Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Scott Kitterman <sklist@kitterman.com> Tue, 02 April 2013 01:08 UTC
Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1243C11E811B for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 18:08:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8KeDoj8Mq53z for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 18:08:45 -0700 (PDT)
Received: from mailout02.controlledmail.com (mailout02.controlledmail.com [72.81.252.18]) by ietfa.amsl.com (Postfix) with ESMTP id 6DEF511E811A for <dmarc@ietf.org>; Mon, 1 Apr 2013 18:08:44 -0700 (PDT)
Received: from mailout02.controlledmail.com (localhost [127.0.0.1]) by mailout02.controlledmail.com (Postfix) with ESMTP id 8092220E40D5; Mon, 1 Apr 2013 21:08:43 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=kitterman.com; s=2007-00; t=1364864923; bh=FCn4DWvxv2VVOXyd7rLIkz/wJLOIzNuEhYJUUNaFqcA=; h=From:To:Subject:Date:In-Reply-To:References:From; b=c1K1HKypmTn6F0PG6JU2cmoTA73mamyo9fQFo5HHUjwIRsbTKuoL48IdX4Jl7B2eP v8Eg7ta/utNxClSYBu9rmpM/M9n3UrQaR4QyhwCaMWtEd23x2ritCxfSZxQZpRrliu MJlZjUiLLHaucKDUcrqLm9FahLIYEjjCuSzfRF38=
Received: from scott-latitude-e6320.localnet (static-72-81-252-21.bltmmd.fios.verizon.net [72.81.252.21]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mailout02.controlledmail.com (Postfix) with ESMTPSA id 51DD820E4090; Mon, 1 Apr 2013 21:08:42 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Mon, 01 Apr 2013 21:08:42 -0400
Message-ID: <3458691.6JUdcXG44l@scott-latitude-e6320>
User-Agent: KMail/4.9.5 (Linux/3.5.0-26-generic; KDE/4.9.5; i686; ; )
In-Reply-To: <A633CECE8D6642D7A5C2B99C5AF5BC92@fgsr.local>
References: <77426B543150464AA3F30DF1A91365DE52EA0C4E@ESV4-MBX01.linkedin.biz> <A633CECE8D6642D7A5C2B99C5AF5BC92@fgsr.local>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-AV-Checked: ClamAV using ClamSMTP
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 01:08:49 -0000
On Tuesday, April 02, 2013 02:26:01 AM J. Gomez wrote: > On Tuesday, April 02, 2013 1:28 AM [GMT+1=CET], Franck Martin wrote: > > On 4/1/13 4:15 PM, "J. Gomez" <jgomez@seryrich.com> wrote: > >> On Monday, April 01, 2013 11:15 PM [GMT+1=CET], Terry Zink wrote: > >>> I am proposing an extension to DMARC. Whereas today DMARC requires > >>> one of a DKIM pass or SPF pass, I propose we extend DMARC so that is > >>> has the *option* to require both. > >>> > >>> (...) > >>> > >>> Let's assume that BigBank.com has been dutiful and has published a > >>> DMARC record. The problem occurs when Learning.edu gets compromised > >>> and starts sending out spam. If a user starts sending out spam from > >>> joe@learning.edu, we can detect this and shut it down. But what > >>> happens if they start sending out mail as security@bigbank.com? > >>> > >>> example.com ------------+ > >>> > >>> BigBank.com ------------+----> Microsoft Forefront IPs ----> > >>> > >>> Internet | > >>> > >>> Learning.edu | > >>> > >>> security@bigbank.com --+ > >>> > >>> (...) > >>> > >>> Extending DMARC this way lets brands/domains protect their outbound > >>> reputation behind a shared service without worrying whether or not > >>> some other customer will spoof them. > >>> > >>> Make sense? > >> > >> I does make sense. I also like the explanation in your blog: > >> > >> http://blogs.msdn.com/b/tzink/archive/2012/10/18/how-should-large-financi > >> a > >> l-institutions-use-hosted-filtering.aspx > >> > >> In a multitenant cloud environment, and/or when you are giving > >> customers a MTA-smarthost service to gateway their mail to the > >> Internet, you cannot be sure that they will always be signing their > >> email with DKIM, and you usually will not have their private DKIM > >> keys to sign their email yourself as it flows through the smarthost > >> towards the Internet, so taking the DMARC oportunity to close this > >> hole in SPF is golden. > > > > Google apps, send grid, messagebus, (and many other ESPs) do not have > > problem to create a DKIM key for each customer, to sign the emails > > that pass through them. We used to have open-relays because they were > > easy to setup/manage, but we moved away from them because they were > > insecure. > > If your worry is moving away from insecure, then Terry Zink's proposal is > just making DMARC more secure, as it is raising the bar on the mechanisms > that have (optionally) to concur to obtain a DMARC-pass. > > Apart from that, you would need to control your client's DNS to sign their > DKIM in their behalf, and that only works with very small clients which > lack in-house technical people and outsource the whole thing to you. But if > you want to have clients of medium size which gateway their mail to the > Internet through your cloud service, good luck getting their technical > people to surrender their administrative control of their DNS to you. Not true at all. I've done this many times where the domain owner publishes a CNAME to the relevant DNS entry in the provider's DNS. That way the provider can manage the specifics/use their own private key (for DKIM) without any zone delegation being required. Scott K
- [dmarc-ietf] Proposing an extension to DMARC to o… Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Dave Crocker
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Murray S. Kucherawy
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Tim Draegen