[dmarc-ietf] SPF / Re: Email security beyond DMARC?

Дилян Палаузов <dilyan.palauzov@aegee.org> Fri, 29 March 2019 21:32 UTC

Return-Path: <dilyan.palauzov@aegee.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E7912030B for <dmarc@ietfa.amsl.com>; Fri, 29 Mar 2019 14:32:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (4096-bit key) reason="fail (message has been altered)" header.d=aegee.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VYG4OxanGpg0 for <dmarc@ietfa.amsl.com>; Fri, 29 Mar 2019 14:32:45 -0700 (PDT)
Received: from mail.aegee.org (mail.aegee.org [144.76.142.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D8801202F5 for <dmarc@ietf.org>; Fri, 29 Mar 2019 14:32:43 -0700 (PDT)
Authentication-Results: mail.aegee.org/x2TLWXw9006956; auth=pass (PLAIN) smtp.auth=didopalauzov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aegee.org; s=k4096; t=1553895155; i=dkim+MSA-tls@aegee.org; r=y; bh=fK4mrtaZT56WrW59gCLY4YwHChv8QWo0rYBCZ2FZgQo=; h=Subject:From:To:Cc:In-Reply-To:References:Date; b=Srohqv8LWxUH0ydbY3JRdWs835FfLrUaze8m5iwCwa3fOy5pftG8MHYNnrTQNrShv PEyizwMwlZi012DUo4hRsPEGEiMDZTmx1ZkIiGwne4i9XSncpzrU1c6AgsZlZVlKCn gXl4i5cYN+DRQXkDsYgnol8j/DroTz8NTozLL4kqQ6M7cY1ibVLnRyCt+xJRwqoDtf 60dOa0gK+l7M5uakYN794xg90qlf3Yy/jZe6BZvZTXTAzkwVBrxT3o3/aEckKxD67I dzKgkGPmyKKa7/UPMNYoFFIWObuH+7jKrTMTJvo+851ta07h2YzvK2Z/HDd4yGePiI 6p95Jufhs5LMlBrgtHHKjqcuh9rBeR0AYhAyH/Tz/r86eni0Lk2PwoxPNkJMbpspfK exQNNFQ5C3Ri7lqI9TrfxrMk53N25k5D5Pw5mEIL319D1u4KoHVrsxqF+0lsWM5UKF IF8Du6Bk2fRSgujl7xlmOkUDl7CNhPBz49CK4+UCx40BEsM7FworOcXQAzK8+T0Sam 7mdN+HDii3kG1GVzpUs0xo1nNdf3uYCAU2lWWF0l5AgYtAMR18x4Fm5UJay2regXxi SrZY5Qh0fHf2F8CG6pg8+bPkO+Zea1oJwYWQs8/HLwqrP1nAbM1cG/SNsFM3l8spsc eS/dp80n88ReJ5FLqIa0pnLY=
Authentication-Results: mail.aegee.org/x2TLWXw9006956; dkim=none
Received: from Tylan ([185.109.153.2]) (authenticated bits=0) by mail.aegee.org (8.15.2/8.15.2) with ESMTPSA id x2TLWXw9006956 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Fri, 29 Mar 2019 21:32:34 GMT
Message-ID: <52e91dfdce6ac4bca896924455455a874773a108.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: Doug Foster <fosterd@bayviewphysicians.com>, 'Ken Simpson' <ksimpson+ietfdmarc@mailchannels.com>, 'John R Levine' <johnl@taugh.com>
Cc: 'IETF DMARC WG' <dmarc@ietf.org>, 'Dotzero' <dotzero@gmail.com>
In-Reply-To: <002901d4e014$f0b50570$d21f1050$@bayviewphysicians.com>
References: <20190319184209.804E42010381DB@ary.qy> <alpine.DEB.2.20.1903201442260.7108@softronics.hoeneisen.ch> <alpine.OSX.2.21.1903201042010.79863@ary.qy> <CAJ4XoYcyaEBHYGPDY4ah_O+Obk-tijnL9SnxvzKyywu4BEmkrw@mail.gmail.com> <alpine.OSX.2.21.1903211031070.83149@ary.qy> <CAEYhs4GJeRhCQUxWxCDm8K46v_rTjER3ueoMRhMdUdZzK1ZSaQ@mail.gmail.com> <002901d4e014$f0b50570$d21f1050$@bayviewphysicians.com>
Content-Type: text/plain; charset="UTF-8"
Date: Fri, 29 Mar 2019 21:12:31 +0000
MIME-Version: 1.0
User-Agent: Evolution 3.33.1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.101.2 at mail.aegee.org
X-Virus-Status: Clean
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Ch4dsSb0vL-tS31YsDYpCRJxNhE>
Subject: [dmarc-ietf] SPF / Re: Email security beyond DMARC?
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2019 21:32:47 -0000

Hello Doug,

My understanding is that SPF complements DKIM only in the cases where the MTA is not capable of signing an email, e.g. a
bounce.

So, if your MTA can DKIM-sign everything, you do not need SPF.

> Do you handle SPF any differently between senders with DMARC enforcement and those without?

No, SPF does not work with aliases (where no SRS is applied).

My experience sending email over a mailing list to some domains directly and to the same domains indirectly (over other
hosts, which in fact do aliasing), for a DKIM signature that failed, is that due to SPF the direct emails were delivered,
whereas the indirect emails were not.  This also created indirect feedback that is not very precise in my logs.  So I
decided to remove the SPF TXT records, and next time such things happen I can check in the logs which message in
particular was rejected and maybe avoid such situations in the future.

Regards
  Дилян


On Thu, 2019-03-21 at 14:36 -0400, Doug Foster wrote:
> I am all for anything that cuts unwanted email. Not sure of the need to distinguish between spam and phishing.
>  
> I am assuming that I am the only one in this group not using DMARC. You heard my problems with SPF.
>  
> What do you do for SPF exceptions?
> · We have never seen a legitimate sender who needed an exception?
> · We whitelist the source IP address and trust that it will only be used for appropriate domains?
> · We whitelist the sender domain and hope it will never be spoofed?
> · Something else?
>  
> Also, how do you handle SPF non-pass: Neutral, Softfail, Syntax errors, or Excessive nesting?
>  
> Do you handle SPF any differently between senders with DMARC enforcement and those without?
>  
> Doug Foster
>  
>  
> From: dmarc [mailto:dmarc-bounces@ietf.org] On Behalf Of Ken Simpson
> Sent: Thursday, March 21, 2019 1:01 PM
> To: John R Levine
> Cc: IETF DMARC WG; Dotzero
> Subject: Re: [dmarc-ietf] Email security beyond DMARC?
>  
> > > I'm going to have to disagree with you John. DMARC is about preventing
> > > direct domain abuse. It does not specifically address phishing as the bad
> > > guys can simply use cousin domains, homoglyphs, etc.
> > 
> > Well, it's about a subset of phishing.  It's surely more about phishing
> > than about spam.
> 
>  
> IMHO, by cutting out direct domain spoofing, DMARC makes it easier for receivers to craft algorithms that spot impersonation attacks. Once you have configured DMARC, receivers can build - for example - a machine learning system that learns what your legitimate email looks like. They can use that same system to identify messages that look like your legitimate email but which do not actually originate from your domain.
>  
> If you want to detect domain impersonation or "brand" impersonation, you first have to have a verifiable ground truth corpus. That is what DMARC offers.
>  
> Regards,
> Ken 
>  
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
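The two points argued above, that SPF breaks when an alias or forwarder relays a message without SRS, and Doug's question about how the non-pass results (neutral, softfail, syntax error, excessive nesting) arise, can be shown with a small SPF evaluator run against a static DNS table. The following is an added example, not code from the thread or from any of the participants: the domains, IP addresses and TXT records are constructed for illustration, the `srs_rewrite` helper is a simplified stand-in for real SRS (no HMAC or timestamp), and only the `ip4`, `include`, `redirect` and `all` mechanisms of RFC 7208 are implemented.

```python
"""Added example: minimal SPF evaluator over a constructed DNS table.

Shows why a message that relies on SPF passes when delivered directly but
fails once an alias/forwarder relays it without SRS, and what SRS changes
(SPF passes again, but for the forwarder's domain, so DMARC alignment must
come from DKIM).  Not a full RFC 7208 implementation; use pyspf or similar
in production.
"""

import ipaddress

# Constructed DNS TXT data (hypothetical domains and addresses, RFC 5737 ranges).
DNS_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.10 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "forwarder.example": "v=spf1 ip4:203.0.113.5 ~all",
    "loop-a.example": "v=spf1 include:loop-b.example -all",   # excessive nesting
    "loop-b.example": "v=spf1 include:loop-a.example -all",
    "broken.example": "v=spf1 ip4:not-an-address -all",       # syntax error
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_host(ip, domain, _lookups=None):
    """Return the SPF result for client `ip` sending MAIL FROM `domain`.

    Results follow RFC 7208 section 2.6: none, neutral, pass, fail,
    softfail, permerror (temperror is not modelled; the table is static).
    """
    lookups = _lookups if _lookups is not None else [0]
    record = DNS_TXT.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # unparsable record
            if ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS-querying mechanisms
            sub = check_host(ip, arg, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("permerror", "none"):
                return "permerror"  # RFC 7208 section 5.2
            # fail/softfail/neutral inside the include: no match, keep going
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_DNS_LOOKUPS:
            return "permerror"
        return check_host(ip, redirect, lookups)
    return "neutral"  # nothing matched and no "all" term


def srs_rewrite(mail_from, forwarder_domain):
    """Simplified SRS0 rewrite of the envelope sender (hypothetical helper:
    real SRS embeds a timestamp and an HMAC so the forwarder can validate
    bounces; the literal 'hash' and 'ts' here are placeholders)."""
    local, _, domain = mail_from.partition("@")
    return f"SRS0=hash=ts={domain}={local}@{forwarder_domain}"


def spf_for_hop(client_ip, mail_from):
    """SPF result plus the domain SPF authenticated, as a DMARC evaluator sees it."""
    domain = mail_from.rpartition("@")[2]
    return check_host(client_ip, domain), domain


def dmarc_spf_aligned(spf_domain, header_from_domain):
    """Strict DMARC alignment check between the SPF domain and RFC5322.From."""
    return spf_domain == header_from_domain


if __name__ == "__main__":
    # Direct delivery from example.org's own MTA: pass, aligned.
    print("direct      ", spf_for_hop("192.0.2.10", "user@example.org"))
    # Same message relayed by an alias host without SRS: fail, so a receiver
    # that enforces -all rejects it while the direct copy is delivered.
    print("forwarded   ", spf_for_hop("203.0.113.5", "user@example.org"))
    # With SRS the forwarder's own SPF passes, but for forwarder.example,
    # which is not aligned with the From: domain; DKIM has to carry alignment.
    srs_from = srs_rewrite("user@example.org", "forwarder.example")
    print("forwarded+SRS", spf_for_hop("203.0.113.5", srs_from))
```

Run it as a script to see the three hops side by side; the interesting line is the second, where the forwarder's IP evaluates to `fail` against example.org's `-all` record even though the message is otherwise unchanged.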