IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Tobias Herkula <tobias.herkula@1und1.de> Tue, 27 June 2023 15:06 UTC

Return-Path: <tobias.herkula@1und1.de>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20863C16951E for <dmarc@ietfa.amsl.com>; Tue, 27 Jun 2023 08:06:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=1und1.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dPFyeKXi8FJg for <dmarc@ietfa.amsl.com>; Tue, 27 Jun 2023 08:06:14 -0700 (PDT)
Received: from moint.1and1.com (moint.1and1.com [212.227.15.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43E12C15108A for <dmarc@ietf.org>; Tue, 27 Jun 2023 08:06:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=1und1.de; s=corp1; h=MIME-Version:Message-ID:Date:Subject:CC:To:From:sender:reply-to; bh=SH+07Rv0y2tnut9md3cdfQSz45ND5+AT7yWMwCr+WFY=; b=kkL/Zp1u7NjkE8vs728a6BlUa 2xVZHXN2pDHpbaokrH+UHRL3x9VAQDSczFO05wl6BPc6J2bILYV3K/VfcQifBb5/NkjXnLyQgu8Hv lvl74ky/321gvpIO9DDSfFcCsjZlgp6fDDY2II9ZCkA157e9oZFbbTDqOc953reXvhqRWoQFIXRCR NO3U2GTICFk13VeiTfSBlVYhI2NPMK5dQYzFM1PrYeOWvTSlCfjWAEr+0wEbu5FHccSc3tkdMsXQo nre+MvpWOvUI/e1vWLGL3zdrJ5RAps6l449jtmhHpbJmTxGmkcFgChRdvRAFdfxtoVJB72UPrgfev BzI4BnNpA==;
Received: from [10.98.29.9] (helo=BAPPEX024.united.domain) by mrint.1and1.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <tobias.herkula@1und1.de>) id 1qEAGi-0000Fn-Ca; Tue, 27 Jun 2023 17:06:12 +0200
From: Tobias Herkula <tobias.herkula@1und1.de>
To: Barry Leiba <barryleiba@computer.org>, Alessandro Vesely <vesely@tana.it>
CC: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
Thread-Index: AQHZow3J1njPAYUDlka8QP4L4zZbc6+TkdWAgAE5PACAAFgiAIABc2iAgAAUgoCAAAVBgIAAA9AAgAAr5wCAABCAgIAANo8AgAAUv4CAACegAIAAJsMAgAD84gCAAa2RgIACvYQAgAAzXwCAACaugIABEmOAgAA/0YCAAC0gwA==
Date: Tue, 27 Jun 2023 15:06:11 +0000
Message-ID: <89f982c1d43140ed9a07ce11135562e9@1und1.de>
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com> <CAL0qLwasxzqJt7Hr7gZd86C=ivCrDUci_i6pkJJUTnqzL1pHMA@mail.gmail.com> <CALaySJ+gjR6D-OSE_07iSH2zXa7wypUQwPN1cL-1s+NC2S4L8g@mail.gmail.com> <99e1ef2d-053b-8cfe-f369-fa8475d142ae@tana.it> <CALaySJKZoAPTT-+cZEww+y2eUsDbNXcybb=Z7RxNLyfzPMr7ng@mail.gmail.com>
In-Reply-To: <CALaySJKZoAPTT-+cZEww+y2eUsDbNXcybb=Z7RxNLyfzPMr7ng@mail.gmail.com>
Accept-Language: en-US, de-DE
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.98.28.55]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Virus-Scanned: ClamAV@mvs-ha-bs
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/WqAh1xIRpLKtg5jX_0DBfFgBlHk>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jun 2023 15:06:18 -0000

Signing That, nothing to add.

-----Original Message-----
From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Barry Leiba
Sent: Tuesday, June 27, 2023 4:24 PM
To: Alessandro Vesely <vesely@tana.it>
Cc: dmarc@ietf.org
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

I don't understand how most of your message fits into this discussion:
you're comparing SPF's policy points with DMARC policy.  we're talking about SPF as an authentication mechanism together with DKIM (not
DMARC) as an authentication mechanism... and then using those authentication results in DMARC policy evaluation.

