IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Dotzero <dotzero@gmail.com> Thu, 08 June 2023 20:03 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33E72C151542 for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 13:03:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.094
X-Spam-Level:
X-Spam-Status: No, score=-7.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rkRV3x1u_q3O for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 13:02:59 -0700 (PDT)
Received: from mail-ua1-x935.google.com (mail-ua1-x935.google.com [IPv6:2607:f8b0:4864:20::935]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAB59C15153D for <dmarc@ietf.org>; Thu, 8 Jun 2023 13:02:59 -0700 (PDT)
Received: by mail-ua1-x935.google.com with SMTP id a1e0cc1a2514c-786e783a748so396395241.2 for <dmarc@ietf.org>; Thu, 08 Jun 2023 13:02:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1686254578; x=1688846578; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=JfgOecu4mZJu7yS3pTs2teIS/HE/mRbZtlKN+5ErYK0=; b=d0lWIbYKETe4ckUywaXVPPG+CTxuBKGioT9gYJjNA6pZyIxduDsPlegt448yjexCdg to2xI6TNCdcVTEqlxLAzgUWycII1w9EYB5XSiljvU4d8FrftkAiM4iXzxhPdJALwmQRI fKgXgDy4N0B36sexfumdhQXALkrmaANLjOU6ohFm6TKz75TdTwJyrdR+a4yXR3TRudB4 IXv/fNiHS797xFsWwKovNoH6NOAl4/S9WaxMdRechjiPr2e12fNs2WTmYp4T54YqBOdG wWvKtCF+7AVh6eGB/NgP2r2V3yStz6tsb3OKGcn4AFr/Euvc8WuC/wvBQezN7sjZGOly /sNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686254578; x=1688846578; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=JfgOecu4mZJu7yS3pTs2teIS/HE/mRbZtlKN+5ErYK0=; b=SELTGX4giPBYWL55KtPADBcOq0EDFG/yuij57omKJtqJosnnbXLfVSKC3x5L57khZ4 65eW38xVtJ38ZvbsPcbLSLf16m0h4g6tdjPykvfRCI3y1zimpRKiABlXwrPwh44rPU69 eHsBudG77yIOUJYXY6kZeQNUBcw5XHyB161KzySXVdutIXwhGTZOUMVJXkIwrEypsOhr A0RoZz7RZ8PEQVp3aMGv50N8dZ2nJ+x1jS2QlynB3s0ulmDKOS8HzzFwF9G4OefzotmF c3vOcxHa0unvYSNnVDE2vYkc2ggNnNiYjynvk6YIKFwXGk76wCfD1jVC4TFfs/9pWzVM UgWA==
X-Gm-Message-State: AC+VfDzD2B/23nATFt7RQMPeew9WVl4HvN4KB8tT0TI/pn6/mIyX5Mi3 lXtXPc7dAqMZUaGeRSufsVebdXQZEevQVx9naDM=
X-Google-Smtp-Source: ACHHUZ47woMnNlw62Hdeb3tWlpCdc3HJq2Pg+xWrd30ourrJQddcqPBreiQBPGsNXZNsc0a0Ywwtkq3WBTQr2Rd5xxs=
X-Received: by 2002:a67:f8d1:0:b0:437:db1d:7edf with SMTP id c17-20020a67f8d1000000b00437db1d7edfmr2717063vsp.26.1686254578614; Thu, 08 Jun 2023 13:02:58 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAL0qLwbx6Y=kmB5pQZx8gNqD=rLBYz1vLOX6ngL=wUHHUm0Hjw@mail.gmail.com> <CAOZAAfMtsjcp+aCrwQ2QRc+SHsw3rhwMuTBugRYe44NeiMeKyg@mail.gmail.com> <CALaySJKrXJJXz3pgp85BPswoirhPJtD=uuefVfc9sX1fGkj-iA@mail.gmail.com>
In-Reply-To: <CALaySJKrXJJXz3pgp85BPswoirhPJtD=uuefVfc9sX1fGkj-iA@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Thu, 08 Jun 2023 16:02:48 -0400
Message-ID: <CAJ4XoYc++Ossx-1oAX6fK12a3v=yz8XhoXKHdNF7-e8p=O3OCA@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Seth Blank <seth=40valimail.com@dmarc.ietf.org>, Tobias Herkula <tobias.herkula=401und1.de@dmarc.ietf.org>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000028c5bf05fda3bd57"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/FThlj7dUrsmDRy02DvNLz947Ca8>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2023 20:03:04 -0000

On Thu, Jun 8, 2023 at 10:44 AM Barry Leiba <barryleiba@computer.org> wrote:

> See, I don't look at it as "harmed".  Rather, I think they're using "we
> use SPF" as a *reason* not to use DKIM, and I think that *causes* harm.
>

That might be true but does not address whether or not SPF is/can be useful
in the context of DMARC validation.


