Dec 28 16:15:48 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAED91250B8 for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 16:15:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level: 
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ufbw-H94Kdxe for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 16:15:44 -0800 (PST)
Received: from mail-ua0-x234.google.com (mail-ua0-x234.google.com [IPv6:2607:f8b0:400c:c08::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 988441200C5 for <dmarc@ietf.org>; Thu, 28 Dec 2017 16:15:44 -0800 (PST)
Received: by mail-ua0-x234.google.com with SMTP id l36so29100294uae.4 for <dmarc@ietf.org>; Thu, 28 Dec 2017 16:15:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=xcTH0mri5F599x4cL4i3wMiSDeTMXFbs2BsaLkkgHyk=; b=BZrlPgTR8J+NKm1dzMxJPnlBcD9wJcL2ZT+hikxrxGQVpXSuHEadjd+F5WRE16qNzL ZXN/QuK6hzP80h6rKczTSFQFJv/puasGgMZ0uQyqZbusFUkuqAYu3XQ0NiXKF3V4lJDg 70yhkdeg6pvGHiB4uIwZQW86gNvrIapIpNVdyLh8V12Ewy9aBAJhijPLE8yRKMKwJGzL PTRD9uMgCshbCWWu3OGno3HoZe4s5+W/qM0mQKqfTMYKWGADmj0+kitgYRjV+52gRcA8 RM9C8AnwSsyVy92BXgzxsEeJrEgBQiiQu5/9hc1NE7yQpYhmb4SbjyD9hUqXW0u/Dusy zoTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=xcTH0mri5F599x4cL4i3wMiSDeTMXFbs2BsaLkkgHyk=; b=hVSNb7rdZFlRfRuSYW3i/rTqvLpznTih09L2pCdV8Kbswt/0qWYaDT3yzVWd/sWwLt F9mf+HpwbmCWaqA8jVN2pyVp/Iap2oZgfip99RnmZMZd0LKFnltFALN3RsCCTtAL0kbz Lvh7ZMwvxTp2L2kbMflxFT3XmzYe8ZEL1UBc3JCVMgY/6r2NASy4IZijQIvN+EuNm4Nd csVCNLlLybcuWuXxgOiWK9LOQ862/kIWyEogRyOkwDCFXhwB+eBM8nXR4ofj45KYa2z6 9Tiq7jWYMk36kCXydNFcK+hS2sP0uv+p3hrMKh9hJaICetnVr4b+nOV5K0X5QUJHMTuF eufw==
X-Gm-Message-State: AKGB3mKI/dyvmKMGTBkynmGzA9cdib6y4bWMWBPR5gItrvAWlrk4c0mk seXpvreR1i6qtEiUHhDzwF34vslHND1Ru7A2fnArnLPuNss=
X-Google-Smtp-Source: ACJfBovs/RIGQYfCtmXu2oMHzId2YyUDCTo3a69nnCxLBdsnoqHPPbTXvTYaQgxCsHhmLXCoPifor6zNElWk0ufr5K8=
X-Received: by 10.159.49.88 with SMTP id n24mr36593985uab.116.1514506543384; Thu, 28 Dec 2017 16:15:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 16:15:22 -0800 (PST)
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 16:15:22 -0800
Message-ID: <CAD2i3WM5DeJfmZMrFGNoGbhn6zVix2JR5PPbFgsMEtXrE+9QNQ@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="f403045dd5d887608c05616f88e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/9YfCTNgMScaNcUYpNJpFO9abb20>
Subject: [dmarc-ietf] ARC draft questions (speak up!): Experimental Status and Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 00:15:47 -0000

--f403045dd5d887608c05616f88e6
Content-Type: text/plain; charset="UTF-8"

I'm beginning a new thread to explicitly address some differences of
opinion in the working group.

Coming out of IETF99 and surrounding working group conversations (
https://mailarchive.ietf.org/arch/msg/dmarc/5_OP8lVi-a3yHMS0hqs1clyLWj4,
https://mailarchive.ietf.org/arch/msg/dmarc/4Gu1EErK4iuo9pQnZ-uJ2tKpMDQ,
https://mailarchive.ietf.org/arch/msg/dmarc/X-3nVPUQgIy-AGt4tJfkbPZZTjI), I
was under the impression that working group consensus was that ARC would be
submitted as an Experimental draft.

I know Kurt has very strong opinions that we NOT proceed as Experimental,
and I wanted to make sure he got to state his case.

That said, regardless of outcome, I think the Experimental Considerations
belongs in the primary draft and not the usage guide. When reading the
draft, it is unclear why certain decisions were made or what their impact
will be (and there are several questions that any savvy reader will
immediately have), and this section makes these clear to a first time
reader.

So:

1) Unless a chair speaks up that consensus is already Experimental, we
should have the conversation now and nail this down.

2) Unless there is opposition, I'd like to move the Experimental
Considerations out of the usage guide into the primary draft. We can easily
revisit how the section is titled if the outcome of #1 here changes
anything.

Seth

--f403045dd5d887608c05616f88e6--


From nobody Thu Dec 28 16:45:16 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27D3C120724 for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 16:45:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BINbcmcaJZBs for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 16:45:12 -0800 (PST)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D9A41200C5 for <dmarc@ietf.org>; Thu, 28 Dec 2017 16:45:12 -0800 (PST)
Received: by mail-vk0-x230.google.com with SMTP id x64so8974647vkd.6 for <dmarc@ietf.org>; Thu, 28 Dec 2017 16:45:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=J/q0Gh8aRh5HNFZfvqRQ1XvJjJNC4uHTMEeWyyaAQIk=; b=BCO2LWEFNGS+v2YpLlL/705ST3g2kIFce1rR52kTUsMCgFg/62sTeZMOov0qlS6na+ RxuDFs1zsaRU+iG1p3IVPWBLISHNV1DtwB97Zmy0RtN7e1fPKoRyvu8Qb5ypKe4xb6sb vZje9nU2i+QHuM123GTF7Jh5Ez8/Q+0wanNa830pXNRQADC5nGvSdxaBzw0c/Z7re5R5 gouajXYjP9zIR9KMyl6ueTCVYuMQTM+Pkbvc0wqk3jBaI+7uk/ypNq/mDx+mrvfzx79y d1Phy39nQeQjgx3wZph88EaLcbksEEtMmt6ybqo5MIyFnv1LHcRO2ws/4KlvaVXrRyhc PP/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=J/q0Gh8aRh5HNFZfvqRQ1XvJjJNC4uHTMEeWyyaAQIk=; b=fw/wfCKTS9/0Yi0uWvDBx/oQdjbXNNtufcmqziGAZLW7rRi7gBoasKtg9EhLveAZ/6 9OZi9l30EpC0My+bYwm3qmVcKf9WfHrnxjvGZ0fhJVoTEPsAjh/4AxIC/6PRUYP34rCP hLDh6Xwqb+LPB718Ywsh6ASWs09fhbad7f+1x0aybXKjyEekClfl7byu0YyVlvwv6tgz l5+mNb6vKZeHtkCnyPcWGrty1W6YfKVY8uwiwkDJeYwkKNFCj5xsANp8KB7eFTdQL0xk H8FHKTxw4cfmbQzr1hdKZlGybqXgCej3W+Ht5oFZM/iBzNNpyWQVeg4Qiny89PYoxEGr tNXA==
X-Gm-Message-State: AKGB3mLvIHrurAmveiyvlY7S8y6bP/vU3j+G8vCIwS7ayaRptr0S6N2w VAjVi2Zis4sAYk+S59qdv0p5CxCuArtVgxYgUZdl2wT6MTQ=
X-Google-Smtp-Source: ACJfBou0BLaa25uPpbJiqYdVy58XLStq/rf6FHAajmVLMFI/ousOE5lRrCSPSS3zS6IA3kqqa9zQr48VfyLZzS+KoSY=
X-Received: by 10.31.73.135 with SMTP id w129mr33012165vka.129.1514508310826;  Thu, 28 Dec 2017 16:45:10 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 16:44:50 -0800 (PST)
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 16:44:50 -0800
Message-ID: <CAD2i3WMw5SJEJ7oFLAD9m4xviC66_SRO3mGLKViY=3bvAruSyw@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114dddd8e06a6505616ff116"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RLJyRxIdN7_a2kuqbeym4V8Uieo>
Subject: [dmarc-ietf] ARC draft-10 protocol elements section and question about reducing section 8
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 00:45:14 -0000

--001a114dddd8e06a6505616ff116
Content-Type: text/plain; charset="UTF-8"

Sections 4.7 and 4.8 from my proposal (
https://mailarchive.ietf.org/arch/msg/dmarc/yl1HWdNbmQR1wHlCvG3eRl9ph5E)
were not moved into the protocol elements section of the latest draft (
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-4)

I spoke with Kurt, and this appears to have been an oversight.

To be clear about the protocol elements section, I've cribbed it from DKIM
and proposed it to:
a) provide context for the entire ARC Chain
b) define protocol components that are not specific to only sealing or
validating the chain

As such, I believe both the concept of chain validation status and the
ordering of hops belong in protocol elements.

This also opens the question of where Section 8 (
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-8)
belongs. This section now feels more like a kitchen sink and implementation
guidance.

I would suggest:

8.1 be stricken as it's a normative modification of DKIM, or replaced with
language to the effect of "ARC MUST be the last signer of the message;
otherwise it cannot be validated on receipt." which can go in signer actions

8.2 should be moved to protocol elements

8.3 to signer actions

8.4 to verifier actions

8.5 should be stricken (this is bad advice that could result in
backscatter, and I'm unsure where it came from, I can find no working group
conversation around this)

--001a114dddd8e06a6505616ff116--
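
Added example (not part of the original message or of the draft's text): the hop ordering and chain validation status discussed above, written as a structural pre-check over ARC header fields. It assumes the usual ARC tag names (i= for the instance, cv= for the chain validation status, with cv=none on the first hop and cv=pass on later hops); the function names, the 50-hop cap and the sample headers are constructed for illustration, and signature verification is out of scope.

```python
ARC_HEADERS = ("arc-authentication-results", "arc-message-signature", "arc-seal")
MAX_INSTANCE = 50  # assumed cap on hops; use the limit of the draft you implement


def parse_tags(value):
    """Split a DKIM-style tag list ("i=1; cv=none; d=...") into a dict.

    Elements without "=" (such as the authserv-id in an AAR) are skipped.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def chain_structure(headers):
    """Check hop ordering and cv values of an ARC chain, without any crypto.

    headers: list of (name, value) pairs in any order.
    Returns (status, reason); status is "none" (no ARC headers), "fail"
    (malformed chain) or "ok" (well formed, signatures still unchecked).
    """
    sets = {}  # instance number -> {header name -> [tag dict, ...]}
    for name, value in headers:
        lname = name.lower()
        if lname not in ARC_HEADERS:
            continue
        inst = parse_tags(value).get("i", "")
        if not (inst.isascii() and inst.isdigit() and 1 <= int(inst) <= MAX_INSTANCE):
            return "fail", f"{name}: bad instance {inst!r}"
        sets.setdefault(int(inst), {}).setdefault(lname, []).append(parse_tags(value))
    if not sets:
        return "none", "no ARC sets present"

    top = max(sets)
    for i in range(1, top + 1):
        arc_set = sets.get(i)
        if arc_set is None:
            return "fail", f"gap in hop order: instance {i} missing"
        for header in ARC_HEADERS:
            if len(arc_set.get(header, [])) != 1:
                return "fail", f"instance {i}: need exactly one {header}"
        cv = arc_set["arc-seal"][0].get("cv", "")
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            return "fail", f"instance {i}: cv={cv!r}, expected {expected!r}"
    return "ok", f"{top} well-formed ARC set(s); signatures still to be verified"


def make_set(i, cv, domain):
    """Build one constructed ARC set; signature values are placeholders."""
    return [
        ("ARC-Seal", f"i={i}; a=rsa-sha256; cv={cv}; d={domain}; s=sel; b=PLACEHOLDER"),
        ("ARC-Message-Signature",
         f"i={i}; a=rsa-sha256; d={domain}; s=sel; h=from:subject; "
         "bh=PLACEHOLDER; b=PLACEHOLDER"),
        ("ARC-Authentication-Results",
         f"i={i}; {domain}; spf=pass smtp.mailfrom=example.com"),
    ]


# Constructed sample chains (newest hop first, as headers are prepended).
GOOD = make_set(2, "pass", "list.example.org") + make_set(1, "none", "mx.example.net")
GAP = make_set(3, "pass", "list.example.org") + make_set(1, "none", "mx.example.net")
BAD_CV = make_set(2, "none", "list.example.org") + make_set(1, "none", "mx.example.net")

if __name__ == "__main__":
    for label, chain in (("good", GOOD), ("gap", GAP), ("bad cv", BAD_CV), ("empty", [])):
        print(label, chain_structure(chain))
```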


From nobody Thu Dec 28 16:59:21 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 327B0120724 for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 16:59:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W4wsfEDwLLSp for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 16:59:18 -0800 (PST)
Received: from mail-vk0-x229.google.com (mail-vk0-x229.google.com [IPv6:2607:f8b0:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48DB31200C5 for <dmarc@ietf.org>; Thu, 28 Dec 2017 16:59:18 -0800 (PST)
Received: by mail-vk0-x229.google.com with SMTP id s139so25453776vkb.3 for <dmarc@ietf.org>; Thu, 28 Dec 2017 16:59:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=IrVU6EctnFeTe8msU8m338xIytjAXRvePUSbLPa2z28=; b=q/2NvRwH6Q27rB5b9MX1syLO0tCZAJ6mjE8TuPWQ+dzon8f78VO4iS0pSUV5dTj0Jp 840vnfz6OVzQ3X59q4PvVk5TlLVhfHYzl27AShCTQXmSMNoOlEOem1c5vZTG1b9+Z3Kl hxRYFmqDHaIizZYTath0znUK1DGWb0nrQ392PWWnSHHZuPy9EDPPaDUkM2VEC2y+8F9F y6X3AphMWP4HiDnB6ZQoqY+f9EIam7NvHUjOR6TQ3om5N0Ey8kysdKYZTXz7Rdn3Q2Xi K79Nzp/DZYuoc7H3bNhkjoCY5r95VjosE32sqI/KHhW7dkzJC8L7zCTQg5+Fr4zyfLMA OEVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=IrVU6EctnFeTe8msU8m338xIytjAXRvePUSbLPa2z28=; b=RcSFwZKpuWbGfC93OPgMY09ElUoN4HSe+nIb/qZL20tkmhn6AdJ/eIt62g97FRO9Oh YCxvO8iJHQFcmSOboT3I3LPwaTV7K9eynYcl41JN8fzyW9ZDzE9KPJ4lwTDVeZuAPsRW nA+8NjTLZRNg7X18jwXvrQu5a3yPFf8NZmJ4QgcMbYKopx7Tk+Nbi42VEZpr1ySti6bS YaQ1eGu+5EdkR6et1Ipjhdijf/3d1BBJkjNwL/LTHfHeTv2RmCGeHWeDWDPJjlqH5Fib dH7HM9wCpEtWtaqXjtB/Twq5pVSLXVN6nskivPBTp5MKnnCycaSfbo6Hjj7L3ZoyrtKd /oXg==
X-Gm-Message-State: AKGB3mLc0EKtWBYZfP3tFtdzThsRTIpiC+ivtq8Terl3twPDWUNqnY+g br+lSMVwtyVgSiQYMIY4y8+GmXR+pOMJelUn+kdGGs0BOZs=
X-Google-Smtp-Source: ACJfBot9s6/6149DgjxFjIF1exhVAG3fFkJx5YgLuFhbI/YZVplxCv1v9b/fKxuCyqEfeYEVQNrgyV1d4BT0ZrD5ros=
X-Received: by 10.31.73.135 with SMTP id w129mr33036553vka.129.1514509156982;  Thu, 28 Dec 2017 16:59:16 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 16:58:56 -0800 (PST)
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 16:58:56 -0800
Message-ID: <CAD2i3WOgWJg+aGkarDg2iwCCKBbk0Uj6nENFBS_Rk++qqeR7pw@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114dddd84fabd60561702457"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/72GKJ1mMd6Pc5_DWYGgnLE-Uzxw>
Subject: [dmarc-ietf] ARC spec clean up if 7601bis proceeds
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 00:59:20 -0000

--001a114dddd84fabd60561702457
Content-Type: text/plain; charset="UTF-8"

If 7601bis proceeds to allow content for filters in addition to humans,
then I believe the actions in the ARC draft (
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10) are as
follows:

Section 5.2 is cleaned up to inherit AAR ABNF from 7601bis.

Section 5.2.1 is stricken.

New IANA registrations (I'm pretty certain this is wrong!):
authentication-results methods: dkim header.s
authentication-results methods: arc smtp.client-id
authentication-results methods: arc chain.closest-fail

authentication-results results: arc pass|fail|none|policy

After this, I believe most of section 9 (except 9.3) can be stricken or
greatly reduced into verifier actions.

--001a114dddd84fabd60561702457--


From nobody Thu Dec 28 17:10:43 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 954E41270AB for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 17:10:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3WPX_QJEqRfO for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 17:10:40 -0800 (PST)
Received: from mail-ua0-x230.google.com (mail-ua0-x230.google.com [IPv6:2607:f8b0:400c:c08::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7A471200C5 for <dmarc@ietf.org>; Thu, 28 Dec 2017 17:10:39 -0800 (PST)
Received: by mail-ua0-x230.google.com with SMTP id l12so1726738uaa.10 for <dmarc@ietf.org>; Thu, 28 Dec 2017 17:10:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=iS37kM7XzfFSzT2rO/P2x1BLjZCj1t/qKTK52YpcNlY=; b=TN8yx0cfi8Jc2xtzJjLE6ELf36mwZ3CT6PEI0vXktYwOPVL6qapEO9zdVYl25X0uWP toZ4YjmF5RrfH0DsoodT+Ae+7KLoj4I/eiVpUbflSZiivpN6tg4oXogNJh5B3REz5wwi mPkD59/iA8SemjfROBJJhzIc3LvxhaMfZEEUzBzvq7AXxIUE+H0ynE1wd/E8f3m8qhCj oscvam/MxY0NnbnlRtz3r+jazvaYDjQpwiEkP/Xy3JmMBE5XoI4n3+xhxdTynSxkNVEM zVCS/Onlaf2JNQ4hf4NwE8CFblMmPlfvuwQD3cRCLQKjnrreDjHBJUD3FEBrYhRdcuhm Dljw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=iS37kM7XzfFSzT2rO/P2x1BLjZCj1t/qKTK52YpcNlY=; b=JV24ukxnFeUYaARvtzhkli1kU3O+gqNYTN9hG5O9Sd0/bCYHLXOrJ1vQPSNF5PrEfe qqphxlJCUEPvCQ5W1A/sW5/wlW+nsp99iGq6WtqhJvpzI3EhweOXAYt7kMmKgDfLKZpn DCIhgfP4VXnjvzt6JnHNPTfOBAuRedyNPvxmbOdaYiKOJhnfpV0t10Y8B+HOcSiVCWbs hSVmsfqNcbq5ZXwxMhEu9//O62Sce6MCOn6AzI+akuD5ltoa2mzRV8P13WDsx1qDGX9N AtkJuWDfj7XObVM10/IwoBSBzBqJ0qREheHhnBaB70UYvng7Lfiyu6zcG4dqk2SLngZ2 hGTQ==
X-Gm-Message-State: AKGB3mJxBEB8L+pQ0BK4iCpizmU5uwjthmzFliX7lt0lcDhg5eikAm+O ujW9+Hnd6RXW4+V2HBS2g5H9hVg5nQKStEaFUO9Mc/6U65E=
X-Google-Smtp-Source: ACJfBouLBSF+3wqXW0Pib9lcY5ff2/0mqOBYEXp0vr9qJbm4ZRmpu/3D+8gQjPwMhqYjhg83oKoKvBpLfXJC9I/YDqc=
X-Received: by 10.176.83.140 with SMTP id k12mr6457292uaa.97.1514509838725; Thu, 28 Dec 2017 17:10:38 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 17:10:18 -0800 (PST)
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 17:10:18 -0800
Message-ID: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="f403045e32fef2473f0561704ccd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/C6758lwEvYsDX-SmSzngFNeQJIE>
Subject: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 01:10:41 -0000

--f403045e32fef2473f0561704ccd
Content-Type: text/plain; charset="UTF-8"

This got buried in two other threads (
https://mailarchive.ietf.org/arch/msg/dmarc/E9fOn8dIEiFqQJBz1GyFUimWVcM,
https://mailarchive.ietf.org/arch/msg/dmarc/Bv55cS12p41j3XhWzuu5RybvzTA) so
I'm just raising it to the top level.

Algorithm rotation is clearly more complex in ARC where you only have a
single chain than with DKIM where you can just affix multiple signatures.

That said, section 10 of the current draft (
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-10)
feels clunky and itself says it needs more work.

Assuming we're proceeding as an Experiment, I propose we address rotation
in a separate draft.

--f403045e32fef2473f0561704ccd--


From nobody Thu Dec 28 17:21:35 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 313101270AB for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 17:21:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOmgyiRvIAEb for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 17:21:31 -0800 (PST)
Received: from mail-ua0-x22d.google.com (mail-ua0-x22d.google.com [IPv6:2607:f8b0:400c:c08::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 866FA127011 for <dmarc@ietf.org>; Thu, 28 Dec 2017 17:21:31 -0800 (PST)
Received: by mail-ua0-x22d.google.com with SMTP id q22so17205335uaa.9 for <dmarc@ietf.org>; Thu, 28 Dec 2017 17:21:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sethblank-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=WkqN+61Oh7c9+sbkWqJ4a9a41Sw/c3lFwj7LfPHAezA=; b=H8gNlFEmAbpiYhhE+AwADZrPB8ZfcUn3TJq6Yic4edfmzBRjxghGMRA5VBFad9cfnr W/674f5fzDeHlWPNO2J3bxVXz7Y2w5IPA5JR+Y+aDkKzHEhw0nnYQj7K4GOe1XxbxLNu aR2k3Tf5K5rWNldILWQgnxbzsHFQUz4qbc9NB9VQ6PCkCd4hFXgfrmJD2VyK+TaUDtP3 ubBe59MCbRFgbCBgy5HMZA7s+2ODM8iOsLeXT++UafWcfRjjWXkLKThG8CBnG8+QWD3S Pm+5RyZSRjdqSJCrv2+2lXdqxQIiucBokyorCWNj8CwHfEb+KbDTF9Jp4081NP07MR9H V7Og==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=WkqN+61Oh7c9+sbkWqJ4a9a41Sw/c3lFwj7LfPHAezA=; b=HALrUwgWinlRi/dmRTkEbbM76iUb9NCWTupxG1/fvtkz832n1DSVlgkmuyHvG5dEVb HGvWojo3SBfih0W49zoPzwKoKo0pSIBQQj+x343Zf1kHSGxQwgZDx2lDzzrIodRLsQfJ u1y/u/dBBGfkist5RJYv+zmZIEM1Z8DxyvCs0IsupLKk+KQW+kcRqKjgCu2c24Ei/j31 I567kZ9dc6vabjCIG2B2Gzkk2yHxB16Kkku97+h0BXB85hyvq99TR7youDV+3HxBqksC LMWMUM/5WRIf5ijWPcrnHW5p/XLfqzrvp/Ur5e0f9wVRFelYQJcEBipDZ1YQT04Ys3SW rKmw==
X-Gm-Message-State: AKGB3mKL+JQSpiXkMhx8q2NJ6vezHoLCyAqcGbulJs9Dt7ZPPs3cnPiA zLFEPJe7jxxCY4CHJfZEqaQGIXM7dhNz+6sfR0eUmuiq8y4=
X-Google-Smtp-Source: ACJfBov1Uq84uLa7i0Ij30hStxCgfGL3Nh+mQobPJM2mwhXHMfnqRKuWxgCxjGl9n1l/fRvmRFaO7R7tVq3uiuhzi7Y=
X-Received: by 10.159.49.88 with SMTP id n24mr36729218uab.116.1514510490301; Thu, 28 Dec 2017 17:21:30 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 17:21:09 -0800 (PST)
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 17:21:09 -0800
Message-ID: <CAD2i3WNB5UUz+z5L5rNEG7T5pMx_ea6UANZerfQ78BKUevHBWw@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="f403045dd5d8c8995d0561707326"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/kC_jt12sawQq-UuULJaaYoZr6_s>
Subject: [dmarc-ietf] ARC draft-10 Security Considerations - questions and request
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 01:21:34 -0000

--f403045dd5d8c8995d0561707326
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-13

Beyond my notes below, the Security Considerations section feels weak, and
like it should at least inherit DKIM's security considerations.
Additionally, there have definitely been items called out on this list
(like the ability to do an ARC replay attack) that are not yet represented.

Are there strong opinions about other items that should be in security
considerations? I'll be going through the list archives to see if I can
find orphaned items that should be included, but please SPEAK UP if there's
something obvious to you.

My concerns/questions:

13.1: I don't understand how this is a security consideration. However, it
might make a good "open question" in experimental considerations.

13.2: It should be noted that verifier caching of DNS responses renders
this type of attack weak, only systems that validate ARC Chains that do not
cache DNS responses will be susceptible to an attack here.

13.3: this doesn’t make sense as a security consideration, this is the same
warning as with SPF, DKIM, and DMARC, which are up front in those drafts
and not in security considerations (and is also front and center in the
initial paragraph of section 4).

That said, is it worth adding (or rewording 13.3) to make it clear that one
should "not blindly trust a passing ARC chain" because:

a) you have to trust all signatories

b) It’s possible that trusted systems don't properly authenticate messages,
so even with a legit ARC chain with sealers you trust, the message might
still never have authenticated in the first place (which is why you have
the AAR to inspect)

--f403045dd5d8c8995d0561707326--
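
Added example, not part of the original message and not taken from any ARC implementation: a receiver-side check for points (a) and (b) above, which uses a passing chain only if every ARC-Seal d= domain is locally trusted and the i=1 ARC-Authentication-Results (AAR) records a pass. It assumes a separate verifier has already validated the chain cryptographically; the function names, the trusted-sealer set, the simplified A-R parsing (no comments or quoted strings) and the sample headers are constructed for illustration.

```python
import re

# Constructed sample headers (not from the thread); signature data elided as "...".
SAMPLE_HEADERS = [
    ("ARC-Seal", "i=2; a=rsa-sha256; cv=pass; d=lists.example.org; s=sel; b=..."),
    ("ARC-Message-Signature", "i=2; a=rsa-sha256; d=lists.example.org; b=..."),
    ("ARC-Authentication-Results",
     "i=2; lists.example.org; arc=pass; dkim=fail header.d=sender.example"),
    ("ARC-Seal", "i=1; a=rsa-sha256; cv=none; d=forwarder.example.net; s=sel; b=..."),
    ("ARC-Message-Signature", "i=1; a=rsa-sha256; d=forwarder.example.net; b=..."),
    ("ARC-Authentication-Results",
     "i=1; forwarder.example.net; spf=pass smtp.mailfrom=sender.example; "
     "dkim=pass header.d=sender.example; dmarc=pass header.from=sender.example"),
]


def parse_tags(value):
    """Parse a DKIM-style tag list ("i=1; d=example.org; ...") into a dict."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip().lower()] = val.strip()
    return tags


def parse_aar(value):
    """Return (instance, authserv_id, {method: [results]}) for one AAR value."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    instance = int(parse_tags(parts[0])["i"])
    authserv_id = parts[1].split()[0]
    results = {}
    for stmt in parts[2:]:
        m = re.match(r"([A-Za-z0-9-]+)\s*=\s*([A-Za-z]+)", stmt)
        if m:
            results.setdefault(m.group(1).lower(), []).append(m.group(2).lower())
    return instance, authserv_id, results


def evaluate_arc(headers, chain_validated, trusted_sealers, origin_method="dmarc"):
    """Decide whether a validated ARC chain may inform local policy.

    Returns (usable, reason). origin_method is a local policy choice
    (an assumption of this example), not something the draft mandates.
    """
    if not chain_validated:
        return False, "ARC chain did not validate"
    seals, aars = {}, {}
    try:
        for name, value in headers:
            lname = name.lower()
            if lname == "arc-seal":
                tags = parse_tags(value)
                seals[int(tags["i"])] = tags["d"].lower()
            elif lname == "arc-authentication-results":
                instance, _, results = parse_aar(value)
                aars[instance] = results
    except (KeyError, ValueError, IndexError):
        return False, "malformed ARC header"
    expected = set(range(1, len(seals) + 1))
    if not seals or set(seals) != expected or set(aars) != expected:
        return False, "ARC sets are missing or not numbered 1..N"
    # (a) every signatory in the chain has to be trusted, not just the last one
    untrusted = sorted(d for d in seals.values() if d not in trusted_sealers)
    if untrusted:
        return False, "untrusted sealer(s): " + ", ".join(untrusted)
    # (b) trusted sealers may still have handled a message that never
    # authenticated, so read what the first hop recorded in its AAR
    if "pass" not in aars[1].get(origin_method, []):
        return False, f"i=1 AAR records no {origin_method}=pass"
    return True, f"all sealers trusted and i=1 AAR records {origin_method}=pass"


if __name__ == "__main__":
    trusted = {"lists.example.org", "forwarder.example.net"}
    print(evaluate_arc(SAMPLE_HEADERS, True, trusted))
    print(evaluate_arc(SAMPLE_HEADERS, True, {"lists.example.org"}))
```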


From nobody Thu Dec 28 17:24:02 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C534129C6C for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 17:24:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Luz4kAn9_oNp for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 17:24:00 -0800 (PST)
Received: from mail-vk0-x22d.google.com (mail-vk0-x22d.google.com [IPv6:2607:f8b0:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3F9812895E for <dmarc@ietf.org>; Thu, 28 Dec 2017 17:23:59 -0800 (PST)
Received: by mail-vk0-x22d.google.com with SMTP id p144so14589297vke.11 for <dmarc@ietf.org>; Thu, 28 Dec 2017 17:23:59 -0800 (PST)
X-Received: by 10.31.73.135 with SMTP id w129mr33088992vka.129.1514510638597;  Thu, 28 Dec 2017 17:23:58 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 17:23:38 -0800 (PST)
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 17:23:38 -0800
Message-ID: <CAD2i3WMw0AcUuMrWSc2Yc_XCxT7NoUjAgG-ZkiBj7wTBMy8RYg@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114dddd89f68a80561707cdc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/unr_B2GVKibWLwqhy2fW4VeK7dg>
Subject: [dmarc-ietf] ARC draft: Call for ARC Implementations to be included
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 01:24:01 -0000

--001a114dddd89f68a80561707cdc
Content-Type: text/plain; charset="UTF-8"

The Implementation Status section of the draft (
https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-14)
feels out of date.

If you're working on an implementation, please speak up so that we can
include you!

--001a114dddd89f68a80561707cdc--


From nobody Thu Dec 28 19:57:48 2017
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D1E912D82E for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 19:57:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.761
X-Spam-Level: 
X-Spam-Status: No, score=-1.761 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=cWdlwcVF; dkim=pass (1536-bit key) header.d=taugh.com header.b=WyCGPfHE
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ccBCmKk9Y4rV for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 19:57:44 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DD8412D7F3 for <dmarc@ietf.org>; Thu, 28 Dec 2017 19:57:44 -0800 (PST)
Received: (qmail 30625 invoked from network); 29 Dec 2017 03:57:42 -0000
Received: from ary.local ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTP via TCP6; 29 Dec 2017 03:57:42 -0000
Received: by ary.local (Postfix, from userid 501) id 325D018916FA; Thu, 28 Dec 2017 22:57:41 -0500 (EST)
Date: 28 Dec 2017 22:57:41 -0500
Message-Id: <20171229035742.325D018916FA@ary.local>
From: "John Levine" <johnl@taugh.com>
To: dmarc@ietf.org
Cc: seth@sethblank.com
In-Reply-To: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com>
Organization: Taughannock Networks
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset=utf-8
Content-transfer-encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/COPyloH8B8FJUI-dCysGb_0hOFE>
Subject: Re: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 03:57:46 -0000

In article <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com> you write:
>https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-10)
>feels clunky and itself says it needs more work.

To put it mildly.

>Assuming we're proceeding as an Experiment, I propose we address rotation
>in a separate draft.

I understand the motivation, but I think that if we do that, it makes
it a lot less likely that people will actually implement the
rotation stuff.

R's,
John



From nobody Thu Dec 28 20:32:40 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 23668127698 for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 20:32:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FM8gvQ5AQC1v for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 20:32:37 -0800 (PST)
Received: from mail-ua0-x22c.google.com (mail-ua0-x22c.google.com [IPv6:2607:f8b0:400c:c08::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62D8B124207 for <dmarc@ietf.org>; Thu, 28 Dec 2017 20:32:37 -0800 (PST)
Received: by mail-ua0-x22c.google.com with SMTP id e39so5994560uae.12 for <dmarc@ietf.org>; Thu, 28 Dec 2017 20:32:37 -0800 (PST)
X-Received: by 10.176.10.2 with SMTP id q2mr37432309uah.13.1514521956004; Thu, 28 Dec 2017 20:32:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 20:32:15 -0800 (PST)
In-Reply-To: <20171229035742.325D018916FA@ary.local>
References: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com> <20171229035742.325D018916FA@ary.local>
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 20:32:15 -0800
Message-ID: <CAD2i3WMcU6YG-dc-_py0aRR8o02BJsQADZNDaGw=yCQwu++=jw@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c0ea32c314be30561731fd2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DxH_hcSQe118ZSVDibmoKXPkJXk>
Subject: Re: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 04:32:39 -0000

--94eb2c0ea32c314be30561731fd2
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 28, 2017 at 7:57 PM, John Levine <johnl@taugh.com> wrote:

> I understand the motivation, but I think that if we do that, it makes
> it a lot less likely that people will actually implement the
> rotation stuff.
>

Since there are only a handful of major implementations right now, all of
whom are participating in this group, I don't think there's a big risk of
this getting lost - unless we don't figure it out for many many months and
major implementors disengage. And as a maintainer and patron of several of
these implementations, this will be a priority as soon as it's baked, be
that in this doc or a separate one.

My strong bias (on my sleeve!) is to get the experiment rolling, and sort
other components that don't affect the experiment in separate documents.
The two that are top of mind are algorithm rotation and DMARC reporting,
but could also include A-R stamping if 7601bis needs more time.

Seth

--94eb2c0ea32c314be30561731fd2--


From nobody Thu Dec 28 20:35:06 2017
Return-Path: <seth@sethblank.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F30A6127698 for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 20:35:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level: 
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sethblank-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2trnPTXGq0p for <dmarc@ietfa.amsl.com>; Thu, 28 Dec 2017 20:35:02 -0800 (PST)
Received: from mail-vk0-x22c.google.com (mail-vk0-x22c.google.com [IPv6:2607:f8b0:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 077A51200C5 for <dmarc@ietf.org>; Thu, 28 Dec 2017 20:35:02 -0800 (PST)
Received: by mail-vk0-x22c.google.com with SMTP id n2so20341117vkf.4 for <dmarc@ietf.org>; Thu, 28 Dec 2017 20:35:01 -0800 (PST)
X-Received: by 10.31.160.145 with SMTP id j139mr31821831vke.155.1514522100706;  Thu, 28 Dec 2017 20:35:00 -0800 (PST)
MIME-Version: 1.0
Received: by 10.159.33.165 with HTTP; Thu, 28 Dec 2017 20:34:40 -0800 (PST)
In-Reply-To: <CAD2i3WMcU6YG-dc-_py0aRR8o02BJsQADZNDaGw=yCQwu++=jw@mail.gmail.com>
References: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com> <20171229035742.325D018916FA@ary.local> <CAD2i3WMcU6YG-dc-_py0aRR8o02BJsQADZNDaGw=yCQwu++=jw@mail.gmail.com>
From: Seth Blank <seth@sethblank.com>
Date: Thu, 28 Dec 2017 20:34:40 -0800
Message-ID: <CAD2i3WNAUqPYoN4kGPHsuUoLYUbvZphyzBnbk63Dy4p4EXrSdA@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a1142df10d14e9b05617327f4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/6R7jjENPUjIQyQadYA3t1yIom1Y>
Subject: Re: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 04:35:04 -0000

--001a1142df10d14e9b05617327f4
Content-Type: text/plain; charset="UTF-8"

And to be clear - I volunteer to write these documents and drive them to
completion.

On Thu, Dec 28, 2017 at 8:32 PM, Seth Blank <seth@sethblank.com> wrote:

> On Thu, Dec 28, 2017 at 7:57 PM, John Levine <johnl@taugh.com> wrote:
>
>> I understand the motivation, but I think that if we do that, it makes
>> it a lot less likely that people will actually implement the
>> rotation stuff.
>>
>
> Since there are only a handful of major implementations right now, all of
> whom are participating in this group, I don't think there's a big risk of
> this getting lost - unless we don't figure it out for many many months and
> major implementors disengage. And as a maintainer and patron of several of
> these implementations, this will be a priority as soon as it's baked, be
> that in this doc or a separate one.
>
> My strong bias (on my sleeve!) is to get the experiment rolling, and sort
> other components that don't affect the experiment in separate documents.
> The two that are top of mind are algorithm rotation and DMARC reporting,
> but could also include A-R stamping if 7601bis needs more time.
>
> Seth
>

--001a1142df10d14e9b05617327f4--


From nobody Fri Dec 29 09:26:06 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4312128954 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:26:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWwuXcz9tcVH for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:26:03 -0800 (PST)
Received: from mail-qk0-x235.google.com (mail-qk0-x235.google.com [IPv6:2607:f8b0:400d:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D43FD120725 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:26:02 -0800 (PST)
Received: by mail-qk0-x235.google.com with SMTP id a8so16095448qkb.8 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:26:02 -0800 (PST)
X-Received: by 10.55.12.2 with SMTP id 2mr46493427qkm.60.1514568361747; Fri, 29 Dec 2017 09:26:01 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Fri, 29 Dec 2017 09:26:01 -0800 (PST)
In-Reply-To: <CAD2i3WM5DeJfmZMrFGNoGbhn6zVix2JR5PPbFgsMEtXrE+9QNQ@mail.gmail.com>
References: <CAD2i3WM5DeJfmZMrFGNoGbhn6zVix2JR5PPbFgsMEtXrE+9QNQ@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 29 Dec 2017 09:26:01 -0800
Message-ID: <CAL0qLwY79k729QGvjygEuGVZxhgDvDNyMUZhGqKMbvs38P1sNQ@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114c5c9e30ac7805617ded43"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/QLKhyifSZI6Wttxg2PKIhjmBUso>
Subject: Re: [dmarc-ietf] ARC draft questions (speak up!): Experimental Status and Considerations
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 17:26:04 -0000

--001a114c5c9e30ac7805617ded43
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 28, 2017 at 4:15 PM, Seth Blank <seth@sethblank.com> wrote:

> 1) Unless a chair speaks up that consensus is already Experimental, we
> should have the conversation now and nail this down.
>
> 2) Unless there is opposition, I'd like to move the Experimental
> Considerations out of the usage guide into the primary draft. We can easily
> revisit how the section is titled if the outcome of #1 here changes
> anything.
>

+1 to both points.  I also thought this was consensus already.

-MSK

--001a114c5c9e30ac7805617ded43--


From nobody Fri Dec 29 09:29:11 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12F2F12D855 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:29:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2ewzr1dqIdC7 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:29:08 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22597120725 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:29:08 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id a8so16103731qkb.8 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:29:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=kM8Xnefh/9Yu/YV/UwELcsS+3j45bbPf7RgZc78wHbo=; b=OT3GfJ4fheA+h1365Ofn1twsZkXkAkzNjWLDs4f0mfpsvBPvemO7+qSENZCUvixYFd 9s5h4Xpo1Vcjd1QZWtC5UPq41bwmfKuRyH+jNOZNmYP89dqUYf0odAI1D+XdATipipMn 2uW7OOcmxydWmpmHdk+STvXSe94x3sp4Td5yzYAmGZmLd5d3sIde9dO4aPnPx/moFoWc Gc2E0K4IKmUl4UyJw0EliH+5QDb/6ZfwTl4ZWE/FMfhD9hg833ZUgC2CI5n9dVH/FHIw tD8ve2VCh+05ZPNR/AC+uD54MexVTTnareilzJ9PGMPrbW4GVskmicZ4Cb0mQIBr+HzK oWfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=kM8Xnefh/9Yu/YV/UwELcsS+3j45bbPf7RgZc78wHbo=; b=ZFLZM1yYM7NiWH25viILqHfKFdqMOkcRhkei1kkKFfPb7/H+D83qiPd3mJpAXtcTEZ JNKEXvLtXFfBiHY+p4EiC4HbnPoGLvC0qXWp47/afIxEFk/ds+B/Ipg9nGglBUCY9Mfr JMVPwaqUGfcOx2qJoKyXZbutUhN306MINW/VFaCnpEbMb2CmurVEyAif/TVa3VSHYpXz ZPqWl7Sa6ZSE4CX8nV3rasdohLYv7SoETbZMBpnHkS+ORpyWGtqDEn8P7nFF/Cjh7xfJ 5jEALFS5ZH/BlK3bpuBiAT+doyjKrEDXvjDtnDx2BkvfKQs+44qBNy0w8lue2hytHbuE +5Yg==
X-Gm-Message-State: AKGB3mL+zdb1reeDm3xNHh+ZiE2LKiWuR20zSlZl1NYYtBE6DCRNjr9L /vtDbhcXbEvCP+1tJKNz4koEFHy03y5HM0oS+b0=
X-Google-Smtp-Source: ACJfBouzs6aLhRa3X7PrB6MDCMb+WPpXEpZFxCuMQSoAf3bJSzdsRDpXJBS+pH8LVG4LLKTQglUy7rEu1HAEJipg7lA=
X-Received: by 10.55.75.19 with SMTP id y19mr32968673qka.45.1514568547111; Fri, 29 Dec 2017 09:29:07 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Fri, 29 Dec 2017 09:29:06 -0800 (PST)
In-Reply-To: <CAD2i3WMw5SJEJ7oFLAD9m4xviC66_SRO3mGLKViY=3bvAruSyw@mail.gmail.com>
References: <CAD2i3WMw5SJEJ7oFLAD9m4xviC66_SRO3mGLKViY=3bvAruSyw@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 29 Dec 2017 09:29:06 -0800
Message-ID: <CAL0qLwZvciznf28KhWDZwGVadVN=DGX5KjEO-S2yzJUUrZOzXA@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114a732e3d177405617df874"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_0xqCtPGGU3jQijZL2wFv8wUENQ>
Subject: Re: [dmarc-ietf] ARC draft-10 protocol elements section and question about reducing section 8
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 17:29:10 -0000

--001a114a732e3d177405617df874
Content-Type: text/plain; charset="UTF-8"

Chairs, should we start using the WG's issue tracker for this stuff?

On Thu, Dec 28, 2017 at 4:44 PM, Seth Blank <seth@sethblank.com> wrote:

> Sections 4.7 and 4.8 from my proposal
> (https://mailarchive.ietf.org/arch/msg/dmarc/yl1HWdNbmQR1wHlCvG3eRl9ph5E)
> were not moved into the protocol elements section of the latest draft
> (https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-4)
>
> I spoke with Kurt, and this appears to have been an oversight.
>
> To be clear about the protocol elements section, I've cribbed it from DKIM
> and proposed it to:
> a) provide context for the entire ARC Chain
> b) define protocol components that are not specific to only sealing or
> validating the chain
>
> As such, I believe both the concept of chain validation status and the
> ordering of hops belong in protocol elements.
>

+1.

> This also opens the question of where Section 8
> (https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-8)
> belongs. This section now feels more like a kitchen sink and implementation
> guidance.
>
> I would suggest:
>
> 8.1 be stricken as it's a normative modification of DKIM, or replaced with
> language to the effect of "ARC MUST be the last signer of the message;
> otherwise it cannot be validated on receipt." which can go in signer actions
>
> 8.2 should be moved to protocol elements
>
> 8.3 to signer actions
>
> 8.4 to verifier actions
>

+1 to all of those.

> 8.5 should be stricken (this is bad advice that could result in
> backscatter, and I'm unsure where it came from, I can find no working group
> conversation around this)
>

It is a reasonable choice, however.  That is: If you're going to give an
SMTP reply, this is the right one to use, but maybe warn that backscatter
(and provide or reference a definition of that term) can result.

-MSK

--001a114a732e3d177405617df874--


From nobody Fri Dec 29 09:35:24 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 547F31270B4 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:35:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2KggYs9MyBOZ for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:35:21 -0800 (PST)
Received: from mail-qk0-x22b.google.com (mail-qk0-x22b.google.com [IPv6:2607:f8b0:400d:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 079F2120725 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:35:21 -0800 (PST)
Received: by mail-qk0-x22b.google.com with SMTP id v188so26097565qkh.11 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:35:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FIFkpj/FWEqYM1x1RLP6W/G+r5PsW7NZw7uR4nSaGQs=; b=sVVEJYYbjs7oCF/7/Wj5H8MXbR7BrLljuFawa1vCZ7IscFEIk7Q0nC4jQXxV9k5Yr6 cHOod0u9nz+PFS7XR4q2IVZy5mzDQBqN2v3bLU+v50BB8YmKmNpyp2rw8DccZ2iq1YN2 BtL19yK1yW6W0NMWCGA0hDlHXd0W4C1ipyHBU6Y9n6mVbITMELcWZt3xF9JRm4w1BiyD 6aXdQL7HhR4ExquXtiU9GvpME9sTP8FRDxOYDBJ2QH/LRjFdwpnT1YG9h5Ci6I8kis7P /ueMyGbjlQflTHo/oTQkgSPOAJkH1X05hLwGawmd3gpDbKW2YetRX9ZevnpNTbmxXAnw Sxww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FIFkpj/FWEqYM1x1RLP6W/G+r5PsW7NZw7uR4nSaGQs=; b=WPQCsuS45axkKuYRP7kUSBEZ3ZQeLr2/cFHHM3eSIUik3PlohN4vyBycPDWMjyK2y1 ZJ85b10sOURdMiR/F0P/9aiz1OopeVtYg/AHd6SYPT7dwdi42j7Qlund0BufoTue+FRe whKZpwNyOHd4Uk6yZju+MUI/t155/JEfm90e3yymSa/iDJXyx3qqnYZOf8+bDz51aN8o ZJwi1Du+MHWV8qZo++va/tPmE4QXtyKR4EEFPyzepkoB68hRfxqMpsEWDWmKQ6uoaQyB ZcZ6wyt2mSCvxwSKlbS2BfiCHSCjkPDdQJEqxhl9oPWWaCiLUwZC5BEqGEHhymHNEniL 1+aA==
X-Gm-Message-State: AKGB3mIEpWUemjtLA+I/f6fA71tuDkMV2KLmYWVDhcBMnZKOyDJPC/yr 7Lo3cWqvCEzQdMAmj5/a9SyrF8mmg8kokg213VU=
X-Google-Smtp-Source: ACJfBourGzgtDqvDwtnV6IreLFbL1lbSpcH/3Wfd7pwjtXeOBWOZHOTddSK3qFhzfMFgcSNzhGeKbBc/5WirP+n2Bb0=
X-Received: by 10.55.5.21 with SMTP id 21mr43372261qkf.106.1514568919970; Fri, 29 Dec 2017 09:35:19 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Fri, 29 Dec 2017 09:35:19 -0800 (PST)
In-Reply-To: <CAD2i3WNB5UUz+z5L5rNEG7T5pMx_ea6UANZerfQ78BKUevHBWw@mail.gmail.com>
References: <CAD2i3WNB5UUz+z5L5rNEG7T5pMx_ea6UANZerfQ78BKUevHBWw@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 29 Dec 2017 09:35:19 -0800
Message-ID: <CAL0qLwZ59EXXtaeMDD0pXRX3JN0xph+3UdXMGMOm6eJ-K8ryjw@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a11488c0876780005617e0e88"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/dcF7BPlsqhfxxu33n6gPCgwE2ig>
Subject: Re: [dmarc-ietf] ARC draft-10 Security Considerations - questions and request
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 17:35:23 -0000

--001a11488c0876780005617e0e88
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Thu, Dec 28, 2017 at 5:21 PM, Seth Blank <seth@sethblank.com> wrote:

> https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-13
>
> Beyond my notes below, the Security Considerations section feels weak, and
> like it should at least inherit DKIM's security considerations.
> Additionally, there have definitely been items called out on this list
> (like the ability to do an ARC replay attack) that are not yet represented.
>

ARC does inherit DKIM.  The single sentence of Section 13 itself does so.

> 13.1: I don't understand how this is a security consideration. However, it
> might make a good "open question" in experimental considerations.
>

It depends on the failure mode of modules that don't handle oversized
headers properly.  If, say, a spam filter blows up on an oversized header
and the system fails open, the message will be delivered.

> 13.2: It should be noted that verifier caching of DNS responses renders
> this type of attack weak, only systems that validate ARC Chains that do not
> cache DNS responses will be susceptible to an attack here.
>

If I want to attack sethblank.com, all I have to do is generate N messages
with "d=sethblank.com" and rotate the selector to be a random set of
strings.  That'll avoid caching.

> 13.3: this doesn’t make sense as a security consideration, this is the same
> warning as with SPF, DKIM, and DMARC, which are up front in those drafts
> and not in security considerations (and is also front and center in the
> initial paragraph of section 4).
>
> That said, is it worth adding (or rewording 13.3) to make it clear that
> one should "not blindly trust a passing ARC chain" because:
>
> a) you have to trust all signatories
>
> b) It’s possible that trusted systems don't properly authenticate
> messages, so even with a legit ARC chain with sealers you trust, the
> message might still never have authenticated in the first place (which is
> why you have the AAR to inspect)
>

Sure.

-MSK

--001a11488c0876780005617e0e88--
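
The cache-bypass point made in the reply on 13.2 above, as an added offline simulation (not part of the original thread or of the ARC draft): it counts how many key lookups reach the signing domain's DNS when the selector repeats versus when it differs on every message, and then with a per-domain cap on cache-missing lookups. The domain "signer.example", the selector "mail2017", the class and function names, and the cap itself are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

# Constructed zone data: the only key record that really exists for the domain.
ZONE = {"mail2017._domainkey.signer.example": "v=DKIM1; k=rsa; p=PLACEHOLDER"}


class CachingResolver:
    """Toy verifier-side DNS cache; counts the queries that go upstream."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}             # name -> TXT record, or None for cached NXDOMAIN
        self.upstream_queries = 0

    def lookup_txt(self, name):
        if name not in self.cache:
            self.upstream_queries += 1      # cache miss: the domain's DNS is hit
            self.cache[name] = self.zone.get(name)
        return self.cache[name]


class BudgetedKeyFetcher:
    """Caps cache-missing key lookups per signing domain within one window
    (hypothetical mitigation, not something the draft specifies)."""

    def __init__(self, resolver, max_misses_per_domain):
        self.resolver = resolver
        self.max_misses = max_misses_per_domain
        self.misses = defaultdict(int)      # domain -> misses spent this window

    def fetch(self, selector, domain):
        name = f"{selector}._domainkey.{domain}"
        if name in self.resolver.cache:
            # Cached answers are free and never count against the budget.
            return "cached", self.resolver.lookup_txt(name)
        if self.misses[domain] >= self.max_misses:
            # Over budget: the caller records a temporary error for this
            # signature instead of sending another query upstream.
            return "skipped", None
        self.misses[domain] += 1
        return "queried", self.resolver.lookup_txt(name)


def rotating_selectors(n, seed=0):
    """Constructed input: n selectors, each unique (index suffix), seeded RNG."""
    rng = random.Random(seed)
    return [f"{rng.getrandbits(32):08x}{i:04x}" for i in range(n)]


def upstream_load(selectors, domain="signer.example", budget=None):
    """Return (queries that reached upstream, per-message outcome list)."""
    resolver = CachingResolver(ZONE)
    cap = budget if budget is not None else len(selectors)   # None = no cap
    fetcher = BudgetedKeyFetcher(resolver, cap)
    outcomes = [fetcher.fetch(s, domain)[0] for s in selectors]
    return resolver.upstream_queries, outcomes


if __name__ == "__main__":
    print("same selector x1000:     ", upstream_load(["mail2017"] * 1000)[0])
    print("unique selectors x1000:  ", upstream_load(rotating_selectors(1000))[0])
    print("unique, cap of 20/domain:",
          upstream_load(rotating_selectors(1000), budget=20)[0])
```

A key that is already cached keeps resolving after the cap is reached; a legitimate selector first seen while the cap is exhausted is skipped until the window resets, which is the trade-off of this kind of limit.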


From nobody Fri Dec 29 09:36:58 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89583127419 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:36:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLY6wCd9TVP7 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:36:55 -0800 (PST)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABDE2120725 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:36:55 -0800 (PST)
Received: by mail-qk0-x229.google.com with SMTP id l19so19337324qke.5 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:36:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=acjO/XASocd81n/2PED82DLUK/UpgPL1RuROMF+KRmg=; b=BvBuT37MwsLk5HlcXCsCaaHaT0FsiHNGehyehqeqUaqOtTzGDoQsPLnHGfn7FdkoEs SvLvY5cp8yVK9GhOSMySVbf4qjih3iwDeMtyDSqLIuOzI8VVWSwKUDMte600OAR9KRTX uh4UGfkPlE2DBNolcYevo7LSkKpwzn1IJQs7SkEsCBmFBjQp3MBtaoVUXmmXWo2x+UEz HSOoixPqy9mUuR+GzbSVO1LIRBM4EYmy23V6hl5pYzGp8v3/62ECbxVBSGVFM6JSPIEx r7KP6MuvyXuhLEswB1xBB/4am+iYTsb3jEla1D/t+y8XYmtYaWsPMt42kdKp3Jt4Ntwa cIyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=acjO/XASocd81n/2PED82DLUK/UpgPL1RuROMF+KRmg=; b=C/z8SzUy3DKqvMvIYordLccIsHmYLqN2Ij3D5E7mPjJ2Xw+dC2DTY2flgTZM0N2ls4 MD0VL2hsLvh6oRcKVaHHEcwudMyyL8lMbPPxbLetURJ6CXkAqbnu7f3oy+K3By2itCFG Epy7JX8di/Vm3OFwXYSXd/X1xsf76FQc/BMfITU8EIMT0m98KrEDxksn7pUpWV506pBe iKbEqpeetxSM1oki+ebz7LVbrPo0TGaK2kUE7ysOxK9HQITXTJSkbKD4H2LKCK2PeIpp piDc1zUMQbGI+FPhVdFaEPtq5/0iAvs1RGEPrnUZ7s3nfDPPYb7Lv5RJsuDV9dnCRXB8 v1fw==
X-Gm-Message-State: AKGB3mKXw53RJJfvntIn11BophBeMi/j2hFge85sBsAx7bNkSxPblxQS FpDRLIoLZa/3uF/lgtW75q1fAHW3dxv3e7ITh/Y=
X-Google-Smtp-Source: ACJfBouZs05EiRhz74T4FxXLw3wucEyzxC40mA8MJI3o9EmvISip2aNwFTVpFO6Y/TzP1LGkf1e8vw1lrpNRSMAOyaE=
X-Received: by 10.55.12.2 with SMTP id 2mr46532342qkm.60.1514569014705; Fri, 29 Dec 2017 09:36:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Fri, 29 Dec 2017 09:36:54 -0800 (PST)
In-Reply-To: <CAD2i3WMw0AcUuMrWSc2Yc_XCxT7NoUjAgG-ZkiBj7wTBMy8RYg@mail.gmail.com>
References: <CAD2i3WMw0AcUuMrWSc2Yc_XCxT7NoUjAgG-ZkiBj7wTBMy8RYg@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 29 Dec 2017 09:36:54 -0800
Message-ID: <CAL0qLwb0DMLFRV5kR=A4rzOc+OS8r9dyzdvgYVpJaEAvmM5j4A@mail.gmail.com>
To: Seth Blank <seth@sethblank.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="001a114c5c9e1c020805617e142a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PCvMmYFILeKu71a1ZOngcxD5UbE>
Subject: Re: [dmarc-ietf] ARC draft: Call for ARC Implementations to be included
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 17:36:57 -0000

--001a114c5c9e1c020805617e142a
Content-Type: text/plain; charset="UTF-8"

The second bullet on 14.4 can go.  The third one can go once a new version
of OpenDMARC is out, which can happen in early January.

On Thu, Dec 28, 2017 at 5:23 PM, Seth Blank <seth@sethblank.com> wrote:

> The Implementation Status section of the draft (
> https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-14)
> feels out of date.
>
> If you're working on an implementation, please speak up so that we can
> include you!
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
>

--001a114c5c9e1c020805617e142a--


From nobody Fri Dec 29 09:38:01 2017
Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBE07127419 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:37:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level: 
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZF5aRL0OopPP for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 09:37:58 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2683120725 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:37:57 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id u184so53537966qkd.6 for <dmarc@ietf.org>; Fri, 29 Dec 2017 09:37:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;  h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Nl3InNJVxNbXAqX+1FDlfiM97TgLZXEPA/XLPk8qd7c=; b=F/OngB5FUs6ZHQMt7riJM9UF8WCO+vEqcJy04cLnQ8km4zuIwnxpRfro1VzbVfd4qg GNEsjCVp2rduN2aRPSDhl94PeXnQhCmlDFkbFRGT7lRWqK1lvtFSIpYJIrPi5wpi7RmK G01ZUBi6+cCI3TN8sr2JWRSY/tXYlnEkymFwTtSAo5V3HbIOygGVhJRiw/hW/fDW/LnK tooavCdFpwLYbt8pQe+qfi5B6sXxVoUOxWzkK1F3b9O7Gy+VaRezSJU7Sa6VaigBFUxq p0DTRKwd0LvTgrSVYSMTzVCdRP3rgF/Cv3IIpYU+tWLnlDpuO3GUyVz4EfcqYdO0OPRd WnUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Nl3InNJVxNbXAqX+1FDlfiM97TgLZXEPA/XLPk8qd7c=; b=jCbUaKIiuQHN6U+xf3YY5oge9MVwYlEfJ16tgKcNMlUvNi0G4uEHohELrxpF7yYmkf GNLLFYev4k8PdAPJddrtgZ+vU3F09Q4yyuXYDmc10SoNeiL5jVfELVGwl9pV3Y2OXNjN huLFd2xBybXzGEBPjcZ/PFdv7SBtDSr80vsjCLZ8BcavROhDSEFzE1ANtAihSsX9CaJL PyBEa8QkpcAR5es33WSqFBU0XWE1oIfBrinAxc1DG6mjBx5lkGcWV4b/deSKIKFGIIP6 BnEV3bbl9Pn0I/EN6j7JYoJpmA80pZ5h7wOWwa2iss6KX7snYcQi/HHKpQjP5hxWFP4J 6b7w==
X-Gm-Message-State: AKGB3mL0VoSfhZJYO8MNHY0OFBsJfoY68qsqYhS8tuKZOMeEL02YEq1h 92h663LvKg9qWHmbbzGwAbLMmejftpDszcKtz5U=
X-Google-Smtp-Source: ACJfBoumWQPw952+KZ9x2QVJaKZBEROpRQEf/JG/gXTQu2hFQrPRK4BF4mB5oCVY1oi0ADDAU0X7KNmntOdCbuZPyoE=
X-Received: by 10.55.143.131 with SMTP id r125mr18470796qkd.215.1514569076950;  Fri, 29 Dec 2017 09:37:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.237.33.1 with HTTP; Fri, 29 Dec 2017 09:37:56 -0800 (PST)
In-Reply-To: <20171229035742.325D018916FA@ary.local>
References: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com> <20171229035742.325D018916FA@ary.local>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Fri, 29 Dec 2017 09:37:56 -0800
Message-ID: <CAL0qLwbQXvzi=BiHaeAsFhCASphbx9tAz0XvAvATDuERtm1RGg@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dmarc@ietf.org, Seth Blank <seth@sethblank.com>
Content-Type: multipart/alternative; boundary="94eb2c0855f2d1ca7505617e173d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/iuT_RM7Udv4tP9PlSRQyc5bPNYk>
Subject: Re: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Dec 2017 17:38:00 -0000

--94eb2c0855f2d1ca7505617e173d
Content-Type: text/plain; charset="UTF-8"

On Thu, Dec 28, 2017 at 7:57 PM, John Levine <johnl@taugh.com> wrote:

> In article <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com>
> you write:
> >https://tools.ietf.org/html/draft-ietf-dmarc-arc-protocol-10#section-10)
> >feels clunky and itself says it needs more work.
>
> To put it mildly.
>
> >Assuming we're proceeding as an Experiment, I propose we address rotation
> >in a separate draft.
>
> I understand the motivation, but I think that if we do that, it makes
> it a lot less likely that people will actually implement the
> rotation stuff.
>

I still don't understand why we need to say more than DKIM did on this
topic.

-MSK

--94eb2c0855f2d1ca7505617e173d--


From nobody Fri Dec 29 10:36:31 2017
Return-Path: <johnl@taugh.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B7331270B4 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 10:36:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level: 
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=0HiKJNgH; dkim=pass (1536-bit key) header.d=taugh.com header.b=UlvdMomN
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kpWKmvGAl6eG for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 10:36:27 -0800 (PST)
Received: from gal.iecc.com (gal.iecc.com [IPv6:2001:470:1f07:1126:0:43:6f73:7461]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F7DF126DFB for <dmarc@ietf.org>; Fri, 29 Dec 2017 10:36:27 -0800 (PST)
Received: (qmail 74950 invoked from network); 29 Dec 2017 18:36:26 -0000
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.2/X.509/AEAD) via TCP6; 29 Dec 2017 18:36:25 -0000
Date: 29 Dec 2017 13:36:23 -0500
Message-ID: <alpine.OSX.2.21.1712291321470.5395@ary.local>
From: "John R Levine" <johnl@taugh.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc@ietf.org, "Seth Blank" <seth@sethblank.com>
In-Reply-To: <CAL0qLwbQXvzi=BiHaeAsFhCASphbx9tAz0XvAvATDuERtm1RGg@mail.gmail.com>
References: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com> <20171229035742.325D018916FA@ary.local> <CAL0qLwbQXvzi=BiHaeAsFhCASphbx9tAz0XvAvATDuERtm1RGg@mail.gmail.com>
User-Agent: Alpine 2.21 (OSX 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/95oUQZ6TPbInwz0NvnQm1l6rizg>
Subject: Re: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-List-Received-Date: Fri, 29 Dec 2017 18:36:30 -0000

> I still don't understand why we need to say more than DKIM did on this
> topic.

DKIM doesn't have a chain of signatures.  With DKIM, a signature is either 
valid or not, and you can ignore the ones you don't understand.  ARC has a 
chain of ARC seals, and the current document says there's only one 
ARC-Seal header for each instance value so there can only be one chain 
using one algorithm per link.

One possibility would be what I suggested before, paired ARC-Seal headers 
that sign each other.  Another one that's simpler and probably workable is 
that all of the signatures in an AS chain have the same a= algorithm, and 
they ignore any AS or AMS with different signatures.

So if you understand one algorithm, you ignore any AS or AMS with other 
algorithms and hope you can find a chain with the one you understand.  If 
you understand both and there's a message with no prior AS, you add an i=1 
set with each algorithm.  If you understand both and there are existing 
chain(s), you add a new set for any chain that validates.

The intention is that there will always be a chain with rsa-sha256, and 
there might be a chain with ed25519-rsa256.  With multiple steps you might 
have, say, a three link rsa chain and a two link ed25519 chain if the 
third signer didn't do ed25519 so the software has to understand what that 
means.

I don't think this will be super complicated, but I do think it would be a 
mistake to try and publish now and then retrofit rather than adding it 
before we publish.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly


From nobody Fri Dec 29 11:21:07 2017
Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41B3A12702E for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 11:21:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level: 
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LUvthDIgmJ2Z for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 11:21:03 -0800 (PST)
Received: from mail-qk0-x233.google.com (mail-qk0-x233.google.com [IPv6:2607:f8b0:400d:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A140126E3A for <dmarc@ietf.org>; Fri, 29 Dec 2017 11:21:03 -0800 (PST)
Received: by mail-qk0-x233.google.com with SMTP id q14so41041654qke.7 for <dmarc@ietf.org>; Fri, 29 Dec 2017 11:21:03 -0800 (PST)
X-Received: by 10.55.19.73 with SMTP id d70mr49734921qkh.180.1514575262028; Fri, 29 Dec 2017 11:21:02 -0800 (PST)
MIME-Version: 1.0
References: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com> <20171229035742.325D018916FA@ary.local> <CAL0qLwbQXvzi=BiHaeAsFhCASphbx9tAz0XvAvATDuERtm1RGg@mail.gmail.com> <alpine.OSX.2.21.1712291321470.5395@ary.local>
In-Reply-To: <alpine.OSX.2.21.1712291321470.5395@ary.local>
From: Seth Blank <seth@valimail.com>
Date: Fri, 29 Dec 2017 19:20:51 +0000
Message-ID: <CAOZAAfNK2SrNquDq0dokSZ=b2geg4Y6WkGJYVRv7-FsJX7pQ-g@mail.gmail.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="001a11400e767aab8005617f88de"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/R0hk8kqrtEWHU3fJ5TE6vYRWUuM>
Subject: Re: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-List-Received-Date: Fri, 29 Dec 2017 19:21:06 -0000

--001a11400e767aab8005617f88de
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit

I’ll take a stab at proposing some language in a separate document.

On Fri, Dec 29, 2017 at 10:36 John R Levine <johnl@taugh.com> wrote:

> > I still don't understand why we need to say more than DKIM did on this
> > topic.
>
> DKIM doesn't have a chain of signatures.  With DKIM, a signature is either
> valid or not, and you can ignore the ones you don't understand.  ARC has a
> chain of ARC seals, and the current document says there's only one
> ARC-Seal header for each instance value so there can only be one chain
> using one algorithm per link.
>
> One possibility would be what I suggested before, paired ARC-Seal headers
> that sign each other.  Another one that's simpler and probably workable is
> that all of the signatures in an AS chain have the same a= algorithm, and
> they ignore any AS or AMS with different signatures.
>
> So if you understand one algorithm, you ignore any AS or AMS with other
> algorithms and hope you can find a chain with the one you understand.  If
> you understand both and there's a message with no prior AS, you add an i=1
> set with each algorithm.  If you understand both and there are existing
> chain(s), you add a new set for any chain that validates.
>
> The intention is that there will always be a chain with rsa-sha256, and
> there might be a chain with ed25519-rsa256.  With multiple steps you might
> have, say, a three link rsa chain and a two link ed25519 chain if the
> third signer didn't do ed25519 so the software has to understand what that
> means.
>
> I don't think this will be super complicated, but I do think it would be a
> mistake to try and publish now and then retrofit rather than adding it
> before we publish.
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
-- 

Bringing Trust to Email

Seth Blank | Director of Industry Initiatives
seth@valimail.com
+1-415-894-2724


--001a11400e767aab8005617f88de--


From nobody Fri Dec 29 12:09:59 2017
Return-Path: <dcrocker@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EF2D124B17 for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 12:09:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level: 
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9,  DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uq4q1fA2moUF for <dmarc@ietfa.amsl.com>; Fri, 29 Dec 2017 12:09:55 -0800 (PST)
Received: from mail-pf0-x22a.google.com (mail-pf0-x22a.google.com [IPv6:2607:f8b0:400e:c00::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4AE21200FC for <dmarc@ietf.org>; Fri, 29 Dec 2017 12:09:55 -0800 (PST)
Received: by mail-pf0-x22a.google.com with SMTP id a90so22459766pfk.1 for <dmarc@ietf.org>; Fri, 29 Dec 2017 12:09:55 -0800 (PST)
X-Received: by 10.98.224.200 with SMTP id d69mr36800266pfm.100.1514578194955;  Fri, 29 Dec 2017 12:09:54 -0800 (PST)
Received: from ?IPv6:2600:1700:a3a0:870:c4e8:d795:bbab:6d47? ([2600:1700:a3a0:870:c4e8:d795:bbab:6d47]) by smtp.gmail.com with ESMTPSA id 75sm79455299pfo.103.2017.12.29.12.09.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 29 Dec 2017 12:09:53 -0800 (PST)
To: John R Levine <johnl@taugh.com>, "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc@ietf.org, Seth Blank <seth@sethblank.com>
References: <CAD2i3WNh4nWehG=MJe8injQyCpxf5jrrg8CFO5AYo87fGh7Ktw@mail.gmail.com> <20171229035742.325D018916FA@ary.local> <CAL0qLwbQXvzi=BiHaeAsFhCASphbx9tAz0XvAvATDuERtm1RGg@mail.gmail.com> <alpine.OSX.2.21.1712291321470.5395@ary.local>
From: Dave Crocker <dcrocker@gmail.com>
Message-ID: <263f1e61-5548-ba08-7fcb-fe21a8f891a9@gmail.com>
Date: Fri, 29 Dec 2017 12:09:48 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2
MIME-Version: 1.0
In-Reply-To: <alpine.OSX.2.21.1712291321470.5395@ary.local>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/DukNR0Kedt2o-YwI77sjXVFLJyk>
Subject: Re: [dmarc-ietf] ARC draft-10 Section 10 - Algorithm Rotation - can we address separately?
X-List-Received-Date: Fri, 29 Dec 2017 20:09:57 -0000

On 12/29/2017 10:36 AM, John R Levine wrote:
>> I still don't understand why we need to say more than DKIM did on this
>> topic.
> 
> DKIM doesn't have a chain of signatures.  With DKIM, a signature is 
> either valid or not, and you can ignore the ones you don't understand.  
> ARC has a chain of ARC seals, and the current document says there's only 
> one ARC-Seal header for each instance value so there can only be one 
> chain using one algorithm per link.
> 
> One possibility would be what I suggested before, paired ARC-Seal 
> headers that sign each other.  Another one that's simpler and probably 
> workable is that all of the signatures in an AS chain have the same a= 
> algorithm, and they ignore any AS or AMS with different signatures.
> 
> So if you understand one algorithm, you ignore any AS or AMS with other 
> algorithms and hope you can find a chain with the one you understand.  If 
> you understand both and there's a message with no prior AS, you add an 
> i=1 set with each algorithm.  If you understand both and there are 
> existing chain(s), you add a new set for any chain that validates.
> 
> The intention is that there will always be a chain with rsa-sha256, and 
> there might be a chain with ed25519-rsa256.  With multiple steps you 
> might have, say, a three link rsa chain and a two link ed25519 chain if 
> the third signer didn't do ed25519 so the software has to understand 
> what that means.
> 
> I don't think this will be super complicated, but I do think it would be 
> a mistake to try and publish now and then retrofit rather than adding it 
> before we publish.


+1 to all of the above, I think.  (I don't usually leave a quote of an 
entire message, but the above seems pretty comprehensive to me.)

Basically, ARC creates an 'infrastructure' by virtue of relying on 
multiple intermediaries, rather than just requiring participation in ARC 
by two endpoints.  And infrastructure is always much, much harder to 
convert to new details.

To ensure basic interoperability there needs to be the usual, basic, 
single convention (algorithm) that everyone supports AND USES. To permit 
upgrades, there needs to be the option of additional ARC chains using 
better algorithms.  My intuition is that requiring a given chain to use 
a single algorithm for all signers is the more workable approach.

I think a 'weakest link' argument is what defeats any claim that it 
would be better to allow individual signers to use better algorithms.

d/


-- 
Dave Crocker
Brandenburg InternetWorking
bbiw.net
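
The single-algorithm-per-chain idea from John Levine's message, which Dave Crocker's reply prefers, sketched as an added example (not code from the draft or from anyone on the list). The tuple layout, the function names, the per-chain instance numbering and the sample message are assumptions made for illustration; signature checking itself is reduced to a boolean.

```python
from collections import defaultdict

RSA = "rsa-sha256"
ED = "ed25519-sha256"  # DKIM's a= name for Ed25519 (RFC 8463), used only as a label

# Constructed sample: the "three link rsa chain and a two link ed25519 chain"
# case, where the third hop sealed with RSA only.
# Each tuple is (instance, a= value, AS and AMS of that set verified).
SAMPLE = [
    (1, RSA, True), (1, ED, True),
    (2, RSA, True), (2, ED, True),
    (3, RSA, True),
]


def evaluate_chains(arc_sets, supported):
    """Split ARC sets into one chain per a= value and judge each chain alone.

    Returns {algorithm: (status, length)} where status is
    "ignored" (verifier does not implement the algorithm),
    "pass"    (instances are exactly 1..n and every set verified), or
    "fail"    (a gap, a duplicate instance, or a set that did not verify).
    """
    by_alg = defaultdict(list)
    for instance, alg, verified in arc_sets:
        by_alg[alg].append((instance, verified))

    results = {}
    for alg, links in by_alg.items():
        if alg not in supported:
            # Sets in an algorithm we cannot check are skipped, not failed.
            results[alg] = ("ignored", len(links))
            continue
        links.sort()
        contiguous = [i for i, _ in links] == list(range(1, len(links) + 1))
        verified = all(ok for _, ok in links)
        results[alg] = ("pass" if contiguous and verified else "fail", len(links))
    return results


def sets_to_add(arc_sets, supported):
    """Return {algorithm: instance} for the ARC sets a sealer should add.

    No prior sets: start an i=1 chain in every supported algorithm.
    Otherwise: extend only the chains that validate. Assumption: each chain
    numbers its own instances from 1, as the three-link/two-link example reads.
    A message whose prior sets are all in unknown algorithms yields {}; the
    thread does not say what a sealer should do in that case.
    """
    if not arc_sets:
        return {alg: 1 for alg in supported}
    results = evaluate_chains(arc_sets, supported)
    return {alg: n + 1 for alg, (status, n) in results.items() if status == "pass"}


def short_chains(arc_sets, supported):
    """Passing chains that cover fewer hops than the longest passing chain.

    These are the chains a later hop did not extend; what weight to give them
    is a local policy decision the thread leaves open.
    """
    results = evaluate_chains(arc_sets, supported)
    passing = {a: n for a, (status, n) in results.items() if status == "pass"}
    longest = max(passing.values(), default=0)
    return sorted(a for a, n in passing.items() if n < longest)


if __name__ == "__main__":
    print(evaluate_chains(SAMPLE, {RSA}))       # RSA-only verifier
    print(evaluate_chains(SAMPLE, {RSA, ED}))   # verifier that knows both
    print(sets_to_add(SAMPLE, {RSA, ED}))
    print(short_chains(SAMPLE, {RSA, ED}))
```

Because every link in a chain shares one a= value, the strength of a chain can be read off its algorithm directly, which is the weakest-link point made above.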

