Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Hector Santos <hsantos@isdg.net> Fri, 23 June 2023 17:23 UTC

Message-ID: <6495D504.4090809@isdg.net>
Date: Fri, 23 Jun 2023 13:23:16 -0400
From: Hector Santos <hsantos@isdg.net>
Reply-To: hsantos@isdg.net
Organization: Santronics Software, Inc.
To: John Levine <johnl@taugh.com>, dmarc@ietf.org
CC: emgu@google.com
References: <20230623021810.E5F8DF9B3B94@ary.qy>
In-Reply-To: <20230623021810.E5F8DF9B3B94@ary.qy>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/YY7EpayRddvZk7Gtot9CPI37Yzk>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Levine makes a good point. A less complex option would be:

auth=dkim          # apply dkim only, ignore spf, dkim failure is dmarc=fail
auth=spf           # apply spf only, ignore dkim, spf failure is dmarc=fail

The default auth=dkim,spf SHOULD NOT be explicitly required. It 
adds no additional security value.  I would like to note that some DNS 
Zone Managers with DMARC record support will add the complete tags 
available for the protocol with the default conditions, making the 
record look more complex than it really is.

Other system integration options would be (forgive me, for I have sinned):

atps=1     # we support ATPS protocol for 3rd party signer.
rewrite=1  # we are perfectly fine with Author Rewrite

--
HLS

On 6/22/2023 10:18 PM, John Levine wrote:
> It appears that Emil Gustafsson  <emgu@google.com> said:
>> I don't know if there is a better way to encode that, but I'm supportive of
>> making a change that that would allow domains to tell us (gmail) that they
>> prefer us to require both dkim and spf for DMARC evaluation (or whatever
>> combination of DKIM and SPF they desire).
> I really don't understand what problem this solves. More likely people
> will see blog posts telling them auth=dkim+spf is "more secure",
> they'll add that without understanding what it means, and all that
> will happen is that more of their legit mail will disappear.
>
> If you're worried about DKIM replay attacks, let's fix that rather
> than trying to use SPF, which as we know has all sorts of problems of
> its own, as a band-aid.
>
> R's,
> John


-- 
Hector Santos,
https://santronics.com
https://winserver.com
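As an added example (not code from this thread or from any DMARC implementation), a toy evaluator implementing the `auth=` tag semantics proposed in the message above: `auth=dkim` counts only an aligned DKIM pass, `auth=spf` counts only an aligned SPF pass, and a missing tag keeps the RFC 7489 rule that either aligned pass suffices. The tag parser, the organizational-domain stand-in, the alignment check and the sample cases are assumptions constructed here.

```python
# Added example: DMARC evaluation with the proposed `auth=` tag.  Nothing here
# is from the thread's authors; sample cases and helpers are constructed.

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; auth=dkim' into a lowercase tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain: str) -> str:
    # Stand-in for the Public Suffix List lookup: keep the last two labels.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    needs the same organizational domain.  None means the method did not pass."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_result(record: str, from_domain: str, dkim_d=None, spf_domain=None) -> str:
    """dkim_d: d= of a DKIM signature that verified (None if none did).
    spf_domain: domain for which SPF returned pass (None otherwise)."""
    tags = parse_dmarc(record)
    methods = {m.strip().lower() for m in tags.get("auth", "dkim,spf").split(",")}
    checks = []
    if "dkim" in methods:
        checks.append(aligned(dkim_d, from_domain, tags.get("adkim", "r")))
    if "spf" in methods:
        checks.append(aligned(spf_domain, from_domain, tags.get("aspf", "r")))
    return "pass" if any(checks) else "fail"

# Constructed cases for mail with From: user@example.com.  "forwarded": the
# DKIM signature survives but SPF now passes only for the forwarder's domain.
CASES = {
    "direct":    dict(dkim_d="example.com", spf_domain="example.com"),
    "forwarded": dict(dkim_d="example.com", spf_domain="forwarder.example.net"),
    "spf_only":  dict(dkim_d=None,          spf_domain="example.com"),
}

def evaluate(record: str) -> dict:
    """Evaluate every constructed case against one DMARC record."""
    return {name: dmarc_result(record, "example.com", **kw) for name, kw in CASES.items()}
```

Running `evaluate()` over the three records shows the trade-off discussed in the thread: `auth=spf` fails the forwarded case that the default and `auth=dkim` accept, while `auth=dkim` fails mail that passes SPF alone.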