Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Jan Dušátko <jan@dusatko.org> Sat, 24 June 2023 19:01 UTC

Message-ID: <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org>
Date: Sat, 24 Jun 2023 21:00:45 +0200
To: dmarc@ietf.org
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net>
From: Jan Dušátko <jan@dusatko.org>
In-Reply-To: <6495D504.4090809@isdg.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/1b24TYZWCjHe-YmGfd53OQx8974>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Hector,
I think Levine's original suggestion to use a setting option like SPF AND DKIM, SPF OR DKIM, SPF only, DKIM only is excellent. It could solve a lot of problems. System administrators know best how to set up their system and for what purposes they need that setting. I can imagine a great many reasons for and against those combinations. What seems to me to be important here is that DMARC is able to use policies to solve not only common but also error states. In that case, it is able to successfully solve the problems caused by the attackers.

Jan

On 23. 6. 2023 at 19:23, Hector Santos wrote:
> Levine makes a good point. A less complex option would be:
>
> auth=dkim   # apply dkim only, ignore spf, dkim failure is dmarc=fail
> auth=spf    # apply spf only, ignore dkim, spf failure is dmarc=fail
>
> The default auth=dkim,spf SHOULD NOT be explicitly required. It adds no additional security value. I would like to note that some DNS Zone Managers with DMARC record support will add the complete tags available for the protocol with the default conditions, making the record look more complex than it really is.
>
> Other system integration options would be (forgive me for I have sinned):
>
> atps=1     # we support ATPS protocol for 3rd party signer.
> rewrite=1  # we are perfectly fine with Author Rewrite
>
>
> -- 
> HLS
>
> On 6/22/2023 10:18 PM, John Levine wrote:
>> It appears that Emil Gustafsson <emgu@google.com> said:
>>> I don't know if there is a better way to encode that, but I'm supportive of making a change that would allow domains to tell us (gmail) that they prefer us to require both dkim and spf for DMARC evaluation (or whatever combination of DKIM and SPF they desire).
>> I really don't understand what problem this solves. More likely people
>> will see blog posts telling them auth=dkim+spf is "more secure",
>> they'll add that without understanding what it means, and all that
>> will happen is that more of their legit mail will disappear.
>>
>> If you're worried about DKIM replay attacks, let's fix that rather
>> than trying to use SPF, which as we know has all sorts of problems of
>> its own, as a band-aid.
>>
>> R's,
>> John
>>
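The auth= options argued over in this thread, worked through as an added example (not code from any participant, nor from any DMARC implementation): a small Python evaluator that applies RFC 7489 identifier alignment and then interprets a hypothetical auth= tag, where auth=dkim or auth=spf consult one mechanism only, the default auth=dkim,spf passes on either aligned result as DMARC does today, and auth=dkim+spf requires both. The tag itself, the '+' versus ',' syntax and the two-label organizational-domain rule are assumptions of this example, and the sample inputs are constructed. The demo at the end shows Levine's caveat: a forwarded message that fails SPF but carries an aligned DKIM pass is accepted under the default record and rejected once auth=dkim+spf is published.

```python
# Added example: DMARC evaluation under a hypothetical auth= tag.
# The auth= tag, its '+' / ',' syntax and the two-label organizational-domain
# rule are assumptions of this example, not part of RFC 7489 or any draft.


def organizational_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.

    Real implementations consult the Public Suffix List (RFC 7489 s.3.2);
    the two-label rule is a simplification assumed for this example.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 s.3.1): 's' exact match, 'r' same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc_record(txt: str) -> dict:
    """Parse a 'tag=value; tag=value' DMARC TXT record into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def required_mechanisms(tags: dict) -> tuple:
    """Interpret the hypothetical auth= tag.

    'dkim' or 'spf'       -> only that mechanism is consulted
    'dkim,spf' (default)  -> either aligned pass suffices (current RFC 7489 rule)
    'dkim+spf'            -> both must pass (the 'require both' variant)
    Returns (set of mechanisms, both_required).
    """
    value = tags.get("auth", "dkim,spf").lower()
    both_required = "+" in value
    mechs = {m.strip() for m in value.replace("+", ",").split(",") if m.strip()}
    unknown = mechs - {"dkim", "spf"}
    if unknown:
        raise ValueError(f"unknown auth mechanism(s): {sorted(unknown)}")
    return mechs, both_required


def evaluate_dmarc(from_domain: str, record_txt: str, spf_result: str,
                   spf_domain: str, dkim_results: list) -> tuple:
    """Return (dmarc_result, disposition) for one message.

    spf_result / spf_domain: the SPF verdict and the domain SPF was checked on
    dkim_results: [(result, d= domain), ...] for every verified signature
    """
    tags = parse_dmarc_record(record_txt)
    mechs, both_required = required_mechanisms(tags)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for res, d in dkim_results)
    outcome = {"dkim": dkim_ok, "spf": spf_ok}
    verdicts = [outcome[m] for m in mechs]
    passed = all(verdicts) if both_required else any(verdicts)
    # A DMARC pass means the requested policy is not applied (disposition none).
    disposition = "none" if passed else tags.get("p", "none")
    return ("pass" if passed else "fail"), disposition


def forwarded_mail_demo() -> dict:
    """Constructed scenario: mail from example.org relayed by a forwarder.

    SPF fails (the forwarder's IP is not in example.org's SPF record) while the
    original DKIM signature (d=example.org) survives and passes.
    """
    spf = ("fail", "forwarder.example")
    dkim = [("pass", "example.org")]
    records = {
        "default": "v=DMARC1; p=reject",
        "dkim+spf": "v=DMARC1; p=reject; auth=dkim+spf",
        "dkim": "v=DMARC1; p=reject; auth=dkim",
        "spf": "v=DMARC1; p=reject; auth=spf",
    }
    return {name: evaluate_dmarc("example.org", rec, spf[0], spf[1], dkim)
            for name, rec in records.items()}


if __name__ == "__main__":
    for name, (result, disposition) in forwarded_mail_demo().items():
        print(f"{name:9s} -> dmarc={result}, disposition={disposition}")
```

The demo makes the trade-off concrete: auth=dkim and the default let the forwarded message through on its aligned DKIM pass, while auth=spf and auth=dkim+spf turn a routine forwarding path into a rejected message, which is the loss of legitimate mail Levine warns about.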