Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Hector Santos <hsantos@isdg.net> Fri, 23 June 2023 19:59 UTC

From: Hector Santos <hsantos@isdg.net>
In-Reply-To: <c1b091c1-86a9-d3e3-5fcb-0b8d7d33fcf2@taugh.com>
Date: Fri, 23 Jun 2023 15:59:08 -0400
Cc: Emanuel Schorsch <emschorsch@google.com>, IETF DMARC WG <dmarc@ietf.org>, emgu@google.com
Content-Transfer-Encoding: quoted-printable
Message-Id: <B54AE6C3-BB99-4458-85B1-95CDA4A5B612@isdg.net>
References: <CABZJ8kmg75qo70V-N65b6C4w+g7gX0ehv3CsqG-765BbBGcn=A@mail.gmail.com> <20230623021810.E5F8DF9B3B94@ary.qy> <CAFcYR_WY8MEag7sup_7DnmzRuZJ7zeyJT6TATL45wCKBrsF3UQ@mail.gmail.com> <bfbe77ad-8aba-d803-de06-d734a177066b@taugh.com> <CAFcYR_U=qW0k5EC2_y+B1roXK91uzscT+vS5Y7jrNkG1bTxw5Q@mail.gmail.com> <c1b091c1-86a9-d3e3-5fcb-0b8d7d33fcf2@taugh.com>
To: John R Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3BtL5A52ROc42Dd7h34ep4vQtgw>

On Jun 23, 2023, at 1:54 PM, John R Levine <johnl@taugh.com> wrote:
> 
>> My understanding is that if `auth=dkim` then SPF would be ignored from the
>> perspective of DMARC. So if a receiver sees DKIM is not DMARC aligned and
>> only SPF is DMARC aligned then it would still be treated as a DMARC fail.
> 
> That's my understanding.
> 
>> It would be a way for senders to say "yes I checked that all my DKIM
>> signatures are working and aligned, I don't need you to look at SPF and
>> don't want to have the risk of SPF Upgrades."
> 
> So why do you publish an SPF record?  Presumably so someone will accept your mail who wouldn't otherwise, except you just said they shouldn't. Still not making sense to me.

I believe because the domain may still want the restrictive SPF -ALL and DMARC p=reject or p=quarantine for normal direct messages, but they recognize users will be contacting people where an SPF check will fail due to a forward.

If you remove the SPF record or weaken it with ~ALL or ?ALL, then it weakens the majority of non-forwarded direct transactions. The proposed tag `auth=dkim` will indicate to Gmail that SPF failing is OK as long as the first-party DKIM signature is still intact. It’s weaker but would be less problematic than it is today.

Today, we can modify the return path for the forward, or not allow forwarding and make the (Gmail) user pick up the mail via POP3/IMAP. No forwarding.

—
HLS
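The `auth=dkim` semantics described in this thread, as an added example that is not code from any of the participants or from a real DMARC evaluator: the `auth=` tag is a proposal under discussion, not a tag in RFC 7489, and the organizational-domain shortcut and all sample domains are constructed assumptions.

```python
# Added example modelling the proposed DMARC `auth=dkim` tag from this thread;
# not code from the thread or from any DMARC implementation.
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels.
    Real evaluators use the Public Suffix List; this shortcut is an
    assumption made to keep the example self-contained."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(d1: str, d2: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) compares organizational domains."""
    if mode == "s":
        return d1.lower().rstrip(".") == d2.lower().rstrip(".")
    return org_domain(d1) == org_domain(d2)


@dataclass
class AuthResults:
    from_domain: str        # RFC5322.From domain, the identifier DMARC protects
    spf_result: str         # 'pass' / 'fail' / 'none' (constructed sample input)
    spf_domain: str         # RFC5321.MailFrom domain that SPF was checked on
    dkim_passes: list = field(default_factory=list)  # d= of verified signatures


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; auth=dkim' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_evaluate(record: str, r: AuthResults) -> str:
    """Return 'pass' or 'fail'. With auth=dkim, SPF is never consulted, so a
    message whose only aligned identifier comes from SPF fails (the 'SPF
    upgrade' case); without it, aligned DKIM or aligned SPF both pass."""
    tags = parse_dmarc(record)
    adkim, aspf = tags.get("adkim", "r"), tags.get("aspf", "r")
    dkim_ok = any(aligned(d, r.from_domain, adkim) for d in r.dkim_passes)
    if tags.get("auth") == "dkim":
        return "pass" if dkim_ok else "fail"
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    return "pass" if (dkim_ok or spf_ok) else "fail"
```

The forwarded-message case (SPF fails at the forwarder, aligned DKIM survives) passes under both records, while a message that is aligned only through SPF passes under plain DMARC but fails once `auth=dkim` is published.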