IETF Logo Mail Archive

Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30

Scott Kitterman <sklist@kitterman.com> Sat, 06 April 2024 16:56 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1E033C14F698 for <dmarc@ietfa.amsl.com>; Sat, 6 Apr 2024 09:56:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="ramzrT0o"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="mZ9HWgLO"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lmMrc8EQMLQI for <dmarc@ietfa.amsl.com>; Sat, 6 Apr 2024 09:56:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB5A4C14F696 for <dmarc@ietf.org>; Sat, 6 Apr 2024 09:56:22 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 90117F8020E for <dmarc@ietf.org>; Sat, 6 Apr 2024 12:56:04 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1712422549; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=7QZ/mvD4urogrkoBdaODwhXoJznL/IzO3wnLaqJnDZE=; b=ramzrT0otCf8pm8CpQvzkljD4Djd4aVwEGBeFpIYq2f6JJhM9fZ7bfXpfEhkPo0Y7IRjb IPfiGcMSVOclOW0CQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1712422549; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=7QZ/mvD4urogrkoBdaODwhXoJznL/IzO3wnLaqJnDZE=; b=mZ9HWgLOg0YUm/o8Ohbjo9A/PzJDcnjehKE5NwB2e4MD4f7nkCwp2mQoq69MXSYxL3bRK ITu8ngfQubORVjuLKykjXLx26eqYUzodru6MwwI6A3yTTe3nC3tWDPykphyOdwXz9MWbJN6 BdBYfOPPfzBXYf6Et6JXgiMwqRMq4PCjWz/N7I+U378GVfomRyfaci1yozmd8ptCZJxACsv ZrK4xLXOmv2c/4cBu2Mv8WmtrOLq/y0BFiPeczJBAuYSgrYS5WCMpfSIu9ftJkfht0wWUJj Dcs5R40XtnZ1003pj4a2gSYmJ9ZFOIEqxCx/+XbTsu9ZpJJiS/yTTX7M1VIw==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 61ECBF80126 for <dmarc@ietf.org>; Sat, 6 Apr 2024 12:55:49 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Sat, 06 Apr 2024 12:55:44 -0400
Message-ID: <2604655.DFmN5XB9IS@zini-1880>
In-Reply-To: <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd-7A@mail.gmail.com>
References: <eda55c54-c149-475c-8117-bfdf3885a883@tekmarc.com> <20240331180009.F36CD8687B50@ary.qy> <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd-7A@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/O17x351jUJs9dGsUwvYGIdhmZPs>
Subject: Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2024 16:56:27 -0000

On Sunday, March 31, 2024 3:45:31 PM EDT Seth Blank wrote:
> On Sun, Mar 31, 2024 at 2:00 PM John Levine <johnl@taugh.com> wrote:
> > It appears that Mark Alley  <mark.alley@tekmarc.com> said:
> > >>   People who publish -all know what they do.
> > >
> > >I posit that there is a non-insignificant amount of domain owners that
> > >don't know what the consequences of -all are other than that they've
> > >been instructed to use "-all" by a guide online, ...
> > 
> > I'm with you.  I have had too many arguments with people whose SPF records
> > end with -all and insist it is everyone's fault but theirs that their mail
> > doesn't get delivered.
> > 
> > The special case of a record only containing -all, meaning they send no
> > mail whatsoever, is different and I don't think it's contentious.
> > 
> > But I still am reluctant to give people a lot of advice about how to
> > sent up their SPF records. This is dmarc-bis, not spf-bis.
> 
> I concur, and do not want to accidentally make normative updates to SPF.
> 
> SPF hard fails in a DMARC context is a constant point of confusion and bad
> operational practice. I do think the spec should cover it in a concise and
> mostly informational way.
> 
> 
> My proposed text was:
> 
> ----
> Some Mail Receiver architectures implement SPF in advance of any DMARC
> operations. This means that an SPF hard fail ("-") prefix on a sender's SPF
> mechanism, such as "-all", could cause that rejection to go into effect
> early in handling, causing message rejection before any DMARC processing
> takes place, and DKIM has a chance to validate the message instead of SPF.
> Operators choosing to use "-all" to terminate SPF records should be aware
> of this. Since DMARC only relies on an SPF pass, all failures are treated
> equally. Therefore, it is considered best practice when using SPF in a
> DMARC context for domains that send email to end records with a soft fail
> ("~" / "~all").
> ---
> 
> Could this work with simply the removal of the last sentence covering best
> practice?

Sorry I'm late.  I got pulled into some other things and am catching up now.

I think removing the last sentence is appropriate.  Once SPF doesn't pass, 
DMARC doesn't care what happens after that.  We should not make any 
recommendations in this document about stuff that doesn't affect DMARC.

Overall, I think the proposed text is fine, less that last sentence.

Scott K

v2.23.0 | Report a Bug | By Email