Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Hector Santos <hsantos@isdg.net> Thu, 22 June 2023 20:51 UTC

From: Hector Santos <hsantos@isdg.net>
Message-Id: <D790ED73-B59C-4E30-8B59-2C1FDD42AB94@isdg.net>
Date: Thu, 22 Jun 2023 16:51:20 -0400
To: IETF DMARC WG <dmarc@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/FiV25aQ9PceDQaA4jXJMmCFmnRw>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

> On Jun 22, 2023, at 9:54 AM, Scott Kitterman <sklist@kitterman.com> wrote:
> 
> My conclusion (it won't surprise you to learn) from this thread is precisely 
> the opposite.  
> 
> In theory, DKIM is enough for DMARC (this was always true), but in practice it 
> is not.
> 
> I don't think there's evidence of a systemic weakness in the protocol.  We've 
> seen evidence of poor deployment of the protocol for SPF, but I think the 
> solution is to fix that (see the separate thread on data hygiene).
> 
> Scott K
> 

Scott, this all started as a way to add weight to an SPF=SOFTFAIL using ADSP.  Microsoft started it, and DMARC came out with a surprisingly even tighter rule for DKIM+SPF alignment.

SPF rejects immediately issued a 55z on the transaction, which confused DMARCers.  Let’s keep in mind SPF pre-dated DMARC.

SPF softfail results were interesting for seeing how a DKIM signature may help, Microsoft’s idea before DMARC.

Overall, DMARC created a link with SPF that wasn’t thoroughly reviewed with the IETF.  It skipped the process as an Informational proposal.  Now, as a standards-track DMARCbis, we see all the problems.

How is this problem fixed with client/server protocol negotiating software?

—
HLS
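The alignment rule the thread argues about, as an added illustration that is not part of this message or any WG draft: a minimal DMARC evaluator that shows an aligned DKIM pass carrying the verdict on its own even when SPF softfails, an SPF pass on an unaligned MAIL FROM not counting, and a `use_spf` switch that models the DKIM-only variant being debated. The domains are constructed, and the organizational-domain derivation is simplified (a real evaluator consults the Public Suffix List).

```python
from dataclasses import dataclass

@dataclass
class AuthInputs:
    from_domain: str    # RFC5322.From domain that DMARC protects
    spf_result: str     # SPF result on MAIL FROM: pass/softfail/fail/none
    spf_domain: str     # MAIL FROM domain SPF was evaluated against
    dkim_result: str    # result of the best DKIM signature: pass/fail/none
    dkim_domain: str    # d= of that signature ("" if none)

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Assumption: a production evaluator uses the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' strict = exact match,
    'r' relaxed = same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_evaluate(r: AuthInputs, adkim: str = "r", aspf: str = "r",
                   use_spf: bool = True) -> str:
    """DMARC passes when either authenticated identifier is aligned.
    use_spf=False models the DKIM-only variant discussed in the thread."""
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, adkim)
    spf_ok = (use_spf and r.spf_result == "pass"
              and aligned(r.spf_domain, r.from_domain, aspf))
    return "pass" if dkim_ok or spf_ok else "fail"

# Constructed cases using example domains, not real mail flows.
SOFTFAIL_DKIM_OK = AuthInputs("example.com", "softfail", "example.com", "pass", "example.com")
ESP_SPF_ONLY = AuthInputs("example.com", "pass", "bounce.esp.example", "none", "")
SUBDOMAIN_DKIM = AuthInputs("example.com", "none", "", "pass", "mail.example.com")
SPF_ONLY_ALIGNED = AuthInputs("example.com", "pass", "example.com", "none", "")

if __name__ == "__main__":
    print(dmarc_evaluate(SOFTFAIL_DKIM_OK))            # pass: aligned DKIM alone suffices
    print(dmarc_evaluate(ESP_SPF_ONLY))                # fail: SPF pass but MAIL FROM unaligned
    print(dmarc_evaluate(SUBDOMAIN_DKIM, adkim="s"))   # fail: strict alignment rejects subdomain
    print(dmarc_evaluate(SUBDOMAIN_DKIM))              # pass: relaxed alignment accepts it
    print(dmarc_evaluate(SPF_ONLY_ALIGNED, use_spf=False))  # fail: DKIM-only mode ignores SPF
```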