IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Jan Dušátko <jan@dusatko.org> Sat, 17 June 2023 12:28 UTC

Return-Path: <jan@dusatko.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A006AC151B1F for <dmarc@ietfa.amsl.com>; Sat, 17 Jun 2023 05:28:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dusatko.org header.b="HGJPic7m"; dkim=pass (2048-bit key) header.d=dusatko.org header.b="HNuMQc8m"; dkim=pass (2048-bit key) header.d=dusatko.org header.b="FXu1iQVK"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLFeDODJeKHj for <dmarc@ietfa.amsl.com>; Sat, 17 Jun 2023 05:27:57 -0700 (PDT)
Received: from vhost.cz (hermes.vhost.cz [82.208.29.84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0BF9C1519AF for <dmarc@ietf.org>; Sat, 17 Jun 2023 05:27:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dusatko.org; s=key2048; t=1687004871; bh=faYwhJVY13eQkOkeb3c9ktZ7QM3rufpCabS7UWSNPs0=; h=Date:Subject:To:References:From:In-Reply-To:From; b=HGJPic7m7V3SSmMS4Hn12J4djPymJEcV+P6+Lh6pCYAuUG8OS/wCob8do+ivqhZth uDLKIRXQtdBAPmkkrIxWHtYSW4lsjsE+i+O47UwJCEnTi6jzHukTt1+PJ8nhTHnpWl lvzVJrO+i1lfRc1H6mSfJnalZuh6NIKtbQCYl7TcQ1I1QfRqTVBy7Z+5E0ouIGbPqA +93mbhs6RcA6y0ZYV5HsKVTV3f+OqCBx3/nuGH1ZNqVK9lK6rc55WWrYPPeVAigrBp PPW/VYsCuddXR2X/EZxrvl8dTSYcS1H9m8DW5L4BlZVaBx9jIUNxRjRx0SIq/n24Fi wOBxE2vosweJA==
Received: from localhost (localhost [127.0.0.1]) by hermes.vhost.cz (Postfix) with ESMTP id B93E08001B for <dmarc@ietf.org>; Sat, 17 Jun 2023 14:27:51 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at hermes.vhost.cz
Received: from vhost.cz ([127.0.0.1]) by localhost (hermes.vhost.cz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nhyp7DPhfaFE for <dmarc@ietf.org>; Sat, 17 Jun 2023 14:27:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dusatko.org; s=key2048; t=1687004866; bh=faYwhJVY13eQkOkeb3c9ktZ7QM3rufpCabS7UWSNPs0=; h=Date:Subject:To:References:From:In-Reply-To:From; b=HNuMQc8mUrMKKFOFPYJk2+GoBTTEk9WndO6SuclSyc+xZtFhBzZ9yJ4sq21xgd8uG MFfpGYO3CR6Kwzvw+Yg1JfDu5or3AcaRHBZWQO2P0KWtlw4KY/Hu6lKZuoPfg1WP2q tC5I7mOx5tKdf4PtaEciNZ+NGkD5MoprznBk2vnh0kqkR2R7YMBe4p5bcs5mfquiCQ oOkccrCV2b3TfwFxbQj+JA15TJOAQTs7gqmHPF3qO1ioVhXT/VpsfokFqXPbg9OK6h nqINwqM2rGHyCDfLfn+G0z9vwr7fFGQrZyGY/xNUKAQZRIgj3EXJvQRykPXiw4Ys2J QicrysNNy1e6g==
Received: by hermes.vhost.cz (Postfix, from userid 115) id 531AC8004B; Sat, 17 Jun 2023 14:27:46 +0200 (CEST)
X-Spam-Virus: _CLAMAVRESULT_
X-Spam-Pyzor: Reported 0 times.
X-Spam-DCC: :
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dusatko.org; s=key2048; t=1687004864; bh=faYwhJVY13eQkOkeb3c9ktZ7QM3rufpCabS7UWSNPs0=; h=Date:Subject:To:References:From:In-Reply-To:From; b=FXu1iQVKmuK5YwBd2GyeJv6tujclk3LGpcCCp2FFE2gASa+UPPA5CkT4DPf5bAhgK I0yY7g4r6J8JSp0D4bwIa0+lg9Hs8RnfEXWxVqbpOWsMO66IWfi0SQjCd8DM4ztqhm qGntQFjfVbFoyGba8bDIFd5iGtu57UeJdRnnhANRIzZhLr99rvMrMytk5M9YOsuemR b5Ma8vRNorXOrT1Ag7m13CEqypj4SrGdiy+7U58y/7aYCWYTGsW4XqcNd3hSiXtV5R 4aluTpVjqFZo36TaaEoOQnH3Ejrot8fr/dKj5HLmr5O+4ZXBuHgX/LQFXRkSg67XRI FgJ7maQrV/OtA==
Received: from [192.168.1.50] (static-84-242-66-51.bb.vodafone.cz [84.242.66.51]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by hermes.vhost.cz (Postfix) with ESMTPSA id 0CCC18001B for <dmarc@ietf.org>; Sat, 17 Jun 2023 14:27:43 +0200 (CEST)
Message-ID: <285f2d2e-13fd-7cdc-c816-fba759f0745b@dusatko.org>
Date: Sat, 17 Jun 2023 14:27:36 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.11.2
Content-Language: en-GB
To: dmarc@ietf.org
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi> <1ec42959-977a-9ce0-907a-83a5eb2b6ef2@tana.it> <25739.5435.550786.601699@fireball.acr.fi> <25739.33240.127804.524371@fireball.acr.fi> <5d9a0b0f-8777-2494-d779-376c6ab8b37d@tana.it> <7d39aa8e-dacc-05fa-eff1-2cc350d521db@inboxsys.com> <CAH48ZfwyBwfKzG_3R5uyV6tmY0yUtWy=5yAoAOEhUGn_Rz6HNw@mail.gmail.com> <47b8a0c7-6a52-a4ad-e98e-8cb2f881713e@inboxsys.com>
From: Jan Dušátko <jan@dusatko.org>
In-Reply-To: <47b8a0c7-6a52-a4ad-e98e-8cb2f881713e@inboxsys.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/UL58t9awU30Tnk2BCMQ05d6Pr2k>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Jun 2023 12:28:02 -0000

