Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Jesse Thompson <zjt@fastmail.com> Sat, 10 June 2023 20:51 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/3Hyo9REHnCEbJBfG_u-H_VmOYuk>

On Sat, Jun 10, 2023, at 12:50 AM, Barry Leiba wrote:
> Are there working group participants who can do this sort of
> evaluation, not just giving numbers but also analyzing why DKIM
> failures happened when they should not have?

As primarily an outbound ESP, we don't have access to relevant inbound logs, nor DMARC reports for customer domains, so our awareness of this issue is dependent on being told.

That said, at MAAWG we were made aware of an edge case which is resulting in DKIM failures. Presumably, unknown bugs like this are inflating the numbers to support the "pro keeping SPF in DMARC" argument.

I typically advise customers that DKIM (CNAMEs with managed rotation) is enough. But that's speaking as a sender that supports DKIM. I suppose that some senders still aren't willing to implement DKIM today.

Jesse