>
> SPF is, as I see it, worse than useless, as it adds no value to domain
> that use DKIM -- any time DKIM fails SPF will also fail -- and actually
> impedes the adoption of DKIM.  Reliance on SPF causes DMARC failures that
> result in deliverability problems for legitimate mail.  I wholeheartedly
> support removal of SPF as an authentication mechanism that DMARC accepts.
>

I'm going to disagree with you on this, having experience with billions of
emails sent with both SPF and DKIM used in the context of DMARC validation.
A sender using both SPF and DMARC will see a slight boost in validation
rates due to increased resiliency when there are transient DNS failures and
other problems. A small percentage of a very large number is still a large
number. Let's not throw the baby out with the bath water.

>
> Barry, as participant
>

Michael Hammer


>
> On Thu, Jun 8, 2023 at 3:30 PM Seth Blank <seth=
> 40valimail.com@dmarc.ietf.org> wrote:
>
>> Participating, I have data that I believe points to a long tail of
>> businesses who predominantly only authenticate on behalf of others using
>> SPF, and would be harmed by such a change. It will take me a little while
>> to confirm and share.
>>
>> I also know a predominant ccTLD with millions of registrations, that has
>> SPF on roughly 80% of them, but DMARC on barely 5%. I don't have data on
>> DKIM for those, but I assume it's closer to the DMARC penetration than the
>> SPF one. I'll see if I can get this data to share more publically, and also
>> get the DKIM answer.
>>
>> Of course the goal is aligned dkim with a stated policy, but I don't
>> think the data supports us being anywhere close to that realistically.
>>
>> As Chair, this is a valuable conversation to have with real data on
>> problems and opportunities at scale, and am excited to see Tobias share and
>> see what others have to say.
>>
>> Seth
>>
>> On Thu, Jun 8, 2023 at 3:21 PM Murray S. Kucherawy <superuser@gmail.com>
>> wrote:
>>
>>> On Thu, Jun 8, 2023 at 6:00 AM Tobias Herkula <tobias.herkula=
>>> 401und1.de@dmarc.ietf.org> wrote:
>>>
>>>> My team recently concluded an extensive study on the current use and
>>>> performance of DMARC. We analyzed a staggering 3.2 billion emails, and the
>>>> insights drawn are quite enlightening. Of these, 2.2 billion emails
>>>> (approximately 69%) passed the DMARC check successfully. It's quite an
>>>> achievement, reflective of our collective hard work in fostering a safer,
>>>> more secure email environment.
>>>>
>>>>
>>>>
>>>> However, upon further analysis, it's evident that a mere 1.6% (or
>>>> thirty-six million) of these DMARC-passed emails relied exclusively on the
>>>> Sender Policy Framework (SPF) for validation. This is a remarkably low
>>>> volume compared to the overall DMARC-passed traffic, raising questions
>>>> about SPF's relevancy and the load it imposes on the DNS systems.
>>>>
>>>>
>>>>
>>>> Given the current use case scenarios and the desire to optimize our
>>>> resources, I propose that we explore the possibility of removing the SPF
>>>> dependency from DMARC. This step could result in a significant reduction in
>>>> DNS load, increased efficiency, and an accurate alignment with our
>>>> predominant use cases.
>>>>
>>>> [...]
>>>>
>>>
>>> Does anyone have consonant (or dissonant) data?
>>>
>>> -MSK, participating
>>> _______________________________________________
>>> dmarc mailing list
>>> dmarc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>
>>
>>
>> --
>>
>> *Seth Blank * | Chief Technology Officer
>> *e:* seth@valimail.com
>> *p:* 415.273.8818
>>
>> This email and all data transmitted with it contains confidential and/or
>> proprietary information intended solely for the use of individual(s)
>> authorized to receive it. If you are not an intended and authorized
>> recipient you are hereby notified of any use, disclosure, copying or
>> distribution of the information included in this transmission is prohibited
>> and may be unlawful. Please immediately notify the sender by replying to
>> this email and then delete it from your system.
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email