Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

Terry Zink <tzink@exchange.microsoft.com> Tue, 02 April 2013 00:31 UTC

From: Terry Zink <tzink@exchange.microsoft.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Date: Tue, 02 Apr 2013 00:31:40 +0000
Message-ID: <3ba7c7a04f5f45cb95930ec99926ccc9@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
References: <515A02DB.2010309@gmail.com> <20130401230214.5709.qmail@joyce.lan>
In-Reply-To: <20130401230214.5709.qmail@joyce.lan>

Thanks for the responses, everyone. I am going to respond to them one at a time but combine multiple email responses.

John Levine:

> bigbank.com txt "v=spf1 ?ip4:157.55.158.0/23 ?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all"
>
> Those question marks in the record on the Frontbridge ranges make them neutral rather than pass, 
> which is appropriate in this case.  Since all of the real mail the client sends through your 
> system will have a DKIM signature, it will still pass DMARC.
> 
> If the bank has its own private ranges for its non-bulk mail, those could go in as SPF pass, e.g.
> 
> bigbank.com txt "v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 ?ip4:157.55.234.0/24 
> ?ip4:157.56.112.0/24 ~all"

BigBank.com puts both Frontbridge/Forefront's IPs into its SPF records as well as its own IPs. We validate BigBank.com's IPs when it hits us the first time, and then 3rd parties validate our IPs when it hits them. 

But yes, I think you understand our issue (I think).

> If you insist on both SPF and DKIM, you lose the path independence and break the forwarding 
> while gaining nothing, since the DKIM signature still tells you what you need to know.  
> If the bank sends its own unsigned mail through its own mail servers, the SPF record reflects 
> that, and it'll pass DMARC, too (give or take the known SPF forwarding issues.)

You are correct that you lose the path independence. But it is incorrect to say you gain nothing - you gain the ability to say "Nobody else can spoof me." Shouldn't it be the choice of the sender whether or not they want to make this assertion and subsequent trade-off?

-- Terry
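An added example, not code from anyone in this thread: a toy Python evaluator for the `ip4`/`all` subset of SPF applied to the bigbank.com record John quoted, plus a DMARC check run in the standard "either aligned SPF or DKIM" mode and in the "require both" mode Terry is proposing. The client IPs outside the record (the forwarder and the spoofer) are constructed for illustration.

```python
import ipaddress

# John's record for bigbank.com as quoted above; '?' makes the Frontbridge
# ranges neutral rather than pass, '+' marks the bank's own server.
SPF_RECORD = ("v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 "
              "?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_result(record, client_ip):
    """Evaluate the ip4/all subset of SPF: the first matching mechanism
    wins, and that mechanism's qualifier decides the result."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        qual = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return QUALIFIERS[qual]
        kind, _, value = mech.partition(":")
        if kind == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qual]
    return "neutral"                           # no match and no "all" term

def dmarc_result(spf, dkim_aligned_pass, require_both=False):
    """Standard DMARC: pass if aligned SPF is 'pass' OR an aligned DKIM
    signature verifies. require_both=True is the proposed stricter mode."""
    spf_ok = spf == "pass"
    if require_both:
        return "pass" if spf_ok and dkim_aligned_pass else "fail"
    return "pass" if spf_ok or dkim_aligned_pass else "fail"

def compare_modes():
    """Run the thread's scenarios under both modes; returns
    name -> (spf result, standard DMARC, require-both DMARC)."""
    cases = {                                  # (client IP, aligned DKIM passes?)
        "bank's own server, unsigned":   ("22.22.22.22",   False),
        "via Frontbridge, DKIM-signed":  ("157.55.158.10", True),
        "forwarded copy, DKIM intact":   ("203.0.113.5",   True),   # constructed IP
        "spoofer, no DKIM":              ("198.51.100.7",  False),  # constructed IP
    }
    out = {}
    for name, (ip, dkim) in cases.items():
        spf = spf_result(SPF_RECORD, ip)
        out[name] = (spf, dmarc_result(spf, dkim), dmarc_result(spf, dkim, True))
    return out

if __name__ == "__main__":
    for name, (spf, either, both) in compare_modes().items():
        print(f"{name:32} spf={spf:8} either={either:4} both={both}")
```

Note that under the "require both" rule the Frontbridge case fails as well, because `?` yields neutral, not pass; the bank would have to mark those shared ranges `+`, at which point any other tenant of the same ranges passes SPF, which is exactly the gap the mandatory DKIM check is meant to close.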


-----Original Message-----
From: dmarc-bounces@ietf.org [mailto:dmarc-bounces@ietf.org] On Behalf Of John Levine
Sent: Monday, April 01, 2013 4:02 PM
To: dmarc@ietf.org
Cc: dcrocker@gmail.com
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

>If I understand your note correctly, the problem that you cite with 
>this is that Forefront doesn't know all of the acceptable domains for a 
>given customer.  Wouldn't it make more sense to fix this issue, rather 
>than change the public standard and burden all recipients with the 
>added complexity in software and operations?

That's also a good idea.  

It'd make sense to change the SPF records now, then if they can fix the internal systems so that they have the domains on injected mail under control, they could change the SPF back to make stronger assertions.


