IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 16 June 2023 11:03 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3540EC151984 for <dmarc@ietfa.amsl.com>; Fri, 16 Jun 2023 04:03:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id if_C5K7E1ttx for <dmarc@ietfa.amsl.com>; Fri, 16 Jun 2023 04:03:00 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A5C8C14CE5F for <dmarc@ietf.org>; Fri, 16 Jun 2023 04:03:00 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2b4544200dcso7036231fa.1 for <dmarc@ietf.org>; Fri, 16 Jun 2023 04:03:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1686913378; x=1689505378; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=m6YwHsWX/v4yFX6Q+rK+Db/CLaAdAmOlko1+2rs40M4=; b=DADhkElY3kkWwmpKhamuWiLtmNeoxEYjaUtlyPiYVTedSc579/hPcF5ZE2ezebF503 BBh3wFzHloFaZJ0MLOO/SFRixJUwE5X9vKm1Lh8rPljM5sr1+Be/y4YrMc+HZ6Wm1aEE FEH70DItcUCDIpjS0oInpOoAanhOqXNsm9HwPyqg5vseTxeefWfeAs2z/bSTP5msN62w 9dLCYUjhv8CUrtHiQvS1/78HpSdvrz/IIF0jxuw9kPqCFEPBFz5VnOHXBJR1a2fGDfbQ 9GJv2WJaC+b93QhuBDyxd6t0ZoD4ZqKwepSJzKhYWGzDEqPcBQS9rUATuoXO/o2i/FL/ Sndg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686913378; x=1689505378; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=m6YwHsWX/v4yFX6Q+rK+Db/CLaAdAmOlko1+2rs40M4=; b=j3tlbv2d49uWzIC1fHiUw+O2Fq6r1CegxFgrFbiNqLzf+5ds7dJ6sW5qM7gbmkc2Ev OaEWsGYcTtXd/WRIR57iWvJJway/vxjoel7Meo7CmVGbzeEM9BeyYS+hIb9aWWjkHEw4 m7EeR3UhgXLoNVLHqQlF2YTVER+SpC0AxZ0+uzeCVtBD6RiuGfQG5buomH1RiXvbIRNv MX5be+28Bv5s8PZQYaaWPbMIB9Xsmw4ELvDmr5MiGjBMPomAD20NCnaUe7UXd1gSN1r3 hU1K6prgMccuYgcEBqd9w6TkZpolOCh7KQJYF7sBwH4QVSe8gMveye3d8Yhm7dTn/QzU GqKw==
X-Gm-Message-State: AC+VfDze0AYKLpu0MKMK4e66zjy8YBsuegiPQP/44IsmRIx5w/Fuxuig GMCo7ms93QhRE9PhH/L+O9ZmgreWCP5tGp7CIs7kA96V
X-Google-Smtp-Source: ACHHUZ4KddOt5S2lWnqAK77CfkM63X8qVLuZXq4OYXCrRkzltTOCLeNkRcwCejRiv9jC8tbK7OCpbQj4Z89NvpLqu7c=
X-Received: by 2002:a2e:b70a:0:b0:2b3:4eb9:246a with SMTP id j10-20020a2eb70a000000b002b34eb9246amr1518743ljo.25.1686913377663; Fri, 16 Jun 2023 04:02:57 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi> <1ec42959-977a-9ce0-907a-83a5eb2b6ef2@tana.it> <25739.5435.550786.601699@fireball.acr.fi> <25739.33240.127804.524371@fireball.acr.fi> <5d9a0b0f-8777-2494-d779-376c6ab8b37d@tana.it> <7d39aa8e-dacc-05fa-eff1-2cc350d521db@inboxsys.com>
In-Reply-To: <7d39aa8e-dacc-05fa-eff1-2cc350d521db@inboxsys.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 16 Jun 2023 07:02:46 -0400
Message-ID: <CAH48ZfwyBwfKzG_3R5uyV6tmY0yUtWy=5yAoAOEhUGn_Rz6HNw@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a47f1b05fe3d206d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/7qDrZQcTNtbjRqU1jVEGmrhrOtY>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2023 11:03:01 -0000

RFC 7489 takes 8 different authentication mechanisms and lumps them into a
single PASS result:
DKIM or SPF, each with up to four types of alignment:  same domain,
parent->child, child->parent, and sibling->sibling

These eight mechanisms all provide some level of confidence that the
message is not impersonated, but they do not provide an equal level of
confidence.

Unsophisticated senders have little incentive to use the higher confidence
mechanisms because any PASS result is still PASS.   The solution is not to
pretend that SPF is worthless, because that is an overstatement.   The
solution is to talk about the differences in confidence provided by the
different authentication methods, and note that evaluators have reason to
distrust some of them.   That distrust could cause a weakly authenticated
message to be distrusted by some evaluators.

Similarly, needs multiple types of FAIL.   Since the data indicates that
missing (or invalid) public keys are a significant portion of all failures,
it needs a separate failure code from "normal" failures which suggest
in-transit changes.   The DKIM group needs to define the result code but
this group would need to integrate it into our aggregate reports.








On Fri, Jun 16, 2023 at 5:52 AM Sebastiaan de Vos <sebastiaan=
40inboxsys.com@dmarc.ietf.org> wrote:

>
> > Many thanks.  That figure seems to be more or less in agreement with
> > what others here have obtained on smaller samples.  However small, it
> > may confer to SPF the role of a stabilizer in DMARC mail flows.
>
> How could SPF be a stabilizer when it's proven to be a highly unreliable
> mechanism? I'd rather consider that a de-stabiliser. From what I
> understand, SPF is part of the problem, not part of the solution.
>
> Sebastiaan
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email