IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Todd Herr <todd.herr@valimail.com> Wed, 21 June 2023 13:37 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7904C151520 for <dmarc@ietfa.amsl.com>; Wed, 21 Jun 2023 06:37:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.596
X-Spam-Level:
X-Spam-Status: No, score=-1.596 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dVAmUzlxolJy for <dmarc@ietfa.amsl.com>; Wed, 21 Jun 2023 06:37:01 -0700 (PDT)
Received: from mail-pj1-x102e.google.com (mail-pj1-x102e.google.com [IPv6:2607:f8b0:4864:20::102e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1B00C151072 for <dmarc@ietf.org>; Wed, 21 Jun 2023 06:37:01 -0700 (PDT)
Received: by mail-pj1-x102e.google.com with SMTP id 98e67ed59e1d1-25eb3db3004so2737768a91.0 for <dmarc@ietf.org>; Wed, 21 Jun 2023 06:37:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1687354621; x=1689946621; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=rF+4DJWBazYQ+ZicpqPVChTYSg05H3eV7Y7pSDJpRG8=; b=ZcOQzH2O4mOL73tbYfIN1uoo8ZHHPxI5zD7gnVKbOkUIHm0Df3x0HI36VzBfT5U6ur W12rI4v249rfFMNj5SJs+zKEca3k98oQAVonA8IELixRr51p4GxMpRfr+5xkHiCYHDIE X35n6ECM0RbKgVWmIFqW6bo5M8CEaIyTPJscUvlt7mHbIeCpA0lcbCoQMb0AKcIzr7k3 NkN2P8EPYQBZI9A3W8/XPpCGWip33U1KSKRddD1EDhHKuyXHwx1KdcymKfvzvcP6kYCE nKb0U9CE90bMQU1MPfye1yNwFsCSWOWuMESMpZKi+TGTulBVOq+Q0jeduOVCxld29RTl VHmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687354621; x=1689946621; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=rF+4DJWBazYQ+ZicpqPVChTYSg05H3eV7Y7pSDJpRG8=; b=WtqTqu67yxTmFYDqzrbg6fY5AUHLJbK8jevlbN+k1ZpZTsx3bHGURISnOhZp2vtLth KSW97I0SVhROG/YHO+Q5diCzS/xs0qQc0wqh6V4SXIt6K6qidjdNlFVb7BRwSfR0qmJ9 C1C5yo3uH6lJlUfJSfiroOw5h2C6N8H4jd9WuN9TiHGc0owGY++T5jOaWE+uTe4IRmZm P9z40MutO5rI3FJO1rNbhWnAteLaEmmPl1WnlvVbkkvvZLakMgTQw9TRqpbV7k1ed3zj 9qMfnkQ4nIJ7IgCdYT32tWN+vstFNEto6zhu2UJtORFzQ6U0PFD3O4hsq7Awcbck4VnZ 8b3A==
X-Gm-Message-State: AC+VfDwRz+g1tOJtArx/FLs/nugYN29e5j4KPae4QkfMfUoJUlX2IbRl VaDRXdgXsFXaKHfvF/pLFRZqVWw5xFLk1U2HDxPbSRF0GQ/fBuoknDs=
X-Google-Smtp-Source: ACHHUZ60G97aB8BX0LOupwgopPUWp6EpDbPx7bJo/gX8TqCvZetO1LAIUxSHbL2z9UIowbUF9KqUQkPg+QeLv7BRObk=
X-Received: by 2002:a17:90a:ce04:b0:25b:fcbb:62ba with SMTP id f4-20020a17090ace0400b0025bfcbb62bamr9842894pju.45.1687354620447; Wed, 21 Jun 2023 06:37:00 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi> <1ec42959-977a-9ce0-907a-83a5eb2b6ef2@tana.it> <25739.5435.550786.601699@fireball.acr.fi> <25739.33240.127804.524371@fireball.acr.fi> <5d9a0b0f-8777-2494-d779-376c6ab8b37d@tana.it> <xtudkqv5sqxs4c2nnilna5lf4b266br4xwdjwoq4fdyjpgzjln@xdb5rldfeini> <3087d0fa-91b4-62b4-fc64-a705c7f0b672@taugh.com> <CAHej_8=VnOC1Pms2JKJYG=2Dqtp2nc9oe-j=aEmNfvGuNhvzZA@mail.gmail.com> <a9505fda-ed21-1fc6-adb6-f231225a1ceb@tana.it>
In-Reply-To: <a9505fda-ed21-1fc6-adb6-f231225a1ceb@tana.it>
From: Todd Herr <todd.herr@valimail.com>
Date: Wed, 21 Jun 2023 09:36:44 -0400
Message-ID: <CAHej_8nNGQR9Bm59dsu=XG7iBGyyW=SCh4=0cBM8NWodHyo6pQ@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c3293405fea3dc93"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/69Iunuv1aUa45jzLVDC1PJsnpmU>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jun 2023 13:37:06 -0000