Hi

I would like to know your opinion on the options currently available to 
the system administrator. If it is trying to define a policy that allows 
recipients to authenticate emails, its options are, in my opinion, limited.
- The issue of SPF and cloud systems mentioned, or including over 
networks with mask /8 or /16 is extremely inappropriate
- It is not possible to set up the enforcement of DKIM signatures 
because DomainKey and its policies are not related to DKIM and there is 
no similar technology for DKIM (ADSP is not used)
- If I am the administrator of hundreds or thousands of domains, it is 
in my interest to provide the recipient with information about the 
sender's authentication options. For example, all emails use DKIM, all 
emails use ARC, all emails use SPF ... and if not, you can discard them. 
But I do not have this option with DMARC.
I understand that this is in the middle of what DMARC2 is supposed to 
address. But could there be a possibility for the DMARC2 record 
administrator to define a policy for domains and provide relevant 
information for recipients? It is the recipient's decision whether to do 
this verification, but it is also the sender's decision to offer this 
information. Unfortunately, at this point, either the signature is 
valid, or wrong, or it is not. If it is not possible to accept the 
e-mail, but the recipient does not have the option of verifying whether 
the sender's domain enforces this signature. It is similar with SPF. And 
DMARC2 seems to me to be a good place for these definitions. But I would 
like to avoid of forced removal of SPF, please let it for administrator 
decision.

Regards

Jan

Dne 16. 6. 2023 v 13:28 Sebastiaan de Vos napsal(a):
> The need for separate DKIM failure codes to be able to separate 
> between in-transit changes and public key errors is more than just 
> valid and I don't consider SPF worthless in general, but I just find 
> it disturbing how the obviously misplaced confidence in SPF currently 
> weakens the whole DMARC standard.
>
> Is it not in our best interest to encourage and motivate in particular 
> the less sophisticated senders to use the higher confidence mechanisms?
>
>
> On 16.06.23 13:02, Douglas Foster wrote:
>> RFC 7489 takes 8 different authentication mechanisms and lumps them 
>> into a single PASS result:
>> DKIM or SPF, each with up to four types of alignment:  same domain, 
>> parent->child, child->parent, and sibling->sibling
>>
>> These eight mechanisms all provide some level of confidence that the 
>> message is not impersonated, but they do not provide an equal level 
>> of confidence.
>>
>> Unsophisticated senders have little incentive to use the higher 
>> confidence mechanisms because any PASS result is still PASS.  The 
>> solution is not to pretend that SPF is worthless, because that is an 
>> overstatement.   The solution is to talk about the differences in 
>> confidence provided by the different authentication methods, and note 
>> that evaluators have reason to distrust some of them.   That distrust 
>> could cause a weakly authenticated message to be distrusted by some 
>> evaluators.
>>
>> Similarly, needs multiple types of FAIL.   Since the data indicates 
>> that missing (or invalid) public keys are a significant portion of 
>> all failures, it needs a separate failure code from "normal" failures 
>> which suggest in-transit changes.  The DKIM group needs to define the 
>> result code but this group would need to integrate it into our 
>> aggregate reports.
>
>

-- 
-- --- ----- -
Jan Dušátko

Tracker number:	+420 602 427 840
e-mail:		jan@dusatko.org
GPG Signature:	https://keys.dusatko.org/E535B585.asc
GPG Encrypt:	https://keys.dusatko.org/B76A1587.asc

v2.23.0 | Report a Bug | By Email