IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Scott Kitterman <sklist@kitterman.com> Mon, 26 June 2023 13:17 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16D6EC151087 for <dmarc@ietfa.amsl.com>; Mon, 26 Jun 2023 06:17:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="NFCqusUA"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="SR4w+wJz"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xUQqiW0qUBxV for <dmarc@ietfa.amsl.com>; Mon, 26 Jun 2023 06:17:30 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20DF0C15107D for <dmarc@ietf.org>; Mon, 26 Jun 2023 06:17:29 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 531CAF802E5; Mon, 26 Jun 2023 09:17:17 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1687785422; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=Ncsiik1vI2CPdpaFNdrxX4uqRX5gYaU4k1Id0TIaIjc=; b=NFCqusUAGXLoN/Luiq4XcrMYr/P9lFjbfqCPdH/zIJq8ZjffSZEnAYlwT68MHL71gy1+v MT41AqPoYl8uL7sCg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1687785422; h=date : from : to : subject : in-reply-to : references : message-id : mime-version : content-type : content-transfer-encoding : from; bh=Ncsiik1vI2CPdpaFNdrxX4uqRX5gYaU4k1Id0TIaIjc=; b=SR4w+wJzGBVuiT9bLk2XzYhnvSjAyBTp5XC5+iiUfdxQ05JnOCLp2JP9jqOboY7k5QR7x C/w2wSCQiLT55EC4qoh7gO2zqMhCHhY8a3pVgKGvD8HFb8YH+fofEL1sX7CjIpk6bDToNyy UDbFooJ3/5H3aCgpds/B4NN6leKjcJbENMwnbv+Sh5EABrq1MJbTepr4s/2wGwLeev9elzB zzlUAJv09fvXOiJ4E9YafcmxJQJpcokP0jXvGXEXkvSw0nVvX30WX7mvi2/ovwPgBBzBr6/ 4wOv3F1IYtQzl+7zTM+/lnNlaewhjB5H8e5VhLy2E8DNjA+PSb+evs0bTTTA==
Received: from [127.0.0.1] (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTPSA id 40D46F80238; Mon, 26 Jun 2023 09:17:02 -0400 (EDT)
Date: Mon, 26 Jun 2023 13:16:57 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <FR0P281MB1564D3225C34252E16872FF5E926A@FR0P281MB1564.DEUP281.PROD.OUTLOOK.COM>
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAHej_8=7M=zJB2ENbnEQfRMfwEXDnGo61jHE_qQPTc0V9tFMdA@mail.gmail.com> <d30d574d-0cb8-bfc4-0d9f-7176882fc81e@inboxsys.com> <3315842.y3rMdDZ7an@localhost> <FR0P281MB1564D3225C34252E16872FF5E926A@FR0P281MB1564.DEUP281.PROD.OUTLOOK.COM>
Message-ID: <B1596064-150A-4B3C-A78B-7359966CAA62@kitterman.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/830db5tiqsoXqwtCeVhzgA9L3Lg>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jun 2023 13:17:35 -0000


On June 26, 2023 12:51:06 PM UTC, Florian.Kunkel@telekom.de wrote:
>
>> In theory, DKIM is enough for DMARC (this was always true), but in practice it
>> is not.
>
>May be you can afford to use SPF, DKIM, DMARC in pure theory for your day job,
>but people here expect to apply it to solve real problems with real email in real life.
>*SCNR* ... do not take that personally.
>
>
>> I don't think there's evidence of a systemic weakness in the protocol.  We've
>> seen evidence of poor deployment of the protocol for SPF, but I think the
>> solution is to fix that (see the separate thread on data hygiene).
>
>
>The problem with DMARC is, there's no easy way to decide you can rely on SPF as long as it references shared IP infrastructure (because you can't decide whether an IP is shared or dedicated).
>In my view this is a tremendous weakness of the SPF protocol.
>(maybe only 'cause I do not trust shared infrastructure providers to get their customers right all the time, 'cause I know how hard that is from being an ISP mailer)
>
>So to remove or at least ignore SPF from DMARC is minimal requirement for DMARC being worth mentioning supportive of sender authentication at all.
>Meanwhile it's a pretty viable attack vector against DMARC, foiling the idea of sender authentication.

That's true if you change the semantics of what a DMARC pass means.  It means it came via an authorized source.  It does not mean anything about if the message is "good" or "bad".  It doesn't and can't solve the problem of inappropriately injected mail in the authorized stream.

When a domain publishes a public key in its DNS that's been given to it by a third party provider, DKIM is also exposed to third party provider data hygiene risks.

Even if DKIM were perfect and we ditch SPF, users get compromised and bad stuff still gets into the authenticated stream.

I think people are attributing a lot of badness to SPF when it's a more general problem.  It's just easier to identify with SPF.  Currently, bad ingress controls for third party providers mostly imposes external costs (from their point of view).  Until that changes, it will be a mess no matter what the underlying authentication technology is.

Scott K

v2.23.0 | Report a Bug | By Email