Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Todd Herr <todd.herr@valimail.com> Thu, 22 June 2023 13:32 UTC

In-Reply-To: <2080c6e5-2b57-be82-995b-a0986c3a45c5@inboxsys.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Thu, 22 Jun 2023 09:31:54 -0400
Message-ID: <CAHej_8=7M=zJB2ENbnEQfRMfwEXDnGo61jHE_qQPTc0V9tFMdA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7CT_COvkpMbnI9_0H3U4cLibZaE>

On Thu, Jun 22, 2023 at 9:18 AM Sebastiaan de Vos <sebastiaan=40inboxsys.com@dmarc.ietf.org> wrote:

> In that case, if I understand correctly, Marty is sending his E-mail
> untested and unmonitored. Is that not Marty's problem, really? Where are we
> heading if we try to fix that problem?
>

You seem to be ascribing malice to Marty here where I intended no such
thing.

Marty has the right (as conveyed by their employer) to send mail using his
employer's domain, and Marty wants to do the right thing and have that
email sent with DKIM signatures that use the domain in the d= tag, thereby
allowing the domain to claim responsibility for the message.

Marty also has the right to engage a third party to send the mail (again,
as conveyed by their employer), mail that Marty and others at Marty's
company will create. The third party here is most commonly referred to, in
my experience, as an Email Service Provider (ESP), but this is just one use
case. The ESP knows how to DKIM sign messages, and can even do so using the
domain of Marty's employer, so long as Marty is able to get the public key
published in DNS.

It has been my experience that as the size of an organization grows, the
ability of Marty to get DNS records published and published correctly
becomes more challenging.

This is not a problem for the DMARC Working Group to solve, of course; I do
think it's a problem for the larger community to solve, and as I posted
up-thread, Domain Connect is one attempt to do just that. However, I do
think it's a problem that we must be aware of as we consider whether or not
to make a DKIM-aligned pass a requirement for a DMARC pass, as opposed to
its current state of optional, where it's needed only when an SPF-aligned
pass is not present.

When we look at the numbers others have posted on the topic, and we see a
perhaps higher than expected percentage of DMARC passes that relied on SPF
only (or at least a higher than expected rate of DKIM failures), I'd posit
that many of those DKIM failures are due to the challenges that Marty and
people like them face with getting the key published.

-- 

*Todd Herr* | Technical Director, Standards & Ecosystem
*e:* todd.herr@valimail.com
*p:* 703-220-4153
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.
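As an added example that is not part of this thread or of any implementation the participants mention: the DMARC verdict logic Todd describes (today a pass comes from either an SPF-aligned or a DKIM-aligned result; the proposal would require the DKIM-aligned pass), together with the derivation of the DNS name where an ESP's signing key for Marty's domain has to be published, from the d= and s= tags of a DKIM-Signature header. The function names, the simplified organizational-domain guess, and the sample header values are assumptions constructed for the example.

```python
"""Added example: DMARC verdict under the current rule versus the proposed
DKIM-required rule, and the DNS name a DKIM public key must live at."""
import re


def org_domain(domain):
    # Assumption: organizational domain is the last two labels. A real
    # verifier consults the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode="r"):
    # DMARC alignment: "s" (strict) needs an exact match, "r" (relaxed)
    # only needs the same organizational domain.
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def dmarc_verdict(from_domain, spf, dkim_sigs, require_dkim=False,
                  adkim="r", aspf="r"):
    """spf: (result, checked_domain) or None; dkim_sigs: list of
    (result, d_tag) pairs. Returns (verdict, mechanism that produced it).
    require_dkim=True models the proposal discussed in the thread."""
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, aspf))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, adkim)
                  for r, d in dkim_sigs)
    if dkim_ok:
        return "pass", "dkim"
    if spf_ok and not require_dkim:
        return "pass", "spf"          # the SPF-only pass the thread counts
    return "fail", "none"


def dkim_key_name(dkim_signature_header):
    """DNS TXT name holding the public key for a DKIM-Signature header:
    <s>._domainkey.<d> (RFC 6376). This is the record Marty must get
    published before the ESP's signature can verify."""
    flat = re.sub(r"\s+", "", dkim_signature_header)   # unfold the header
    tags = dict(re.findall(r"(\w+)=([^;]*)", flat))
    return f"{tags['s']}._domainkey.{tags['d']}"


# Constructed sample: key tags borrowed from the list mail's own header,
# signature values are placeholders.
SAMPLE_SIG = ("v=1; a=rsa-sha256; d=valimail.com; s=google2048;\n"
              " h=from:to:subject; bh=CONSTRUCTED=; b=CONSTRUCTED")

if __name__ == "__main__":
    esp_mail = dmarc_verdict("example.com", ("pass", "bounce.example.com"),
                             [("fail", "esp.example")])
    print(esp_mail, dmarc_verdict("example.com", ("pass", "bounce.example.com"),
                                  [("fail", "esp.example")], require_dkim=True))
    print(dkim_key_name(SAMPLE_SIG))
```

The first call models Marty's ESP mail before the key is published: it passes DMARC today on the SPF-aligned result alone and fails once a DKIM-aligned pass is mandatory.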