Re: [dmarc-ietf] Signaling MLMs

[Neil Anuskiewicz <neil@marmot-tech.com>]

On Apr 15, 2023, at 7:52 AM, Hector Santos <hsantos=40isdg.net@dmarc.ietf.org> wrote:



On Apr 14, 2023, at 7:31 PM, Dotzero <dotzero@gmail.com> wrote:

On Fri, Apr 14, 2023 at 5:55 PM Hector Santos <hsantos@isdg.net> wrote:

Yes, it is simple DeMorgan’s Theorem where you use short-circuiting logic.

DMARC says that any FAIL calculated via SPF or DKIM is an overall DMARC failure.  In standard boolean logic is it an OR condition:

IF SPF FAILS or DKIM FAILS Then Reject.

You have it absolutely backwards.

DMARC says if either (aligned) SPF validates or (aligned) DKIM validates, it passes.

Hi Mike, 

Appreciate your comment. 

This OR gate logic will short-circuit DKIM with SPF validating.  Optimizing means not processing the payload and just issue a 250 which is ‘absolutely' not what we want. In fact, DMARC logic is an AND gate of two protocols; one standard, one informational with some controversial constraints (alignment).  I think you maybe meant:

SPF predates ADSP/DMARC. It is a 5321 level technology.  It is not a payload 5322 technology.   Interestingly, you might be thinking in terms of SenderID which was a 5322 technology which offers SPF with the PRA (5322.From) as a new identity to evaluate.  

I know it’s hard to believe for many but there is still a good percentage of domains that do not do ADSP or DMARC and maybe not even DKIM.  Just consider platforms using Integrated Mail Bots to automate things and they who don’t need the overhead. SPF is good enough.

Using Pareto, SPF is the only thing needed for hard reject policy (-ALL).  DMARC is useless at this point unless you want it to override SPF hardfail rejects and record and send reports,  That would be a local policy.  An implementation detail.

Over 88% of the time, when SPF fails, DKIM/ADSP/DMARC, if available would also fail.  So the payoff is high to short-circuit and lowered when you needless transfer a potential large and harmful payload.

But for SPF soft failures (~ALL), that is when the interest of coupling SPF soft fail results  with ADSP results got traction.  

SPF verifiers will pass SPF weaker policy results in meta-header data and that meant the payload protocol can help here.  Microsoft explored this method and had a secret source to determine how soft failures can be coupled with ADSP results. 

DMARC never considered partial results. DMARC see SPF as a pass not soft-fail.  So if DKIM passes and all four (4) domain identities are aligned, the transaction passes.  That’s an AND gate and you don’t need to even to process SPF or do DKIM validation if the domains do not align. 

Hector, respecfully, I disagree with several of your points.

* You seemes to be saying that when spf fails then usually dkim fails, too. I’ve seen first hand that’s nit true.

* you seemed to be placing too much weight on the value of spf hardfail. Even 10 years ago, few receivers rejected on an spf hardfail. Some do but it’s not at all reliable. DMARC is accepted by most as the new policy layer. It’s where policy should be handled. The OR logic is in part to get away from the policy layer that breaks fairly easily (e.g., forwarding). SPF is important but given a choice between authenticating with just aligned SPF or just aligned DKIM, I’d choose DKIM.

 

Could you provide a citation for the following claim:

 “Over 88% of the time, when SPF fails, DKIM/ADSP/DMARC, if available would also fail.  So the payoff is high to short-circuit and lowered when you needless transfer a potential large and harmful payload.”

I’m skeptical and I’d imagine some others are too so a cite would go a long way. Thanks.

Neil