IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 29 June 2023 11:18 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65AA1C151535 for <dmarc@ietfa.amsl.com>; Thu, 29 Jun 2023 04:18:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uph0KjkKed_G for <dmarc@ietfa.amsl.com>; Thu, 29 Jun 2023 04:18:55 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5F34C14CE53 for <dmarc@ietf.org>; Thu, 29 Jun 2023 04:18:55 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id 2adb3069b0e04-4f954d7309fso665813e87.1 for <dmarc@ietf.org>; Thu, 29 Jun 2023 04:18:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1688037534; x=1690629534; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=AqKegx01F/SQ+88U1zpCbV4K43U0OSK9TafL8aKy0i0=; b=NKNMeFaiJ9jdMzVnh8jOt2fCbb8OMnYp3knkc36MrBisWiJ4agpUwFV0xSIFnzeZ12 pEzgAz73RA7ZCiXxHAwsU+Rk6/yOOmqzu8Pz3f6Y2tymkmv23A5TvRIarCHFeU2w9RJt U8qaCsCb1bewyqGEP7uUzP+b2hkLHpcdlLvr2W0UykCAepVzNEWRGXAQrvYEkDWgPwM5 xMp7oVkE6O67QtpTkqFMptxDoNcZvH4bj2SIB9IZyx4kVSICpdBCB9AmGnCwIrruRubw gOQwXf1IOTCl52LLAArWFvOdLV2L953Cvl45eYu8UG+A6hPXoLdiBQ+MmR/MGAyskkSl P3QA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1688037534; x=1690629534; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=AqKegx01F/SQ+88U1zpCbV4K43U0OSK9TafL8aKy0i0=; b=Ho5X/J0LoeEkcu2wMHmFE1ZLkjmgPzVsF2P1wFDKiPtlcUQ8Z+tm2wp7LIcMXLX+xg zne6GG1uBK9wV/6c0sORBJdH/fbzXzKmEizWzbNBht5lV1YKMQlpcixggkuvHGnT3CEB GfkhKSpzIadaUCpmD7za07PcpTXBtevzz18GVuWdlc4MWVWW+ElRqdHS5Bgf7zU67cyf UnSyBxfbauyswwnZURPn1SHv0W7Z3v8+GyBZ092N8i5SzCXpaPFudf9NH72Lj2DkRAkI LyPZnkTFnymIZ+6KSfEwRN6a/gcn/5EoN6nV2kEzF3/i8K0Y0OmgrJautIErtyOdEa6d KSNg==
X-Gm-Message-State: AC+VfDwN0e2DVDzDKGYdtlOjP36PVbwOCnFEEusEOqaEZZem5YNhFPei A8lp6eK8Ogy87j4Hn9UiHElX7mDy0JDdg2BsknzewYQ4
X-Google-Smtp-Source: ACHHUZ6zsarUSu1wgdoggyxDW4Y668Mjx/S/pg0X7rlSqjw3lc/d35vDWCLheFMxbdnJA/COWC/QTBWeKCe0sZBvQ6E=
X-Received: by 2002:a05:6512:12d1:b0:4fb:7758:4ec0 with SMTP id p17-20020a05651212d100b004fb77584ec0mr1457280lfg.24.1688037533645; Thu, 29 Jun 2023 04:18:53 -0700 (PDT)
MIME-Version: 1.0
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com> <CAL0qLwasxzqJt7Hr7gZd86C=ivCrDUci_i6pkJJUTnqzL1pHMA@mail.gmail.com> <CALaySJ+gjR6D-OSE_07iSH2zXa7wypUQwPN1cL-1s+NC2S4L8g@mail.gmail.com> <99e1ef2d-053b-8cfe-f369-fa8475d142ae@tana.it> <CALaySJKZoAPTT-+cZEww+y2eUsDbNXcybb=Z7RxNLyfzPMr7ng@mail.gmail.com> <d3986316-02f9-9d73-be81-37af7cfd40a7@tana.it> <CALaySJLtUtKNtP4__pOryFLaAODjiEx-nbdvF9tL6wYhcRCe_g@mail.gmail.com> <877A1137-3A55-424A-A9C5-FCCA4F2D5436@kitterman.com> <CAH48Zfyp1CvKLaGvYp0eC=E3hG7GU-T2YGR+H64GMzSNjM3AAA@mail.gmail.com> <CAL0qLwbRe8LRx7PupT9=FYBbGd1s4y8BnU3iD2eLR8rB7Gdbig@mail.gmail.com>
In-Reply-To: <CAL0qLwbRe8LRx7PupT9=FYBbGd1s4y8BnU3iD2eLR8rB7Gdbig@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Thu, 29 Jun 2023 07:18:42 -0400
Message-ID: <CAH48Zfz8MV2HTFLxaSsBKR=cgLzhhjR-von=2p9LGMj_+6Xj7Q@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008f813005ff42dd3d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/PeQykO7hnIzTqSHBeGEb1YDQbnc>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 11:18:56 -0000

But I don't have a solution for ESP messages that use DKIM to authorize the
From, but use their own domain for SPF Pas on Mail From.   That requires
tying the signature to the server and/or Mail From domain using a signature
token

On Thu, Jun 29, 2023, 1:25 AM Murray S. Kucherawy <superuser@gmail.com>
wrote:

> On Wed, Jun 28, 2023 at 5:50 PM Douglas Foster <
> dougfoster.emailstandards@gmail.com> wrote:
>
>> We are talking about SPF AND DKIM because of the problems with DKIM
>> replay.   Can someone summarize the state of the DKIM update options that
>> have been ruled in or ruled out?
>>
>
> There's a document over in that working group that takes a run at doing so.
>
> I'm worried about the complexity and assumptions in the proposal that
> follows:
>
> Given a received sequence of
>>
>>    - Msg Date
>>    - Rcv Date 1
>>    - Rcv Date 2
>>    - ....
>>    - Rcv Date N
>>
>> A signature should have a start time between one of these date boundaries.
>>
>
> There's no reason to trust the dates, IP addresses, or any other detail in
> these header fields beyond infrequent manual diagnostic efforts.  They are
> trivially forged and rarely signed.   You definitely should not attempt to
> couple anything you infer from them with the semantics of a passing
> cryptographic signature.
>
> The first global IP after the signature server becomes the perimeter
>> server which must demonstrate that it's domain has the right to act on
>> behalf of the signing domain.
>>
>
> That sounds like the very definition of SPF.
>
> By "global" I presume you mean "publicly routed".  Do we really want to
> start teaching mail software how to determine which IP addresses are
> publicly routed?  It's not as simple as the RFC 1918 question.
>
> Improvements within control of the signing server:
>>
>> If the message is not created by the originating server, the message
>> should contain one or more Received headers.   The header list on the
>> signature should contain "Received" entries to match the number of Received
>> headers at the time of signing.   This further identifies the signature's
>> position in the Received chain.
>>
>
> The original DKIM RFC (RFC 4871) specified a list of header fields that
> SHOULD and SHOULD NOT be signed, and Received was in the latter group.
> It's common for Received fields to be stripped when they depart a domain in
> order to conceal the topology within that domain.  Less commonly, they can
> get reordered, edited, or re-wrapped.  Any of those would break the
> signature if it covered them.
>
> RFC 6376, the standard, dropped the SHOULD and SHOULD NOT, but still
> discourages paying any attention to Received when signing.
>
>
>> Improvements requiring changes to the DKIM specification
>>
>> They could identify a way to document the signing server's domain in the
>> signature.
>>
>
> Isn't that the "d=" tag?
>
> -MSK, participating
>

v2.23.0 | Report a Bug | By Email