Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

Terry Zink <tzink@exchange.microsoft.com> Tue, 02 April 2013 00:59 UTC

Return-Path: <tzink@exchange.microsoft.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1712911E811F for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 17:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.974
X-Spam-Level:
X-Spam-Status: No, score=-101.974 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, J_CHICKENPOX_16=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2f6TwnvnA5k1 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 17:59:22 -0700 (PDT)
Received: from na01-sn2-obe.outbound.o365filtering.com (na01-sn2-obe.ptr.o365filtering.com [157.55.158.23]) by ietfa.amsl.com (Postfix) with ESMTP id 69E0411E80F8 for <dmarc@ietf.org>; Mon, 1 Apr 2013 17:59:22 -0700 (PDT)
Received: from BL2SR01MB605.namsdf01.sdf.exchangelabs.com (10.255.109.167) by BL2SR01MB606.namsdf01.sdf.exchangelabs.com (10.255.109.168) with Microsoft SMTP Server (TLS) id 15.0.670.5; Tue, 2 Apr 2013 00:59:20 +0000
Received: from BL2SR01MB605.namsdf01.sdf.exchangelabs.com ([169.254.8.123]) by BL2SR01MB605.namsdf01.sdf.exchangelabs.com ([169.254.8.123]) with mapi id 15.00.0670.000; Tue, 2 Apr 2013 00:59:20 +0000
From: Terry Zink <tzink@exchange.microsoft.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Thread-Index: AQHOLzvTHt+cvTe3uUu+i2ndboug7ZjCGeFQ
Date: Tue, 02 Apr 2013 00:59:19 +0000
Message-ID: <abadaedab23c43a793a53eaa235a885d@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
References: <77426B543150464AA3F30DF1A91365DE52EA0E87@ESV4-MBX01.linkedin.biz> <20130402004813.6168.qmail@joyce.lan>
In-Reply-To: <20130402004813.6168.qmail@joyce.lan>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [131.107.192.221]
x-forefront-antispam-report: SFV:SKI; SFS:; DIR:OUT; SFP:; SCL:-1; SRVR:BL2SR01MB606; H:BL2SR01MB605.namsdf01.sdf.exchangelabs.com; LANG:en;
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: DuplicateDomain-6c178e33-aecb-4786-8220-9afceeddbaf3.exchange.microsoft.com
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 00:59:24 -0000

John,

I'm going to combine your responses. Please bear with me to ensure I understand what you are saying.

> Nope.  As I said, Terry's proposal adds nothing beyond the configuration I described.
> Please reread the message to which you were responding more carefully, paying particular 
> attention to the difference between SPF pass and neutral.  Really, you gain nothing.
> 
> bigbank.com txt "v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 
> ?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all"

example.com ------------+
                        |
BigBank.com ------------+----> Microsoft Forefront IPs ----> Internet
                        |
Learning.edu            |
 security@bigbank.com --+

Case 1 - Mail comes from 22.22.22.22 -> Forefront scans it and it SPF passes -> Relays to Internet (e.g., Hotmail) who scans it and it is Neutral (since it came from Forefront IP range)
Case 2 - Mail comes from 1.2.3.4 (Learning.edu malicious spoof) -> Forefront scans it and it SPF fails -> Relays to Internet (e.g., Hotmail) who scans it and it is Neutral

But real mail from BigBank.com would have a DKIM header and so therefore it would DMARC pass at the Hotmail side.

Is that right?

But wouldn't it mean that a 3rd party who didn't validate DKIM or DMARC would always get SPF Neutral in the case of a legitimate message?


> Or you can sign all your mail with DKIM, publish no SPF at all, and use DMARC p=reject.

I've thought of that, too. I think that would be a good solution if DMARC compliance were more widespread than it is (it's pretty good now but there's still a very long tail of receivers who just use SPF and don't validate DKIM... I don't want to mention any names but there's at least one large MTA that still doesn't validate DKIM natively). Thus, if you don't publish SPF records, for the long tail of receivers that don't do DKIM or DMARC, they are even more prone to spoofing since they wouldn't pass SPF.

> (If anyone used ADSP, you could use ADSP discardable, too.)

I've thought of that, too. But I heard ADSP was basically dead and superseded by DMARC.

-- Terry


-----Original Message-----
From: dmarc-bounces@ietf.org [mailto:dmarc-bounces@ietf.org] On Behalf Of John Levine
Sent: Monday, April 01, 2013 5:48 PM
To: dmarc@ietf.org
Cc: fmartin@linkedin.com
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

>If you want to say, nobody else can spoof me, then you can do SPF -all,

Or you can sign all your mail with DKIM, publish no SPF at all, and use DMARC p=reject.  (If anyone used ADSP, you could use ADSP discardable, too.)

One of the strengths of DMARC is that SPF and DKIM are each optional, and senders can use them in whatever combination best describes their mail setup.

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
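The exchange above turns on the difference between SPF "pass" and SPF "neutral" and on how DMARC treats each. The following is an added worked example (editor's illustration, not code from Terry, John or the DMARC working group) that evaluates the SPF record John quoted against the two relay cases Terry lays out, then runs a simplified DMARC alignment check on top. It models only the ip4 and all mechanisms (no DNS lookups), collapses organizational-domain alignment to a direct domain comparison, and uses a constructed relay address (157.55.158.23, taken from the 157.55.158.0/23 range in the record) for the Forefront hop; the function names are the example's own.

```python
import ipaddress

# The SPF record quoted in the thread: '+' (pass) for the bank's own outbound
# host and '?' (neutral) for the Forefront relay ranges, '~all' otherwise.
BIGBANK_SPF = ("v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 "
               "?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all")

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Parse the ip4 and 'all' mechanisms of an spf1 record into (qualifier, network) pairs.

    Other mechanisms (include, a, mx, ...) require DNS and are deliberately
    not modelled in this example.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "ip4":
            mechanisms.append((qualifier, ipaddress.ip_network(value, strict=False)))
        elif name == "all":
            mechanisms.append((qualifier, None))  # 'all' matches every client
        else:
            raise ValueError(f"mechanism not modelled in this example: {name}")
    return mechanisms


def spf_check(record, client_ip):
    """Return the SPF result for the connecting IP: first matching mechanism wins."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, network in parse_spf(record):
        if network is None or ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # default when no mechanism matches


def dmarc_evaluate(spf_result, spf_domain, dkim_result, dkim_domain, from_domain):
    """Simplified DMARC check: pass if SPF or DKIM both passes and aligns with the
    RFC5322.From domain. SPF 'neutral' or 'softfail' is not a pass, which is why a
    relayed message needs an aligned DKIM signature to survive p=reject."""
    spf_aligned = spf_result == "pass" and spf_domain.lower() == from_domain.lower()
    dkim_aligned = dkim_result == "pass" and dkim_domain.lower() == from_domain.lower()
    return "pass" if (spf_aligned or dkim_aligned) else "fail"


def run_cases():
    """Replay the two cases from the thread at both the Forefront hop and the final receiver."""
    # Case 1: legitimate mail leaves 22.22.22.22, is scanned by Forefront, then relayed.
    case1_forefront = spf_check(BIGBANK_SPF, "22.22.22.22")
    case1_receiver = spf_check(BIGBANK_SPF, "157.55.158.23")  # constructed relay IP
    case1_dmarc = dmarc_evaluate(case1_receiver, "bigbank.com",
                                 "pass", "bigbank.com", "bigbank.com")
    # Case 2: spoofed mail from 1.2.3.4 hits Forefront and is relayed the same way,
    # but carries no bigbank.com DKIM signature.
    case2_forefront = spf_check(BIGBANK_SPF, "1.2.3.4")
    case2_receiver = spf_check(BIGBANK_SPF, "157.55.158.23")
    case2_dmarc = dmarc_evaluate(case2_receiver, "bigbank.com",
                                 "none", "", "bigbank.com")
    return {
        "case1": (case1_forefront, case1_receiver, case1_dmarc),
        "case2": (case2_forefront, case2_receiver, case2_dmarc),
    }


if __name__ == "__main__":
    for name, (at_forefront, at_receiver, dmarc) in run_cases().items():
        print(f"{name}: SPF@Forefront={at_forefront} SPF@receiver={at_receiver} DMARC={dmarc}")
```

Running it shows the point both sides are making: at the final receiver both the legitimate and the spoofed message evaluate to SPF neutral, because both arrive from a Forefront address, and only the aligned DKIM signature separates them under DMARC. It also shows Terry's concern in concrete terms: a receiver that checks SPF alone, without DKIM or DMARC, sees "neutral" for every legitimate relayed message and has nothing else to go on.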