IETF Logo Mail Archive

Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30

Seth Blank <seth@valimail.com> Sun, 31 March 2024 19:45 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1A5BC14F61E for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 12:45:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S9Cl9dXHea55 for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 12:45:43 -0700 (PDT)
Received: from mail-pf1-x431.google.com (mail-pf1-x431.google.com [IPv6:2607:f8b0:4864:20::431]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EBECC14F60D for <dmarc@ietf.org>; Sun, 31 Mar 2024 12:45:43 -0700 (PDT)
Received: by mail-pf1-x431.google.com with SMTP id d2e1a72fcca58-6eac64f2205so2837681b3a.2 for <dmarc@ietf.org>; Sun, 31 Mar 2024 12:45:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1711914343; x=1712519143; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/h/wVZo+OXcbUzx0nI/uvr61Ew1Ph77PKatdpCqCSf0=; b=baRnZDZ9y4DCxKwzPLIXah8DGjo2ca0tAR5IQVGRwunV8oXntnDPj5xpSta7CyuUfP lVFimaOObMqN7QPJvuNjVOqz59bqrO7XAjxnNmBiDJhY2c/ZMk1kxQ0j4UNcAEZdTaX6 MMikI/TWx6HUakQcf/L/myukwtp/eNVLi5fBc7IhcAm8u81DxHL52Z28m/qzmybctEpK 3TBEfdYPzAZ7B5cVH9AKFVFtuSWauM9y9KLOtH4PLO8IML5r3Z66P/qYG5t66bYodUEV 1dazcSAvkEaxdVhR+dw5QeFfYOTMaaKSnG7Ndg1GX+kqXs9XtcpOarwPyHV2oeO4ZXUp QI1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711914343; x=1712519143; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/h/wVZo+OXcbUzx0nI/uvr61Ew1Ph77PKatdpCqCSf0=; b=iUyfjEAYBYaduDurG8jl6e0YOngq1iZyX3XRHClSDF4hgdooXeEhq030cnEIl1icI7 yULdqpnDP660r+QdFF5OC3D0B9w9coXKXkCFPI16r2COuS4o1OyangsqD9uexLGY6OLJ d4TP5nvkYW1oLJp/1fG7AJCIAXqIY7Jq6NfeEb/e0Ygfzg5CrHEmPOYuJFOg1atHUTZt U9eRGJpZRg8wFBeGJwg3DJAuapz4aQZJOHT7JALyuAfSx2INjZkL1D2t1OHIAtX5UfWq mXr0PVAUbTk441AmWqmvlh05gCk2jiauNEb/3VM29of5Fyzs7cHvCCvCEsKxlo7/M93i Z7ZQ==
X-Gm-Message-State: AOJu0YwCaz0qnPDVukkfd1fZpT0qm1RN+Kh/jWOUWB9DCglKKw9Shw3r 6sv4xHuH7dKPs0HTT/pkvU/1DmF21z3PkWPXgLw+c8xfcHU+VYgY3ki2L2oSUM51Bw8LWAk3VJq bXt3CbIWLqL7L2jQ4T5xCgaTwaVwiGujTAnKODjVTA/t4eaMqxfI=
X-Google-Smtp-Source: AGHT+IG/qdpYvz+tknaK5PokPuUc37RiDWpveqx+mWZAdQw8oYdePSjSwLXjNSglkbvCv5rlqWYlgSEAD5vXkRhiRZU=
X-Received: by 2002:a17:903:2115:b0:1e0:b874:1e5f with SMTP id o21-20020a170903211500b001e0b8741e5fmr5705886ple.65.1711914342914; Sun, 31 Mar 2024 12:45:42 -0700 (PDT)
MIME-Version: 1.0
References: <eda55c54-c149-475c-8117-bfdf3885a883@tekmarc.com> <20240331180009.F36CD8687B50@ary.qy>
In-Reply-To: <20240331180009.F36CD8687B50@ary.qy>
From: Seth Blank <seth@valimail.com>
Date: Sun, 31 Mar 2024 15:45:31 -0400
Message-ID: <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd-7A@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004bcec20614fa1eb0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/U03l4zrbUpVg7LD2AgGi469_LO4>
Subject: Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 19:45:47 -0000

On Sun, Mar 31, 2024 at 2:00 PM John Levine <johnl@taugh.com> wrote:

> It appears that Mark Alley  <mark.alley@tekmarc.com> said:
> >>   People who publish -all know what they do.
> >
> >I posit that there is a non-insignificant amount of domain owners that
> >don't know what the consequences of -all are other than that they've
> >been instructed to use "-all" by a guide online, ...
>
> I'm with you.  I have had too many arguments with people whose SPF records
> end with -all and insist it is everyone's fault but theirs that their mail
> doesn't get delivered.
>
> The special case of a record only containing -all, meaning they send no
> mail whatsoever, is different and I don't think it's contentious.
>
> But I still am reluctant to give people a lot of advice about how to
> sent up their SPF records. This is dmarc-bis, not spf-bis.
>

I concur, and do not want to accidentally make normative updates to SPF.

SPF hard fails in a DMARC context is a constant point of confusion and bad
operational practice. I do think the spec should cover it in a concise and
mostly informational way.


My proposed text was:

----
Some Mail Receiver architectures implement SPF in advance of any DMARC
operations. This means that an SPF hard fail ("-") prefix on a sender's SPF
mechanism, such as "-all", could cause that rejection to go into effect
early in handling, causing message rejection before any DMARC processing
takes place, and DKIM has a chance to validate the message instead of SPF.
Operators choosing to use "-all" to terminate SPF records should be aware
of this. Since DMARC only relies on an SPF pass, all failures are treated
equally. Therefore, it is considered best practice when using SPF in a
DMARC context for domains that send email to end records with a soft fail
("~" / "~all").
---

Could this work with simply the removal of the last sentence covering best
practice?


>
> R's,
> John
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>


-- 

Seth Blank | Chief Technology Officer
Email: seth@valimail.com


This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email