Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 23 June 2023 23:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/T7rTXt6TrjOxNJAPpIwUl9yYdOI>

John, you have a solid theoretical argument, but mail senders are
pragmatists, not theorists.

There are still filtering products in use that evaluate SPF but not DMARC.
In the products that I have seen up close, they only act on SPF FAIL, and
ignore SPF NONE. But without certainty about how all evaluators operate,
there is a strong incentive to keep SPF PASS in place. I note that
Gmail.com still has an SPF Policy.

Adding a flag to evaluate DMARC without SPF allows a sender to navigate the
market differences between DMARC-aware and DMARC-ignorant evaluators.

Doug



On Fri, Jun 23, 2023 at 3:30 PM John R Levine <johnl@taugh.com> wrote:

> > Presumably, a sender who uses DMARC might publish SPF to cover
> > recipients who don't use DMARC, but would prefer that recipients use
> > DMARC (authenticated by DKIM only).
>
> I get that, but that's still simultaneously saying "use SPF to
> authenticate me" and "don't use SPF to authenticate me."  If SPF is so
> unreliable that you don't want people to use it for your DMARC alignment,
> why would you want them to use it otherwise?
>
> I worry this is encouraging security theater, look I have super secure
> DMARC p=reject and, we won't get our deliverability numbers without a big
> fuzzy SPF record.
>
> R's,
> John
> >
> > Barry
> >
> > On Fri, Jun 23, 2023 at 1:54 PM John R Levine <johnl@taugh.com> wrote:
> >>
> >>> My understanding is that if `auth=dkim` then SPF would be ignored from the
> >>> perspective of DMARC. So if a receiver sees DKIM is not DMARC aligned and
> >>> only SPF is DMARC aligned then it would still be treated as a DMARC fail.
> >>
> >> That's my understanding.
> >>
> >>> It would be a way for senders to say "yes I checked that all my DKIM
> >>> signatures are working and aligned, I don't need you to look at SPF and
> >>> don't want to have the risk of SPF Upgrades.
> >>
> >> So why do you publish an SPF record?  Presumably so someone will accept
> >> your mail who wouldn't otherwise, except you just said they shouldn't.
> >> Still not making sense to me.
> >>
> >> Regards,
> >> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> >> Please consider the environment before reading this e-mail. https://jl.ly
> >>
> >> _______________________________________________
> >> dmarc mailing list
> >> dmarc@ietf.org
> >> https://www.ietf.org/mailman/listinfo/dmarc
> >
> >
>
> Regards,
> John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail. https://jl.ly
>
>
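
The `auth=dkim` semantics described in the quoted exchange, sketched as an added example that is not part of any message in the thread and not code from any DMARC implementation. The `auth` tag is the proposal under discussion, not part of RFC 7489; the domains, the function names and the two-label organizational-domain shortcut are assumptions made for illustration.

```python
# Added example: DMARC pass/fail with and without the proposed `auth=dkim` tag.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    """Assumption: last two labels. Real evaluators use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' (default) = same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record, from_domain, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = list of (result, d= domain)."""
    tags = parse_dmarc(record)
    # Proposed tag from the thread: auth=dkim means SPF is ignored for DMARC.
    dkim_only = tags.get("auth", "").lower() == "dkim"
    dkim_ok = any(
        res == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
        for res, d in dkim)
    spf_ok = (not dkim_only and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    return "pass" if (dkim_ok or spf_ok) else "fail"

# Constructed inputs: SPF passes and aligns; the only DKIM signature that
# verifies belongs to a third party, so DKIM is not aligned.
RECORD = "v=DMARC1; p=reject"
RECORD_DKIM_ONLY = "v=DMARC1; p=reject; auth=dkim"
SPF_ALIGNED = ("pass", "bounce.example.com")
DKIM_UNALIGNED = [("pass", "esp.example.net")]
DKIM_ALIGNED = [("pass", "mail.example.com")]

if __name__ == "__main__":
    for rec in (RECORD, RECORD_DKIM_ONLY):
        result = dmarc_result(rec, "example.com", SPF_ALIGNED, DKIM_UNALIGNED)
        print(f"{rec!r}: {result}")
```

An SPF-only filter never calls `dmarc_result` at all and sees the same SPF pass under either record, which is why a sender could publish both the SPF record and the flag.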