On Wed, Jun 21, 2023 at 4:22 AM Alessandro Vesely <vesely@tana.it> wrote:

> On Tue 20/Jun/2023 15:40:11 +0200 Todd Herr wrote:
> >
> > I can't speak for Patrick, but I don't think he's necessarily thinking
> of
> > different encryption algorithms here.
> >
> > Not all who wish to have their email DKIM signed have the luxury that
> you
> > have John of full control of the DKIM signing process. I'm specifically
> > thinking of the entity (call them Marty Marketer) who has the authority
> to
> > employ a third party to send authenticated mail on behalf of a domain,
> mail
> > that the third party can and will DKIM sign using the entity's domain.
> > Sadly, Marty does not have the authority to update DNS for that domain
> in
> > order to publish a DKIM public key. This leads to challenges as the
> third
> > party presents to Marty a public key to publish, and Marty tries to
> figure
> > out to whom to pass along this information and in what format. This
> leads
> > to screen caps, or cutting and pasting errors, misdirected mail chains,
> > etc., etc.
> >
> > Is this the way it should be? Probably not, but it's a reality for many,
> > and it's a problem we don't as an industry have an answer for yet. If we
> > did, there wouldn't be people in the other thread reporting such a high
> > percentage of DKIM failures due to malformed/missing keys.
> >
> > Now, of course we could argue that Marty shouldn't be left to their own
> > devices to engage third party senders, and that should solely be the
> > province of the IT staff that manages DNS, but I fear that the energy
> > required to type and distribute such words would be wasted.
>
>
> Creating more and more publishing mechanisms could reproduce the situation
> of
> SPF, whereby customers of the same third party can easily impersonate one
> another.
>
> DKIM signatures have to be created by MSAs upon user authentication.  MSAs
> which use smarthosts, IMHO, had better sign just the header fields they
> control
> rather than delegate signing.  Doesn't Marty have any option on that?
>
>
>
I'm afraid I've done a poor job of making my point, as it seems that you
haven't understood what I was trying to say. Let me try again.

The scenario I'm describing here isn't referring to the actual DKIM signing
of any given message. Rather, I'm talking about the publication of the DKIM
public key in DNS to support the validation of signed mail.

In this scenario, Marty has hired a third party email service provider
(e.g., WeSendMail) to handle a class of bulk sending on behalf of Marty's
organization (e.g., WeSellStuff.com).

Marty wants WeSendMail to DKIM sign that mail using d=wesellstuff.com, and
WeSendMail can do that, so Marty clicks a button or whatever in the
WeSendMail UI to make that happen.

The UI pops up a screen that says "Please publish this TXT record in your
DNS", where the name is WSMWSSSelector._domainkey.wesellstuff.com and the
value is the DKIM public key. Marty doesn't control DNS for wesellstuff.com
.

Maybe Marty knows who does control DNS, and Marty is good at cutting and
pasting, and Marty can successfully communicate the request to the DNS
people for wesellstuff.com.

Maybe Marty has no clue who to engage, or maybe Marty misses a character in
the cutting and pasting, or maybe Marty just does a screen capture and the
DNS folks mess up something when transcribing the contents of the picture,
or...

Might something like Domain Connect (https://www.domainconnect.org/) solve
this? Sure, it could, and its website even describes a scenario identical
to what I'm trying to describe here. However, Domain Connect seems to be a
bit hand-wavy on the concept of authorization when it comes to making
changes to DNS zones, and in this scenario, Marty doesn't have those
credentials.

-- 

*Todd Herr * | Technical Director, Standards & Ecosystem
*e:* todd.herr@valimail.com
*p:* 703-220-4153
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email