Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

[Neil Anuskiewicz <neil@marmot-tech.com>]

> On Jun 8, 2023, at 4:25 PM, Scott Kitterman <sklist@kitterman.com> wrote:
> 
> The data I have seen (and it sounds like Mike is saying the same thing) shows DKIM verification results are less than 100%, consistently, for direct connections.  It was always lower than the SPF pass rate for hosts listed in a domain's SPF record.  I understand that in theory, it shouldn't matter, but in practice it is.
> 
> Software engineering isn't a perfect science.  In general, a more complex protocol will suffer more defects.  If you want to design things that only work when software is perfect, I'm not interested.
> 
> In terms of utility for direct connections, I think having both helps and I don't find claims the SPF can never pass when DKIM fails to be credible.  If someone has data that shows that's true now, I'd be interested to see it (my experience is a few years ago, so things may have changed).
> 
> Ultimately, I think SPF and DKIM both suffer from what I'll genetically call data hygiene problems.  SPF is mostly adding third party providers who are insufficiently careful (might not even care, I don't know) generating SPF pass results for "bad" mail.  DKIM is mostly about replay attacks.  Neither of these are protocol problems and I don't think support dumping one or the other out of DMARC.
> 
> One could make the opposite argument too, and I think it would be equally valid:
> 
> The only value DKIM brings for DMARC is for indirect mail flows.  For any direct connections, SPF is sufficient.  All the proposed DKIM changes to solve the DKIM replay problem are likely to break indirect mail flows anyway, so there's no longer a point to keep DKIM.  It's much more complicated and it looks like the benefit of it is going away, let's just simplify the protocol and get rid of it.
> 
> Now, I think that's a bad argument, but I don't think it's any worse than the argument being presented to get rid of SPF.

I’ve observed the pattern of a high dmarc pass rate on DKiM alone, over 99% in most cases, yet as cogently stated by others, SPF will take a 99.5% pass rate to a rock solid 100%.

These might be an acceptable amount of blocked mail in some situations but there are many other scenarios where these lost emails, which add up fast, cost the company money and potentially strain relationships.  Email is perhaps the most important tool for business communication between businesses. An account manager sends a contract to an important prospect who doesn’t get it. That’s the cost. It might not be your first day at 99.9% but that number is on a rendezvous with its destiny to cost the business and individuals in various ways.

The effects of what seem to be small but aren’t when it comes to communication in business. 

Sure, we narrow the scope of our spf as much as we possibly can but we don’t toss that 0.5% traffic away without a reasonably good reason. 

If someone can cogently explain the assumption that the costs of spf implantation done judiciously (You don’t put an ESPs entire include in your org domain’s spf but you don’t just punt, declining the benefits of well implanted SPF. That’s an unforced error. Sometimes you have to throw SPF overboard but that’s not optimal. I get the feeling some here might make spf walk the plank right away. I ask that you reconsider that notion.