Re: [dmarc-ietf] DMARCbis WGLC - Issue 141 DMARC and What To Say About SPF -all

Neil Anuskiewicz <neil@marmot-tech.com> Mon, 08 April 2024 01:42 UTC

From: Neil Anuskiewicz <neil@marmot-tech.com>
Date: Sun, 07 Apr 2024 18:41:51 -0700
Message-Id: <C3246021-2B48-41B5-877E-9E17F3B0BF4F@marmot-tech.com>
References: <B7EEBAF7-F42E-40B3-B8A6-A815D92732C4@kitterman.com>
Cc: dmarc@ietf.org
In-Reply-To: <B7EEBAF7-F42E-40B3-B8A6-A815D92732C4@kitterman.com>
To: Scott Kitterman <sklist@kitterman.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/RWGc5asWN6o_O2rDM1lkJx96SA0>
Subject: Re: [dmarc-ietf] DMARCbis WGLC - Issue 141 DMARC and What To Say About SPF -all


> On Apr 7, 2024, at 6:20 PM, Scott Kitterman <sklist@kitterman.com> wrote:
> 
> 
> 
>> On April 8, 2024 1:02:53 AM UTC, Neil Anuskiewicz <neil=40marmot-tech.com@dmarc.ietf.org> wrote:
>> 
>> 
>>>> On Apr 7, 2024, at 7:00 AM, Neil Anuskiewicz <neil@marmot-tech.com> wrote:
>>> 
>>> 
>>> 
>>>> On Apr 7, 2024, at 6:54 AM, Tero Kivinen <kivinen@iki.fi> wrote:
>>>> 
>>>> Scott Kitterman writes:
>>>>> I hear you. Your operational issue is my system working as designed.
>>>>> DMARC works on top of SPF, it doesn't change it.
>>>> 
>>>> Yes, DMARC works on top of SPF and DKIM, and provides a policy layer. We
>>>> are trying to change the fact that people rely purely on SPF, and try
>>>> to get them moved to use DMARC instead, and we are trying to explain
>>>> that if you do SPF inside the DMARC context, you get exactly the same
>>>> policy results as when you do SPF before, except you get it
>>>> better, as you have more data available. Using -all would be
>>>> completely OK if everybody were doing DMARC, but as there are some
>>>> systems which do SPF outside DMARC, and there having -all might
>>>> short-circuit DMARC out of the equation, we should provide guidance
>>>> to those people on how they can get the best results in the current environment.
>>>> Thus the best current practice should be to use ~all instead of
>>>> -all if you are trying to use DMARC, and want other systems to
>>>> actually act based on your DMARC policy.
>> 
>> The problem I see is that some receivers never got the memo and still enforce just on an SPF hard fail which only creates fear, uncertainty, doubt, and annoyance.
> 
> 
> If there's FUD, it's due to claiming it is a significant problem for DMARC.  Everyone has a different mail stream, so YMMV, but in my experience this is approximately never an issue.  This is only even potentially an issue when Mail From aligned and SPF is fail.  I don't recall the last time I saw that happen for a message that also passed DKIM (and d= was aligned).
> 
> What is the overwhelming case for me is Mail From is not aligned (like this mailing list) and SPF is pass, none, neutral, etc.  Even if the receiver rejects SPF fail, it almost never comes up.  Then the DMARC result is a function of the DKIM signature verifying and being aligned.  The fact that my domain has a -all SPF record virtually never matters for DMARC.
> 
> So let's move on...

Let’s move on.
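The evaluation order the two sides of this thread are describing, as an added example that is not part of the thread or of any DMARC implementation: a receiver that enforces SPF hard fail before DMARC drops a forwarded message from a -all domain without ever consulting DMARC, while ~all lets the aligned DKIM signature carry it through, and for the mailing-list case Scott describes (Mail From rewritten, SPF pass but unaligned) the qualifier never matters. Domain names are constructed, and relaxed alignment is approximated with a two-label organizational domain because no public-suffix list is assumed.

```python
# Added example (not code from the thread): a small model of the
# SPF-before-DMARC versus SPF-inside-DMARC evaluation order.
# Domains are constructed; org_domain() is a two-label approximation
# of the organizational domain (assumption: no public-suffix list).
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Approximate the organizational domain by the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, from_domain: str) -> bool:
    """Relaxed DMARC identifier alignment; an empty identifier never aligns."""
    return bool(identifier) and org_domain(identifier) == org_domain(from_domain)


@dataclass
class Message:
    from_domain: str   # RFC5322.From domain, the identity DMARC protects
    mail_from: str     # RFC5321.MailFrom domain, the identity SPF checks
    spf_result: str    # pass / fail / softfail / neutral / none
    dkim_result: str   # pass / fail / none
    dkim_d: str        # d= of the verified signature, "" if none


def spf_for_unlisted_ip(all_qualifier: str) -> str:
    """Result an unauthorized sending IP receives under '-all' vs '~all'."""
    return {"-": "fail", "~": "softfail"}[all_qualifier]


def dmarc(msg: Message) -> str:
    """DMARC passes when either authenticated identifier is aligned."""
    spf_ok = msg.spf_result == "pass" and aligned(msg.mail_from, msg.from_domain)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.dkim_d, msg.from_domain)
    return "pass" if spf_ok or dkim_ok else "fail"


def disposition(msg: Message, rejects_spf_hardfail: bool) -> str:
    """A receiver that enforces SPF first never reaches dmarc() on a hard
    fail; one that defers to DMARC lets aligned DKIM rescue the message."""
    if rejects_spf_hardfail and msg.spf_result == "fail":
        return "reject:spf"
    return "dmarc:" + dmarc(msg)


def forwarded(all_qualifier: str) -> Message:
    """Plain forwarding keeps Mail From aligned but relays from an unlisted
    IP; the original DKIM signature is assumed to survive intact."""
    spf = spf_for_unlisted_ip(all_qualifier)
    return Message("example.org", "example.org", spf, "pass", "example.org")


def via_mailing_list() -> Message:
    """A list rewrites Mail From to its own domain (SPF pass, unaligned);
    the aligned DKIM signature is assumed to survive."""
    return Message("example.org", "lists.example.net", "pass", "pass", "example.org")
```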