Re: [dmarc-ietf] DMARCbis WGLC - Issue 141 DMARC and What To Say About SPF -all

Scott Kitterman <sklist@kitterman.com> Mon, 08 April 2024 01:20 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32719C14F618 for <dmarc@ietfa.amsl.com>; Sun, 7 Apr 2024 18:20:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="ElkNgEYD"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="XoyeEywB"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uznTNrH0ICVo for <dmarc@ietfa.amsl.com>; Sun, 7 Apr 2024 18:20:24 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 429FEC14F60A for <dmarc@ietf.org>; Sun, 7 Apr 2024 18:20:24 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id E7BBAF8023A; Sun, 7 Apr 2024 21:20:13 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1712539193; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=s8DWurSfY4jdT7lXrmbPBGzu2IosLXsHZVJ/07WCF6A=; b=ElkNgEYDIR2DHN573nN3pE4FqwnQqqvDDpQycmhD5kTPOAVSuQ+ehz+H8Bgwp/jasFGrj bBG6oRJSgWx76LMDg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1712539193; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=s8DWurSfY4jdT7lXrmbPBGzu2IosLXsHZVJ/07WCF6A=; b=XoyeEywBkhzG5kS+BrRnqeih1t+suP4lYm/wvDk4S0Cs3VOdxyuHK7Mlt7D2cXFYHLz4k 9Bp9tpHC0Tk9yh8AOifGmQAkuJa6T8tiQByaL4Sr4GgWDW0Q0Mi2cYADpO2+do8Ahd1CJPQ SEHTsypdTZxABTKlki6NLEpXOuy9S2d1Px6lkuA7gQqIQy2H7rjc4gHve7FTQRtWm/oDR8k WS/kSQ7eraHxH0/qcRlCwlH/sSxAkcLY+bLIvRBSdwhdT0YN3TCiXp7FdLpxE4T9BJ5aKNB 0pCY5qNqaSBSFwgQ1EeFYrxPtrfMGUvLj2LY9JdYnXFDwojVA3AQr+MQnCVg==
Received: from [127.0.0.1] (mobile-166-170-30-13.mycingular.net [166.170.30.13]) by interserver.kitterman.com (Postfix) with ESMTPSA id B0222F801E0; Sun, 7 Apr 2024 21:19:52 -0400 (EDT)
Date: Mon, 08 Apr 2024 01:19:45 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <B20A0399-1AF8-4A5F-8D55-7F156A366637@marmot-tech.com>
References: <57C20A88-5461-4BA4-9597-1D138B71EF24@marmot-tech.com> <B20A0399-1AF8-4A5F-8D55-7F156A366637@marmot-tech.com>
Message-ID: <B7EEBAF7-F42E-40B3-B8A6-A815D92732C4@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/5QDlwJi07HE98VGLWk4ScFveWzw>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 141 DMARC and What To Say About SPF -all
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 01:20:29 -0000


On April 8, 2024 1:02:53 AM UTC, Neil Anuskiewicz <neil=40marmot-tech.com@dmarc.ietf.org> wrote:
>
>
>> On Apr 7, 2024, at 7:00 AM, Neil Anuskiewicz <neil@marmot-tech.com> wrote:
>> 
>> 
>> 
>>> On Apr 7, 2024, at 6:54 AM, Tero Kivinen <kivinen@iki.fi> wrote:
>>> 
>>> Scott Kitterman writes:
>>>> I hear you. Your operational issue is my system working as designed.
>>>> DMARC works on top of SPF, it doesn't change it.
>>> 
>>> Yes, DMARC works on top of SPF, and DKIM and provides policy layer. We
>>> are trying to change the fact that people rely purely on SPF, and try
>>> to get them moved to use DMARC instead, and we are trying to explain
>>> that if you do SPF inside the DMARC context, you get exactly same
>>> policy results you get as when you do SPF before, except you get it
>>> better, as you have more data available. Using -all would be
>>> completely ok if everybody would be doing DMARC, but as there are some
>>> systems which do SPF outside DMARC, and there having -all might
>>> shortcircuit DMARC out from the equation, we should provide guidance
>>> to those people how they can get best results in current environment.
>>> Thus the best current practice should be to use ~all instead of
>>> -all if you are trying to use DMARC, and want other systems to
>>> actually act based on your DMARC policy.
>
>The problem I see is that some receivers never got the memo and still enforce just on an SPF hard fail which only creates fear, uncertainty, doubt, and annoyance.


If there's FUD, it's due to claiming it is a significant problem for DMARC.  Everyone has a different mail stream, so YMMV, but in my experience this is approximately never an issue.  This is only even potentially an issue when Mail From is aligned and the SPF result is fail.  I don't recall the last time I saw that happen for a message that also passed DKIM (and d= was aligned).

What is the overwhelming case for me is Mail From is not aligned (like this mailing list) and SPF is pass, none, neutral, etc.  Even if the receiver rejects SPF fail, it almost never comes up.  Then the DMARC result is a function of the DKIM signature verifying and being aligned.  The fact that my domain has a -all SPF record virtually never matters for DMARC.

So let's move on...

Scott K
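The evaluation the message above describes, as an added worked example (not part of the original message, and not IETF or DMARCbis reference code): a minimal model of DMARC identifier alignment, with a second receiver that rejects on SPF hard fail before DMARC ever runs, which is the short-circuit the thread is arguing about. It assumes the organizational domain is the last two labels (a real evaluator uses the Public Suffix List); the four message scenarios are constructed to mirror the cases discussed: direct delivery, plain forwarding, a mailing list that rewrites Mail From, and the same list with a broken author DKIM signature.

```python
# Added example (not part of the original message or any IETF code): a minimal
# model of DMARC identifier alignment, used to show why a -all SPF record
# rarely changes the DMARC verdict once an aligned DKIM signature verifies.
# Assumptions: the organizational domain is approximated by the last two labels
# (a real evaluator uses the Public Suffix List), and all sample messages below
# are constructed to mirror the scenarios discussed in the thread.
from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (assumption)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment compares organizational domains; strict ('s') requires equality."""
    a, b = identifier_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    from_domain: str            # RFC5322.From domain, the identifier DMARC protects
    mail_from_domain: str       # RFC5321.MailFrom domain that SPF checked
    spf_result: str             # pass / fail / softfail / neutral / none / ...
    dkim: list = field(default_factory=list)  # (d= domain, verification result) pairs


def dmarc_evaluate(r: AuthResults, aspf: str = "r", adkim: str = "r") -> str:
    """DMARC passes if either authenticated identifier aligns with RFC5322.From."""
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, aspf)
    dkim_ok = any(res == "pass" and aligned(d, r.from_domain, adkim) for d, res in r.dkim)
    return "pass" if (spf_ok or dkim_ok) else "fail"


def receiver_verdict(r: AuthResults, spf_fail_rejects_first: bool) -> str:
    """Two receiver behaviours: DMARC-only, or an SPF hard-fail reject that
    runs before DMARC and therefore short-circuits it (the concern in the thread)."""
    if spf_fail_rejects_first and r.spf_result == "fail":
        return "rejected on SPF fail before DMARC ran"
    return "dmarc=" + dmarc_evaluate(r)


# Constructed scenarios for a sending domain that publishes "v=spf1 ... -all".
SCENARIOS = {
    # Direct delivery: everything passes, -all never comes into play.
    "direct": AuthResults("kitterman.com", "kitterman.com", "pass",
                          [("kitterman.com", "pass")]),
    # Plain forwarding: Mail From is still aligned, so -all yields SPF fail,
    # but the aligned DKIM signature survives.  This is the only case where an
    # SPF-first receiver and a DMARC receiver disagree.
    "forwarded": AuthResults("kitterman.com", "kitterman.com", "fail",
                             [("kitterman.com", "pass")]),
    # Mailing list: the list rewrites Mail From to its own bounce domain, so SPF
    # is evaluated against the list (pass) and is not aligned anyway; the DMARC
    # result rests entirely on the aligned DKIM signature.
    "mailing_list": AuthResults("kitterman.com", "ietf.org", "pass",
                                [("kitterman.com", "pass")]),
    # Same list, but the list modified the body and broke the author signature;
    # the list's own signature passes but does not align with the From domain.
    "mailing_list_dkim_broken": AuthResults("kitterman.com", "ietf.org", "pass",
                                            [("kitterman.com", "fail"), ("ietf.org", "pass")]),
}


def run_all() -> dict:
    """Return {scenario: (DMARC-only verdict, SPF-first verdict)} for every scenario."""
    return {name: (receiver_verdict(r, False), receiver_verdict(r, True))
            for name, r in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (dmarc_only, spf_first) in run_all().items():
        print(f"{name:26s} DMARC-only: {dmarc_only:12s} SPF-first: {spf_first}")
```

Running it shows the split the message describes: only the "forwarded" scenario (Mail From aligned, SPF fail, DKIM aligned and passing) produces different verdicts between the two receivers; in the mailing-list scenario the -all record is irrelevant because SPF was never evaluated against the author's domain, and the outcome is decided by whether the aligned DKIM signature survived the list.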