Re: [dmarc-ietf] DMARCbis WGLC - Issue 141 DMARC and What To Say About SPF -all

Neil Anuskiewicz <neil@marmot-tech.com> Sun, 07 April 2024 12:51 UTC

From: Neil Anuskiewicz <neil@marmot-tech.com>
Mime-Version: 1.0 (1.0)
Date: Sun, 07 Apr 2024 05:50:49 -0700
Message-Id: <400178F2-B40F-4555-BD51-628A11EF1417@marmot-tech.com>
References: <20240406204004.348F78701D5A@ary.qy>
Cc: dmarc@ietf.org, sklist@kitterman.com
In-Reply-To: <20240406204004.348F78701D5A@ary.qy>
To: John Levine <johnl@taugh.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/AM6xYqpWnI4DyaBGNrAijrXqbU8>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 141 DMARC and What To Say About SPF -all


> On Apr 6, 2024, at 1:40 PM, John Levine <johnl@taugh.com> wrote:
> 
> It appears that Scott Kitterman  <sklist@kitterman.com> said:
>> I hear you.  Your operational issue is my system working as designed.  DMARC
>> works on top of SPF, it doesn't change it.  
>> 
>> Anything like this belongs in an operational guidance document, not in the
>> protocol description.  I have no problem describing the trade offs in an
>> appropriate document, but I don't think this is it.
> 
> I agree.  "Don't do stupid stuff" goes in an A/S, not in the spec.
> 
> I entirely believe people are confused about SPF, but they're confused
> about everything. A few days ago on the generally clueful NANOG list
> we had to explain to someone that rejecting mail if DKIM signatures
> don't verify is not a good idea.
> 
> R's,
> John
> 

I think a clear statement and supporting text explaining clearly that SPF is no longer the policy layer would be a good idea. While it might be slightly out of scope, I have encountered people who think best practice is to enforce with -ALL.

It’s not that it’s stupid to do that; it’s just that email auth is still kind of obscure knowledge, for some reason I don’t quite understand, since it’s been a while.
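As an added illustration of the point this thread is arguing over (DMARC sits on top of SPF and does not turn the SPF "-all" qualifier into a policy), here is a toy evaluator that is not code from the thread or from any DMARC implementation. It contrasts a receiver that rejects on an SPF hard fail by itself with RFC 7489-style DMARC evaluation, where one aligned pass from either SPF or DKIM is enough. All domains and results are constructed sample data, and the organizational-domain derivation is simplified to the last two labels instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class AuthResults:
    """Per-message inputs a receiver has after running SPF and DKIM (constructed sample data)."""
    from_domain: str              # RFC5322.From domain, the identity DMARC protects
    spf_result: str               # SPF result for RFC5321.MailFrom: pass / fail / softfail / none
    spf_domain: Optional[str]     # RFC5321.MailFrom domain the SPF check was run against
    all_qualifier: str            # qualifier on the sender's "all" mechanism: "-", "~", "?" or "+"
    dkim_result: str              # result of the best DKIM signature: pass / fail / none
    dkim_domain: Optional[str]    # d= tag of that signature, if any


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real evaluators use the Public Suffix List; this shortcut is an assumption of the toy."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(authenticated: Optional[str], from_domain: str, mode: str = "r") -> bool:
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r") the same org domain."""
    if authenticated is None:
        return False
    if mode == "s":
        return authenticated.lower() == from_domain.lower()
    return org_domain(authenticated) == org_domain(from_domain)


def spf_only_verdict(r: AuthResults) -> str:
    """A receiver that still treats the SPF '-all' qualifier as policy and rejects on hard fail."""
    if r.spf_result == "fail" and r.all_qualifier == "-":
        return "reject"
    return "accept"


def dmarc_verdict(r: AuthResults, policy: str = "reject",
                  aspf: str = "r", adkim: str = "r") -> Tuple[str, str]:
    """DMARC passes if EITHER SPF or DKIM passes AND aligns with the From domain.
    Only on a DMARC fail does the From domain's published p= decide the disposition."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    if spf_ok or dkim_ok:
        return "pass", "accept"
    disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}[policy]
    return "fail", disposition


# Constructed scenarios: example.com publishes "v=spf1 ... -all" and a DMARC record with p=reject.
FORWARDED = AuthResults(            # forwarder's IP is not in example.com's SPF record,
    from_domain="example.com",      # but the example.com DKIM signature survived the hop
    spf_result="fail", spf_domain="example.com", all_qualifier="-",
    dkim_result="pass", dkim_domain="example.com")

SPOOFED = AuthResults(              # no aligned authentication at all
    from_domain="example.com",
    spf_result="fail", spf_domain="example.com", all_qualifier="-",
    dkim_result="none", dkim_domain=None)

DKIM_BROKEN = AuthResults(          # signature damaged in transit; SPF still passes and aligns
    from_domain="example.com",
    spf_result="pass", spf_domain="mail.example.com", all_qualifier="-",
    dkim_result="fail", dkim_domain="example.com")

ESP_BOUNCE = AuthResults(           # ESP uses its own bounce domain, so only DKIM aligns
    from_domain="example.com",
    spf_result="pass", spf_domain="bounce.esp.example", all_qualifier="-",
    dkim_result="pass", dkim_domain="example.com")


if __name__ == "__main__":
    for name, r in [("forwarded", FORWARDED), ("spoofed", SPOOFED),
                    ("dkim_broken", DKIM_BROKEN), ("esp_bounce", ESP_BOUNCE)]:
        print(f"{name:12} SPF-only: {spf_only_verdict(r):7} DMARC: {dmarc_verdict(r)}")
```

The forwarded case is where the two layers disagree: the SPF-only receiver rejects legitimate mail on the "-all" hard fail, while DMARC accepts it on the aligned DKIM pass. The DKIM-broken case shows the converse from the quoted NANOG anecdote: a receiver that rejects purely on a DKIM verification failure discards mail that DMARC still passes on aligned SPF. Only the spoofed case, with no aligned pass at all, reaches the From domain's p= policy.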