Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 22 June 2023 14:45 UTC

From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 22 Jun 2023 10:45:31 -0400
Message-ID: <CAH48ZfyW=xVKg+oL1En=yAXjLm2HJ9Q=duR8=etjqeYNd9iUdw@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/4UupQnBUYsbMEX6A-Xx8oKZk6FA>

How about this!

p=none or quarantine trusts SPF and DKIM, but p=reject trusts DKIM only.

This option addresses Google's desire for a strict rule to protect the most
aggressively attacked domains, while leaving flexibility for those who want
it.

DF

On Thu, Jun 22, 2023, 9:55 AM Scott Kitterman <sklist@kitterman.com> wrote:

> My conclusion (it won't surprise you to learn) from this thread is precisely
> the opposite.
>
> In theory, DKIM is enough for DMARC (this was always true), but in practice it
> is not.
>
> I don't think there's evidence of a systemic weakness in the protocol. We've
> seen evidence of poor deployment of the protocol for SPF, but I think the
> solution is to fix that (see the separate thread on data hygiene).
>
> Scott K
>
> On Thursday, June 22, 2023 9:46:07 AM EDT Sebastiaan de Vos wrote:
> > It's not easy to set a DKIM key, I can agree with that. I do think,
> > Marty should have tested before sending, though.
> >
> > None of this, however, solves the issue of SPF weakening the DMARC
> > standard. The weakness in SPF is not incidental, but systematic. That is
> > - independent of the numbers - the reason why I vote to have SPF removed
> > from the DMARC standard.
> >
> > On 22.06.23 15:31, Todd Herr wrote:
> > > When we look at the numbers others have posted on the topic, and we
> > > see a perhaps higher than expected percentage of DMARC passes that
> > > relied on SPF only (or at least a higher than expected rate of DKIM
> > > failures) I'd posit that many of those DKIM failures are due to the
> > > challenges that Marty and people like them face with getting the key
> > > published.
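The rule proposed at the top of this message, set beside current DMARC evaluation (pass when either aligned SPF or aligned DKIM passes), as an added example that is not part of the thread or of any DMARC draft. The `org_domain` helper is a last-two-labels simplification (a real evaluator uses the Public Suffix List or a DNS tree walk), and the sample messages are constructed.

```python
from dataclasses import dataclass

@dataclass
class AuthResult:
    from_domain: str           # RFC5322.From domain
    spf_pass: bool             # SPF verdict for the RFC5321.MailFrom domain
    spf_domain: str            # RFC5321.MailFrom domain
    dkim_pass_domains: tuple   # d= of every signature that verified

def org_domain(domain):
    # Assumption: organizational domain = last two labels (simplified).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if strict else org_domain(a) == org_domain(f)

def dmarc_pass(msg, policy, proposed, aspf="r", adkim="r"):
    dkim_ok = any(aligned(d, msg.from_domain, adkim == "s")
                  for d in msg.dkim_pass_domains)
    spf_ok = msg.spf_pass and aligned(msg.spf_domain, msg.from_domain,
                                      aspf == "s")
    if proposed and policy == "reject":
        return dkim_ok             # proposed rule: p=reject trusts DKIM only
    return dkim_ok or spf_ok       # current rule, and proposed p=none/quarantine

def disposition(msg, policy, proposed):
    # "deliver" on pass; otherwise the published policy is the requested action.
    return "deliver" if dmarc_pass(msg, policy, proposed) else policy

# Constructed samples: a sender whose DKIM key is not published yet
# (SPF-only pass), a sender passing both, and mail authenticated only
# under an unrelated third-party domain.
SPF_ONLY = AuthResult("example.com", True, "bounce.example.com", ())
BOTH = AuthResult("example.com", True, "example.com", ("mail.example.com",))
UNALIGNED = AuthResult("example.com", True, "esp.example.net",
                       ("esp.example.net",))

if __name__ == "__main__":
    for name, msg in [("spf-only", SPF_ONLY), ("both", BOTH),
                      ("unaligned", UNALIGNED)]:
        for policy in ("none", "quarantine", "reject"):
            print(f"{name:10} p={policy:10} "
                  f"current={disposition(msg, policy, False):10} "
                  f"proposed={disposition(msg, policy, True)}")
```

The only row that differs between the two columns is SPF-only mail under `p=reject`, which is the population Todd Herr's quoted message attributes to senders who have trouble publishing a DKIM key.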