Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Scott Kitterman <sklist@kitterman.com> Tue, 20 June 2023 16:50 UTC

Date: Tue, 20 Jun 2023 16:49:28 +0000
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
In-Reply-To: <20230620163348.6345DF6FA360@ary.qy>
References: <20230620163348.6345DF6FA360@ary.qy>
Message-ID: <87A48C99-CBCE-4FC5-A4C8-6CD10F7D56AC@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PY-zfQNBfQoHKnBW_81_i18q6ps>


On June 20, 2023 4:33:48 PM UTC, John Levine <johnl@taugh.com> wrote:
>It appears that Tobias Herkula  <tobias.herkula@1und1.de> said:
>>Sadly they can’t; there are Mailbox Providers that expect SPF Records, so to maintain deliverability to those, you have to keep SPF
>>records in place and can’t switch to a DKIM-only DMARC.
>
>Nobody's saying you can't publish SPF.  We're just saying DMARC should ignore it.

See the message I sent in a new thread for details.

I don't think this makes any sense.  There are problematic messages passing SPF.  Similarly there are problematic messages passing DKIM.  All dumping SPF does is increase the incentive to replay DKIM.

The problem here is domains authorizing their mail to be sent from under-controlled third-party sources.  Once SPF is gone, they'll use DKIM and still send "bad" messages.  Problem not solved.

If, for example, you deploy BIMI, and messages you didn't send get the BIMI marker, the solution is to hunt through your DMARC feedback reports, figure out which third party authenticated the message, and fire them.

This is an economics/incentives problem, not a technical problem.

Scott K
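The triage Scott describes (hunting through DMARC feedback reports to find which third party authenticated a message) as an added Python example; this is not code from the list or from any participant. It parses a constructed aggregate (RUA) report in the RFC 7489 Appendix C layout and tallies the records whose DMARC pass came from an aligned, passing DKIM signature under a selector that is not on a hypothetical allowlist of the domain owner's own selectors; the sample report and the allowlist are both made up.

```python
import xml.etree.ElementTree as ET
# Constructed RUA report in the RFC 7489 Appendix C layout; not a real report.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><selector>corp1</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf>
  </auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><selector>esp-bulk</selector><result>pass</result></dkim>
   <spf><domain>bulk-esp.example.net</domain><result>pass</result></spf>
  </auth_results></record>
 <record><row><source_ip>203.0.113.4</source_ip><count>9</count></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>other.example</domain><selector>x</selector><result>pass</result></dkim>
   <spf><domain>other.example</domain><result>fail</result></spf>
  </auth_results></record>
</feedback>"""

# Hypothetical allowlist: the selectors the domain owner's own infrastructure signs with.
KNOWN_SELECTORS = {"corp1"}

def aligned(dkim_domain, header_from):
    """Relaxed DKIM alignment: signing domain equals header.from or is a subdomain of it."""
    return dkim_domain == header_from or dkim_domain.endswith("." + header_from)

def third_party_signers(report_xml, known_selectors):
    """Tally {(dkim_domain, selector, source_ip): count} for records whose DMARC pass came
    from an aligned, passing DKIM signature under a selector we do not recognise."""
    root = ET.fromstring(report_xml)
    found = {}
    for rec in root.iter("record"):
        header_from = (rec.findtext("identifiers/header_from") or "").lower()
        ip = rec.findtext("row/source_ip") or "?"
        count = int(rec.findtext("row/count") or 0)
        for dkim in rec.findall("auth_results/dkim"):
            d = (dkim.findtext("domain") or "").lower()
            sel = dkim.findtext("selector") or ""
            # A failing or unaligned signature cannot be the one that produced the DMARC pass.
            if dkim.findtext("result") != "pass" or not aligned(d, header_from):
                continue
            if sel not in known_selectors:
                found[(d, sel, ip)] = found.get((d, sel, ip), 0) + count
    return found
```

Each key in the result names the selector record (`<selector>._domainkey.<domain>`) and source IP that vouched for the mail, which is what identifies the third party holding that signing key.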