IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Alessandro Vesely <vesely@tana.it> Wed, 21 June 2023 08:21 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F402C151711 for <dmarc@ietfa.amsl.com>; Wed, 21 Jun 2023 01:21:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="0bdZ57+U"; dkim=pass (1152-bit key) header.d=tana.it header.b="BE5+ffWn"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CCOt4l9Qo8mS for <dmarc@ietfa.amsl.com>; Wed, 21 Jun 2023 01:21:23 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34A33C151094 for <dmarc@ietf.org>; Wed, 21 Jun 2023 01:21:20 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1687335678; bh=JRgtUHkth2mzAFwu9tAcP6mwcu5t1BfwSp8AbA0NFgY=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=0bdZ57+UhkzpSWrQmt8exn0PvYrbS0ZvgoNYoCtcLbxsNlTBJiELk6cqUAhrITBve wzKBOgcapqwJuvr7T3LBQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1687335678; bh=JRgtUHkth2mzAFwu9tAcP6mwcu5t1BfwSp8AbA0NFgY=; h=Date:Subject:To:References:From:In-Reply-To; b=BE5+ffWnfZ8HgZPnDe3yw2Uo5pPzjrF6tA3ueWSgMk3ayt57MCG88WoxB8Dv7f58p 5RevY/w6C9/ZsUsNEgSVWlRVMAJudUAgw4OTc5XEaqpEeh+mEgfDe+r5uZ0xwJdXpD S9po9iC0k+xAf2owFsh8ztRzlQTJQSj6sd4TQCMdOtEz1rAHajWNYk/s2jibB
Original-Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC0E7.000000006492B2FE.00006579; Wed, 21 Jun 2023 10:21:18 +0200
Message-ID: <a9505fda-ed21-1fc6-adb6-f231225a1ceb@tana.it>
Date: Wed, 21 Jun 2023 10:21:18 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi> <1ec42959-977a-9ce0-907a-83a5eb2b6ef2@tana.it> <25739.5435.550786.601699@fireball.acr.fi> <25739.33240.127804.524371@fireball.acr.fi> <5d9a0b0f-8777-2494-d779-376c6ab8b37d@tana.it> <xtudkqv5sqxs4c2nnilna5lf4b266br4xwdjwoq4fdyjpgzjln@xdb5rldfeini> <3087d0fa-91b4-62b4-fc64-a705c7f0b672@taugh.com> <CAHej_8=VnOC1Pms2JKJYG=2Dqtp2nc9oe-j=aEmNfvGuNhvzZA@mail.gmail.com>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <CAHej_8=VnOC1Pms2JKJYG=2Dqtp2nc9oe-j=aEmNfvGuNhvzZA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/HrLHh8CeOWRi4uNVmd7JKtW-Rhk>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Jun 2023 08:21:30 -0000

On Tue 20/Jun/2023 15:40:11 +0200 Todd Herr wrote:
> On Mon, Jun 19, 2023 at 8:25 PM John R Levine <johnl@taugh.com> wrote:
>> On Mon, 19 Jun 2023, Patrick Ben Koetter wrote:
>>> I suggest that we do not only drop SPF, but also come up with better ways 
>>> (simplification, tools, exchange formats) to implement DKIM in order to allow 
>>> for a smooth transition.
>>
>> I'm scratching my head here.  On my system I publish and rotate DKIM keys 
>> completely automatically.  The only manual config is to edit the list of 
>> domains when I add or remove one from my mail server.  It's not totally 
>> trivial but it's not that hard.
>>
>> I suppose we could encourage people to implement ed25519 signatures since 
>> the keys are small and more likely to fit in a single TXT record string 
>> for provisioning crudware that doesn't handle multiple strings, but beyond 
>> that, what do you have in mind?
>
> I can't speak for Patrick, but I don't think he's necessarily thinking of 
> different encryption algorithms here.
>
> Not all who wish to have their email DKIM signed have the luxury that you 
> have John of full control of the DKIM signing process. I'm specifically 
> thinking of the entity (call them Marty Marketer) who has the authority to 
> employ a third party to send authenticated mail on behalf of a domain, mail 
> that the third party can and will DKIM sign using the entity's domain. 
> Sadly, Marty does not have the authority to update DNS for that domain in 
> order to publish a DKIM public key. This leads to challenges as the third 
> party presents to Marty a public key to publish, and Marty tries to figure 
> out to whom to pass along this information and in what format. This leads 
> to screen caps, or cutting and pasting errors, misdirected mail chains, 
> etc., etc.
>
> Is this the way it should be? Probably not, but it's a reality for many, 
> and it's a problem we don't as an industry have an answer for yet. If we 
> did, there wouldn't be people in the other thread reporting such a high 
> percentage of DKIM failures due to malformed/missing keys.
>
> Now, of course we could argue that Marty shouldn't be left to their own 
> devices to engage third party senders, and that should solely be the 
> province of the IT staff that manages DNS, but I fear that the energy 
> required to type and distribute such words would be wasted.


Creating more and more publishing mechanisms could reproduce the situation of 
SPF, whereby customers of the same third party can easily impersonate one another.

DKIM signatures have to be created by MSAs upon user authentication.  MSAs 
which use smarthosts, IMHO, had better sign just the header fields they control 
rather than delegate signing.  Doesn't Marty have any option on that?


Best
Ale
--

v2.23.0 | Report a Bug | By Email