IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Todd Herr <todd.herr@valimail.com> Tue, 20 June 2023 13:40 UTC

Return-Path: <todd.herr@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58A91C151554 for <dmarc@ietfa.amsl.com>; Tue, 20 Jun 2023 06:40:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SV3-Ejjc_xuM for <dmarc@ietfa.amsl.com>; Tue, 20 Jun 2023 06:40:28 -0700 (PDT)
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FFC9C151980 for <dmarc@ietf.org>; Tue, 20 Jun 2023 06:40:28 -0700 (PDT)
Received: by mail-pl1-x62d.google.com with SMTP id d9443c01a7336-1b52e55f45bso20692175ad.2 for <dmarc@ietf.org>; Tue, 20 Jun 2023 06:40:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1687268427; x=1689860427; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=Rd6nrsSOYn2+dnr3GYkDbXM64ja4oV4U2l/loQlppfI=; b=Lan2r+XCGfVvd4CoiWwSsRLy0sE1hCkaSHzh+JI+qkp9bTdcu1Cpb3SEnffmBLAwfB APZddeDSMXNad8ohmPotx6sLDU0JbvPi6KhrzM/rS4yqH8OMl2VRlfr2rsyr513/q4/p jbENMaKqxLlBRo150YF7iWl5yPXwPr6HtR6VqnULZAnHm0I/Uy85wG24105Axy4p/4kg FsrecxYVv/tZ+ZuG6OYmFbxhth+iLOAOwOWJcLOVX0NCw2kXXW9zigLxBxrgg/WB2BAO tt4R8Dh+kdFDBmy3uFw8Nfm6TQj+XMY7OOVJlMuKmXcTY8eK1bWjwWtq5v34Yms3v7qu PZjw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687268427; x=1689860427; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Rd6nrsSOYn2+dnr3GYkDbXM64ja4oV4U2l/loQlppfI=; b=Kq0IwiYtwWrob9oJ6Xzm+UGgfde9RH2o55CBg24rSDeD6KKXvdIVfrTM83ecMKxkJF 6tkg+7DMGLv9q97iT2y4jYUA2X7Q83JAO0n7tZ4vcwf9SYiX2mZH46AdEzyx5UWqsb/L 2MOFrZE6/2efoqxbkA+0sZdXAGbOiOTYfcri9vJvNA+DwgRc/+ZhfLhhmQGWf6b+8Kal FqB6SAKdHzU9WYzBVG/NcfTCAeS7iukcJOiVxlOy7rEOOzb02tF5AE2dzTAJBuuifRez gMiom9Xw0FwSWCG4J8T1F19Lsk/FSzFoMIk/zyPN8mMtsY/KFKakT1Zf5GX5ZcdO1haY MXZw==
X-Gm-Message-State: AC+VfDya1Kb3yGeLq31nr3W0ncv8AibEm4FyIstbu3FwNM8FbkQW7z0l wN4yB9l10AKdakif4JjtCnJiVpK6zJ1BBXuid2gRCj2qDgIlsn9q
X-Google-Smtp-Source: ACHHUZ47srti003TudfcoOm85cZWsm4A5/bUFRxTF+1RijwFlqZqqHGkxfs20oUVgptDSE2Z0tkizdv6W5qJggEylV4=
X-Received: by 2002:a17:902:b28c:b0:1b3:ad86:ed17 with SMTP id u12-20020a170902b28c00b001b3ad86ed17mr8034775plr.9.1687268427209; Tue, 20 Jun 2023 06:40:27 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi> <1ec42959-977a-9ce0-907a-83a5eb2b6ef2@tana.it> <25739.5435.550786.601699@fireball.acr.fi> <25739.33240.127804.524371@fireball.acr.fi> <5d9a0b0f-8777-2494-d779-376c6ab8b37d@tana.it> <xtudkqv5sqxs4c2nnilna5lf4b266br4xwdjwoq4fdyjpgzjln@xdb5rldfeini> <3087d0fa-91b4-62b4-fc64-a705c7f0b672@taugh.com>
In-Reply-To: <3087d0fa-91b4-62b4-fc64-a705c7f0b672@taugh.com>
From: Todd Herr <todd.herr@valimail.com>
Date: Tue, 20 Jun 2023 09:40:11 -0400
Message-ID: <CAHej_8=VnOC1Pms2JKJYG=2Dqtp2nc9oe-j=aEmNfvGuNhvzZA@mail.gmail.com>
To: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003eb36005fe8fcbe4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Hpa1drxQcR4C_NLxGf7akgF-qT0>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jun 2023 13:40:32 -0000

On Mon, Jun 19, 2023 at 8:25 PM John R Levine <johnl@taugh.com> wrote:

> On Mon, 19 Jun 2023, Patrick Ben Koetter wrote:
> > I suggest that we do not only drop SPF, but also come up with better ways
> > (simplification, tools, exchange formats) to implement DKIM in order to
> allow
> > for a smooth transition.
>
> I'm scratching my head here.  On my system I publish and rotate DKIM keys
> completely automatically.  The only manual config is to edit the list of
> domains when I add or remove one from my mail server.  It's not totally
> trivial but it's not that hard.
>
> I suppose we could encourage people to implement ed25519 signatures since
> the keys are small and more likely to fit in a single TXT record string
> for provisioning crudware that doesn't handle multiple strings, but beyond
> that, what do you have in mind?
>
>
I can't speak for Patrick, but I don't think he's necessarily thinking of
different encryption algorithms here.

Not all who wish to have their email DKIM signed have the luxury that you
have John of full control of the DKIM signing process. I'm specifically
thinking of the entity (call them Marty Marketer) who has the authority to
employ a third party to send authenticated mail on behalf of a domain, mail
that the third party can and will DKIM sign using the entity's domain.
Sadly, Marty does not have the authority to update DNS for that domain in
order to publish a DKIM public key. This leads to challenges as the third
party presents to Marty a public key to publish, and Marty tries to figure
out to whom to pass along this information and in what format. This leads
to screen caps, or cutting and pasting errors, misdirected mail chains,
etc., etc.

Is this the way it should be? Probably not, but it's a reality for many,
and it's a problem we don't as an industry have an answer for yet. If we
did, there wouldn't be people in the other thread reporting such a high
percentage of DKIM failures due to malformed/missing keys.

Now, of course we could argue that Marty shouldn't be left to their own
devices to engage third party senders, and that should solely be the
province of the IT staff that manages DNS, but I fear that the energy
required to type and distribute such words would be wasted.

-- 

*Todd Herr * | Technical Director, Standards & Ecosystem
*e:* todd.herr@valimail.com
*p:* 703-220-4153
*m:* 703.220.4153

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email