But here: I've said all this before in separate places, so I'll put it in one place, here, one more time:

Given that SPF and DKIM are both configured properly:
1. If SPF passes, DKIM will always pass.
2. If DKIM fails, SPF will always fail.
3. In some scenarios, DKIM will pass when SPF fails.

Therefore, when everything is configured properly, SPF adds no value beyond what DKIM does, and DKIM does add value beyond what SPF does.
That's why I am (and others are) arguing that we should remove SPF *from DMARC evaluation*.  There's no argument that for now, or some, SPF outside of DMARC still has value.

What others are arguing is that in the real world, things do get mis-configured, and if DKIM is misconfigured and fails when it shouldn't, SPF adds value by providing a working authentication.
(And, of course, similarly the other way around, plus DKIM covers some cases when messages are relayed or forwarded.)  That speaks for "SPF
*or* DKIM".

But "SPF *and* DKIM" -- requiring *both* to pass -- is technically unnecessary at best, because of (1) above: DKIM should always pass when SPF passes.  But where the harm comes is in cases of mis-configuration, because now if *either* of them is misconfigured, the whole thing fails -- neither of them serves as a backup for the other; instead, the misconfiguration of either one causes deliverability problems.  DMARC is damaged by requiring an authentication situation that is unnecessary when things are properly configured, and that is more fragile than what we've been using, more susceptible to configuration errors than we've seen before.

And I'm afraid that people will use it preferentially, *thinking* that it provides better "security" -- surely, double authentication is better than single, no?

No.

Barry

On Tue, Jun 27, 2023 at 6:36 AM Alessandro Vesely <vesely@tana.it> wrote:
>
> On Mon 26/Jun/2023 20:13:53 +0200 Barry Leiba wrote:
> > I'm saying I don't want "and" to be an option, because I think it's 
> > damaging to DMARC.  There is no reason anyone should ever want to 
> > say that, and providing the option asks for misconfigurations 
> > because people think it's somehow "more secure".  It's not more 
> > secure.  It would be very bad for deliverability of legitimate mail 
> > and would provide no additional security.  It would be a terrible mistake.
>
>
> I've been sporting spf-all for years, and seldom experienced bounces, 
> mostly due to misconfigured secondary MXes.  Out of 39 domains whose 
> posts to this list in the past year are still in my inbox, 14 have 
> spf-all.  So, while I'm not the only one, not many published -all even 
> though it may seem to be somehow more secure.
>
> I think it can be worth to compare SPF and DMARC.  Another sender 
> policy a decade and an authentication method after.  What adoption, what hype.
>
> Both policies ask receivers to reject a domain identifier in some 
> cases.  RFC
> 7208 explicitly suggests to consider whitelisting (Appendix D).  DMARC 
> provides for overrides but is less clear about how to handle 
> exceptions.  After SPF broke forwarding, the reaction was split 
> between some changing identifier and turning to ~all; after DMARC 
> broke mailing lists, between changing identifier and not altering 
> messages.  In my limited experience, the ratio seems to be higher for DMARC than SPF, but I may be wrong.
>
> In theory, domains that currently have a strict DMARC policy and 
> spf-all, 6 of the above, should have their messages blocked when 
> either method fails, up to changing identifiers.  Why would it be so 
> bad for deliverability to additionally require DMARC alignment, which 
> is the difference between that and the "and"?
>
> And, it seems to me that an ESP not having a bloated SPF record could 
> stop a good deal of DKIM replay by resorting to auth=dkim+spf.  
> Besides collateral deliverability problems, why wouldn't that work?
>
> Wht would "and" damage DMARC more than -all damaged SPF?
>
> I hope we can discuss detailed criticism rather than vague ostracism.
>
>
> Best
> Ale
> --
>
>
>
>
>

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email