IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

"Murray S. Kucherawy" <superuser@gmail.com> Thu, 22 June 2023 16:09 UTC

Return-Path: <superuser@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CBDBC1519B0 for <dmarc@ietfa.amsl.com>; Thu, 22 Jun 2023 09:09:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDbvkTZ5H5ia for <dmarc@ietfa.amsl.com>; Thu, 22 Jun 2023 09:09:16 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B978BC1519A0 for <dmarc@ietf.org>; Thu, 22 Jun 2023 09:09:16 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id 38308e7fff4ca-2b57b4e95a8so10032601fa.1 for <dmarc@ietf.org>; Thu, 22 Jun 2023 09:09:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687450155; x=1690042155; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=qI9TNwrsLvXMDu0z+4UIG3q+BKBShPvhpQY/DPgMDAU=; b=YVK2ddX5fFlm66NRyWUVGjpzvNkhLaXLvLiMeUq6ldxqpTvKmYkg2FWj4LIF1/Zspi RAW9gtM2QPzm/bZbTdu/mBMeEdgHgKwubuR/l2NZ4uT/j6290sawzMRdrETFqrT5pIu1 q+JFLYIF1rJ67WygG2RcZKZMUwklm4h+cERsk4I9pYg5/PWntJzrpbo8xvTL0xknrPXM xh7GdodxpHROgAr94HjLb71ZK0maIYq1Lhoi8S3UJwmJ/kdw237MfZjZq7zpV/lofcR+ NzdfInwGZLgt3JBCdBFvnHX2/vGx7ouJXx2eohXkdi/jDTWwgPtlOfUMknZwXRD1RxMP +zlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687450155; x=1690042155; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=qI9TNwrsLvXMDu0z+4UIG3q+BKBShPvhpQY/DPgMDAU=; b=IHdlYbgVYOcEUnDjYsi3gAYO/owoYQ4RoMtw0NIWdDjJdZmgyRPkDm12Hc6IBAEwaO Sj5Ftpw9OiGn1RRBTwY1hwb5qo/88EJ+h+fcgYkJPcEoyU0wjaquQSOJMspvqdMhdxbc fppZTIni0kPTTevAvgw65m0V/xq0NtmhRldpEDXtYPyQGud1V1GIcB9+9AeUsoP3M3eq vL7nvmdTtX8TkjubF1yU8BkgqDuioLxqAfrwaD7/vfxzEg9VN17GvsuyKOn18J6KNbgW EHtwWZpnN+HgIyCoXatMjIu03WtEZ/RBoibrqunWVLMn3bNSzeg/W+pj6qgPwzlY53Kw O2KA==
X-Gm-Message-State: AC+VfDy/swQ5bWX3votCXXZjUTQLkyJWhYPmBjrUNREc7uUq3NihaIhW 85EtshXRS/UShJSV787uBHegSnx/SDGqFLZeMSuqFMqp
X-Google-Smtp-Source: ACHHUZ6XX/rn+Pu+tpOMOX0w52RxpEELHB76e2iLCoZ5aREe4Iz2RjxKAd3ShDHmqbokCIVK7PkA1WeP9aWCxzDcGMA=
X-Received: by 2002:a05:651c:2002:b0:2b5:8ff0:59ad with SMTP id s2-20020a05651c200200b002b58ff059admr1419791ljo.4.1687450154536; Thu, 22 Jun 2023 09:09:14 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi> <1ec42959-977a-9ce0-907a-83a5eb2b6ef2@tana.it> <25739.5435.550786.601699@fireball.acr.fi> <25739.33240.127804.524371@fireball.acr.fi> <5d9a0b0f-8777-2494-d779-376c6ab8b37d@tana.it> <xtudkqv5sqxs4c2nnilna5lf4b266br4xwdjwoq4fdyjpgzjln@xdb5rldfeini> <3087d0fa-91b4-62b4-fc64-a705c7f0b672@taugh.com> <CAHej_8=VnOC1Pms2JKJYG=2Dqtp2nc9oe-j=aEmNfvGuNhvzZA@mail.gmail.com> <a9505fda-ed21-1fc6-adb6-f231225a1ceb@tana.it> <CAHej_8nNGQR9Bm59dsu=XG7iBGyyW=SCh4=0cBM8NWodHyo6pQ@mail.gmail.com> <2de0ca2a-2c18-91ae-f306-38e70aaebf8e@inboxsys.com> <CAH48ZfwjMEwG=b7EsKkXQLzPgcysMLOj2QhZ7_8fs6uQ7zxXYQ@mail.gmail.com> <2080c6e5-2b57-be82-995b-a0986c3a45c5@inboxsys.com> <CAHej_8=7M=zJB2ENbnEQfRMfwEXDnGo61jHE_qQPTc0V9tFMdA@mail.gmail.com>
In-Reply-To: <CAHej_8=7M=zJB2ENbnEQfRMfwEXDnGo61jHE_qQPTc0V9tFMdA@mail.gmail.com>
From: "Murray S. Kucherawy" <superuser@gmail.com>
Date: Thu, 22 Jun 2023 09:09:02 -0700
Message-ID: <CAL0qLwauT-Fq-c5ubf43S7O8Likp+Pjj8SoE2uDNisAZMWfLkA@mail.gmail.com>
To: Todd Herr <todd.herr=40valimail.com@dmarc.ietf.org>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000009940705feba1b0e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ADuID91d1BWJ20TCEYRabieeRTY>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jun 2023 16:09:17 -0000

On Thu, Jun 22, 2023 at 6:32 AM Todd Herr <todd.herr=
40valimail.com@dmarc.ietf.org> wrote:

> Marty also has the right to engage a third party to send the mail (again,
> as conveyed by their employer), mail that Marty and others at Marty's
> company will create. The third party here is most commonly referred to, in
> my experience, as an Email Service Provider (ESP), but this is just one use
> case. The ESP knows how to DKIM sign messages, and can even do so using the
> domain of Marty's employer, so long as Marty is able to get the public key
> published in DNS.
>

We thought about this during the early DKIM days.  It was called out more
than once that at sufficiently large organizations, the email people and
the DNS people are not certain to be part of the same organization.  That's
certainly true where I work.  And at a subset of the largest of those
organizations, the email people and the DNS people don't trust each other
either, so they sometimes make it harder for one to tamper in the space of
the other.  We tried to keep this in mind while designing how DKIM could
function.

I concur that this isn't really a problem for either working group to solve
as part of a standard, but there might be room for some suggestions if
either one ends up producing a best practices document.

The open source DKIM package I developed included a simple tool that would
generate a properly formed TXT record and associated comments suitable for
inclusion into a zone file, but there was feedback that it was still error
prone.  It also included a script that, once you had published a DKIM
record, would confirm that your signing key and the public key now in the
DNS matched, so signatures should work.

I had two thoughts over the years about other things to try:

(1) Instead of generating a DNS TXT record for someone to cut and paste,
output a complete "_domainkey" zone file to simply move into position,
i.e., by copying files rather than strings.  This is less prone to
corruption because copy-paste isn't part of the process.

(2) Make use of protocols like DNS UPDATE (RFC2136) that could allow DKIM
key generation tools to insert new records directly into the primary
authoritative server.  This is even less prone to error or corruption
because the human is almost totally removed from the process.

-MSK

v2.23.0 | Report a Bug | By Email