Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

[Scott Kitterman <sklist@kitterman.com>]

On June 8, 2023 2:20:44 PM UTC, "Murray S. Kucherawy" <superuser@gmail.com> wrote:
>On Thu, Jun 8, 2023 at 6:00 AM Tobias Herkula <tobias.herkula=
>401und1.de@dmarc.ietf.org> wrote:
>
>> My team recently concluded an extensive study on the current use and
>> performance of DMARC. We analyzed a staggering 3.2 billion emails, and the
>> insights drawn are quite enlightening. Of these, 2.2 billion emails
>> (approximately 69%) passed the DMARC check successfully. It's quite an
>> achievement, reflective of our collective hard work in fostering a safer,
>> more secure email environment.
>>
>>
>>
>> However, upon further analysis, it's evident that a mere 1.6% (or
>> thirty-six million) of these DMARC-passed emails relied exclusively on the
>> Sender Policy Framework (SPF) for validation. This is a remarkably low
>> volume compared to the overall DMARC-passed traffic, raising questions
>> about SPF's relevancy and the load it imposes on the DNS systems.
>>
>>
>>
>> Given the current use case scenarios and the desire to optimize our
>> resources, I propose that we explore the possibility of removing the SPF
>> dependency from DMARC. This step could result in a significant reduction in
>> DNS load, increased efficiency, and an accurate alignment with our
>> predominant use cases.
>>
>> [...]
>>
>
>Does anyone have consonant (or dissonant) data?
>
I don't have data, but I do have a different view on how to frame the data.

We've expended a lot of cycles in this working group on trying to figure out how to make DMARC more reliable because it is not sufficiently so for all domains to publish a restrictive DMARC policy (in fact, progress in the working group is currently blocked on the question of how to describe this).

I don't think DMARC has a surplus of reliability such that we should think about giving some of it away voluntarily.  I submit that this 1.6% is not "mere", it's huge.

What do I mean by that?  That 1.6% will include both domains which use SPF alone and which use both SPF and DKIM.  DKIM is not perfect.  When I did have access to relevant data, I recall seeing typical DKIM verification rates for direct mail typically between 99.2% and 99.8%.  It was never 100%.  For SPF, when the SPF record was correct, it was almost always 100%.  Based on this historical experience, I suspect that a significant fraction of that 1.6% are cases like this where SPF saves the DMARC result when DKIM has failed.  

For the overall protocol, DKIM and SPF are complementary.  While an estimated 0.5% drop in DMARC failures may not seem like much, I think it's a lot and we don't have a surfeit of reliability that we should give some away.

I suspect that the real driver here is senders allowing too much "bad" mail to get an SPF pass (I have also seen, but do not have access to, data that indicates this is the case).  DKIM has similar problems (see the recent DKIM working group discussions on replay attacks).  I think working on that problem (SPF/DKIM pass rates for "bad" mail) is where the focus should be.

Not a DMARC working group issue.

Scott K