Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Barry Leiba <barryleiba@computer.org> Fri, 23 June 2023 20:57 UTC

From: Barry Leiba <barryleiba@computer.org>
Date: Fri, 23 Jun 2023 16:56:59 -0400
Message-ID: <CALaySJJZ7rvQ72MRMJLpOF7+LffBYcoTqCaDV3FM+YZdGWMs2Q@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: dmarc@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/XhaIUgRUj3M-YQaoV8dDlglKrUo>

> > Presumably, a sender who uses DMARC might publish SPF to cover
> > recipients who don't use DMARC, but would prefer that recipients use
> > DMARC (authenticated by DKIM only).
>
> I get that, but that's still simultaneously saying "use SPF to
> authenticate me" and "don't use SPF to authenticate me."  If SPF is so
> unreliable that you don't want people to use it for your DMARC alignment,
> why would you want them to use it otherwise?

Because it's not better than DKIM and adds no value over DKIM... but
it's better than *nothing*, so if you don't check DKIM, I'm providing
SPF for you.

> I worry this is encouraging security theater: look, I have super secure
> DMARC p=reject, and we won't get our deliverability numbers without a big
> fuzzy SPF record.

If the alternative to DMARC p=reject, for recipients who don't handle
that, is nothing at all, I don't see that providing SPF is bad.  And
if you don't want that, don't publish an SPF record.  But for now,
DMARC isn't deployed widely enough that we can fully deprecate SPF,
and SPF does still provide value when a receiver isn't implementing
DMARC.

If the DMARC spec makes that clear, I think we win.  And recipients
can still do what they want: if DMARCbis goes out with "use DKIM only"
and a recipient wants to use SPF anyway, they can do that... just as a
recipient that decides to use best-guess-SPF in the absence of actual
SPF records is free to make that choice.

Barry
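To make the two receiver behaviours in this exchange concrete, here is an added example (not code from the thread or from any DMARC implementation): a small alignment evaluator that a receiver can run in "DKIM only" mode or in the classic DKIM-or-SPF mode, beside the decision a receiver with no DMARC at all would make from SPF alone. It assumes the receiver already holds DKIM and SPF verification results, and it approximates the organizational domain with the last two labels instead of a Public Suffix List lookup.

```python
from dataclasses import dataclass, field


@dataclass
class AuthResults:
    """Constructed per-message authentication results as a receiver would hold them."""
    from_domain: str                                 # RFC5322.From domain
    dkim_pass_domains: list = field(default_factory=list)  # d= of signatures that verified
    spf_result: str = "none"                         # pass / fail / none / ...
    spf_domain: str = ""                             # RFC5321.MailFrom (or HELO) domain


def org_domain(domain):
    # Simplification (assumption): last two labels. Real receivers consult the PSL.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier, from_domain, strict):
    """DMARC identifier alignment: exact match when strict, same org domain when relaxed."""
    a, b = identifier.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == b if strict else org_domain(a) == org_domain(b)


def dmarc_pass(r, use_spf=True, adkim_strict=False, aspf_strict=False):
    """A DMARC receiver: pass if an aligned DKIM signature verified, or, only when the
    receiver still counts SPF for alignment (use_spf=True), if SPF passed and is aligned.
    use_spf=False is the 'use DKIM only' behaviour discussed in the thread."""
    if any(aligned(d, r.from_domain, adkim_strict) for d in r.dkim_pass_domains):
        return True
    if use_spf and r.spf_result == "pass" and r.spf_domain:
        return aligned(r.spf_domain, r.from_domain, aspf_strict)
    return False


def non_dmarc_receiver_accepts(r):
    """A receiver with no DMARC at all: SPF is its only signal (the 'better than nothing'
    case), so an explicit SPF fail is rejected and alignment is never considered."""
    return r.spf_result != "fail"


if __name__ == "__main__":
    # Constructed sample: DKIM absent, SPF passes on an aligned bounce subdomain.
    m = AuthResults("example.com", [], "pass", "bounce.example.com")
    print("DKIM-or-SPF receiver:", dmarc_pass(m))                 # True (relaxed SPF alignment)
    print("DKIM-only receiver:  ", dmarc_pass(m, use_spf=False))  # False
    print("No-DMARC receiver:   ", non_dmarc_receiver_accepts(m)) # True
```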