IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Alessandro Vesely <vesely@tana.it> Sat, 24 June 2023 16:17 UTC

Return-Path: <vesely@tana.it>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 292BEC15171F for <dmarc@ietfa.amsl.com>; Sat, 24 Jun 2023 09:17:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=tana.it header.b="r8WcnSkD"; dkim=pass (1152-bit key) header.d=tana.it header.b="BJPBUAT5"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S6YxYepMA7A4 for <dmarc@ietfa.amsl.com>; Sat, 24 Jun 2023 09:17:19 -0700 (PDT)
Received: from wmail.tana.it (wmail.tana.it [94.198.96.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2694BC151095 for <dmarc@ietf.org>; Sat, 24 Jun 2023 09:17:16 -0700 (PDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=tana.it; s=epsilon; t=1687623435; bh=1qFKY/JbukOxskNK7pcpVrc6rRV1bnlWtw2a3nTROmI=; h=Author:Date:Subject:To:References:From:In-Reply-To; b=r8WcnSkDGO/RMX5d+TZ5uSjP1stX0CbqQDOY8Oiyr0p01TYJxyHGwfe35OT3lgMsu 9hAGJZ2BGoQFmQHZrBGAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tana.it; s=delta; t=1687623435; bh=1qFKY/JbukOxskNK7pcpVrc6rRV1bnlWtw2a3nTROmI=; h=Date:Subject:To:References:From:In-Reply-To; b=BJPBUAT51cwoD+SgvFzfV+PfgfRn+GeCStOIwKNtvjMnYn9OhQo+HLv7JAe7k3BCW uiOSjPZZq2FySG6DDeXsHTHhm7S93SOrK/TMk5kYetkusjsnq6sfD2WbrCsnHWyLhJ SgbPGc8V0tVm0dsq6a3LCiDaC0Si4bV1/fZ+03NVUpWy+9FAd4J2u9a3Xk1p+
Original-Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
Author: Alessandro Vesely <vesely@tana.it>
Received: from [172.25.197.111] (pcale.tana [172.25.197.111]) (AUTH: CRAM-MD5 uXDGrn@SYT0/k, TLS: TLS1.3, 128bits, ECDHE_RSA_AES_128_GCM_SHA256) by wmail.tana.it with ESMTPSA id 00000000005DC083.000000006497170A.00005E6E; Sat, 24 Jun 2023 18:17:14 +0200
Message-ID: <fd57a401-2435-141f-5d28-ae4c8654c4e0@tana.it>
Date: Sat, 24 Jun 2023 18:17:14 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.11.0
Content-Language: en-US, it-IT
To: dmarc@ietf.org
References: <CABZJ8kmg75qo70V-N65b6C4w+g7gX0ehv3CsqG-765BbBGcn=A@mail.gmail.com> <20230623021810.E5F8DF9B3B94@ary.qy> <CAFcYR_WY8MEag7sup_7DnmzRuZJ7zeyJT6TATL45wCKBrsF3UQ@mail.gmail.com> <bfbe77ad-8aba-d803-de06-d734a177066b@taugh.com> <7A47A241-607B-4E93-B5E3-26E78FE3F166@isdg.net>
Authentication-Results: tana.it; auth=pass (details omitted)
From: Alessandro Vesely <vesely@tana.it>
In-Reply-To: <7A47A241-607B-4E93-B5E3-26E78FE3F166@isdg.net>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Mk-FgBhPO4kdfyVCelbCoPZkIfA>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Jun 2023 16:17:27 -0000

On Fri 23/Jun/2023 20:13:27 +0200 Hector Santos wrote:
>> On Jun 23, 2023, at 12:52 PM, John R Levine <johnl@taugh.com> wrote:
>> On Thu, 22 Jun 2023, Emanuel Schorsch wrote:
>>> I agree with John's point that dkim+spf doesn't make sense in the context
>>> of strict DMARC enforcement (I think it provides value for p=none domains
>> 
>> Since the aggregate reports tell you what authentication worked, I don't even see that as a benefit.  There's also the question how many people would even look at a DMARC v2 tag which would be a prerequisite for the auth tag.
> 
> DMARC v1 supports extended tags.  See section 3.1.3 in RFC 7489:
> 
> 3.1.3 <https://datatracker.ietf.org/doc/html/rfc7489#section-3.1.3>.  Alignment and Extension Technologies
> 
>     If in the future DMARC is extended to include the use of other
>     authentication mechanisms, the extensions will need to allow for
>     domain identifier extraction so that alignment with the RFC5322 <https://datatracker.ietf.org/doc/html/rfc5322>.From
>     domain can be verified.


Eh?  Dkim+spf wouldn't be a new mechanism, as the domain identifier would have 
to be the same.  I'd have cited 6.3:

6.3.  General Record Format
https://datatracker.ietf.org/doc/html/rfc7489#section-6.3

    Section 11 creates a registry for known DMARC tags and registers the
    initial set defined in this document.  Only tags defined in this
    document or in later extensions, and thus added to that registry, are
    to be processed; unknown tags MUST be ignored.

Of course, there will be lots of verifiers who ignore auth=, t=, and ed25519. 
Unfortunately, while we have so many blog posts, we're still missing DMARC 
verifier checks.


>> The idea is that auth=dkim means you'd publish SPF records but hope people will ignore them, or vice versa for auth=dkim?  I still don't get it.
> 
> The immediate benefit would be forwarders. I believe Wei labeled this form of forwarding REM in the PDF analysis posted recently.
> 
> With REM forwarders, in SMTP transport terms, it is a passthru message forwarded to a recorded address given by the local domain or locally hosted domain Recipient , untouched data.  MTA inbound to MTA outbound. The MDA, like gmail.com <http://gmail.com/>, would see an SPF failure so the DMARC auth=dkim relaxed option tells GMAIL that the hard fail with SPF is acceptable, ignore it, but expect the DKIM to be valid from the author signer domain.


SPF hard fail is acceptable even with the default auth=.  (SPF hard fail is a 
problem for those who reject before DATA.  Receiving MXes have no DKIM clue at 
that stage.  The only way forwarding might work without replacing the bounce 
address is if either the receiver or the SPF record provide for whitelisting. 
As a side note, let me add that I'm rejecting way more spam thanks to spf-all 
than DMARC and DNSBL together.)

The auth=dkim (excluding SPF) setting is needed by domains who /have/ to 
include a bloated SPF record in order to deliver at sites which only verify 
that.  However, since the bloated record allows impersonation, they don't want 
that DMARC verifiers consider it.  They probably wish that everybody used DMARC 
so that they could avoid publishing an SPF record, but there's not much they 
can do about it.


Best
Ale
--

v2.23.0 | Report a Bug | By Email