Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

[Barry Leiba <barryleiba@computer.org>]

See, I don't look at it as "harmed".  Rather, I think they're using "we use
SPF" as a *reason* not to use DKIM, and I think that *causes* harm.

SPF is, as I see it, worse than useless, as it adds no value to domain that
use DKIM -- any time DKIM fails SPF will also fail -- and actually impedes
the adoption of DKIM.  Reliance on SPF causes DMARC failures that result in
deliverability problems for legitimate mail.  I wholeheartedly support
removal of SPF as an authentication mechanism that DMARC accepts.

Barry, as participant

On Thu, Jun 8, 2023 at 3:30 PM Seth Blank <seth=
40valimail.com@dmarc.ietf.org> wrote:

> Participating, I have data that I believe points to a long tail of
> businesses who predominantly only authenticate on behalf of others using
> SPF, and would be harmed by such a change. It will take me a little while
> to confirm and share.
>
> I also know a predominant ccTLD with millions of registrations, that has
> SPF on roughly 80% of them, but DMARC on barely 5%. I don't have data on
> DKIM for those, but I assume it's closer to the DMARC penetration than the
> SPF one. I'll see if I can get this data to share more publically, and also
> get the DKIM answer.
>
> Of course the goal is aligned dkim with a stated policy, but I don't think
> the data supports us being anywhere close to that realistically.
>
> As Chair, this is a valuable conversation to have with real data on
> problems and opportunities at scale, and am excited to see Tobias share and
> see what others have to say.
>
> Seth
>
> On Thu, Jun 8, 2023 at 3:21 PM Murray S. Kucherawy <superuser@gmail.com>
> wrote:
>
>> On Thu, Jun 8, 2023 at 6:00 AM Tobias Herkula <tobias.herkula=
>> 401und1.de@dmarc.ietf.org> wrote:
>>
>>> My team recently concluded an extensive study on the current use and
>>> performance of DMARC. We analyzed a staggering 3.2 billion emails, and the
>>> insights drawn are quite enlightening. Of these, 2.2 billion emails
>>> (approximately 69%) passed the DMARC check successfully. It's quite an
>>> achievement, reflective of our collective hard work in fostering a safer,
>>> more secure email environment.
>>>
>>>
>>>
>>> However, upon further analysis, it's evident that a mere 1.6% (or
>>> thirty-six million) of these DMARC-passed emails relied exclusively on the
>>> Sender Policy Framework (SPF) for validation. This is a remarkably low
>>> volume compared to the overall DMARC-passed traffic, raising questions
>>> about SPF's relevancy and the load it imposes on the DNS systems.
>>>
>>>
>>>
>>> Given the current use case scenarios and the desire to optimize our
>>> resources, I propose that we explore the possibility of removing the SPF
>>> dependency from DMARC. This step could result in a significant reduction in
>>> DNS load, increased efficiency, and an accurate alignment with our
>>> predominant use cases.
>>>
>>> [...]
>>>
>>
>> Does anyone have consonant (or dissonant) data?
>>
>> -MSK, participating
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc
>>
>
>
> --
>
> *Seth Blank * | Chief Technology Officer
> *e:* seth@valimail.com
> *p:* 415.273.8818
>
> This email and all data transmitted with it contains confidential and/or
> proprietary information intended solely for the use of individual(s)
> authorized to receive it. If you are not an intended and authorized
> recipient you are hereby notified of any use, disclosure, copying or
> distribution of the information included in this transmission is prohibited
> and may be unlawful. Please immediately notify the sender by replying to
> this email and then delete it from your system.
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>