IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Douglas Foster <dougfoster.emailstandards@gmail.com> Fri, 23 June 2023 12:13 UTC

Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABE3EC110D2F for <dmarc@ietfa.amsl.com>; Fri, 23 Jun 2023 05:13:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4XeEcS8uM3l0 for <dmarc@ietfa.amsl.com>; Fri, 23 Jun 2023 05:13:25 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8259C1881D8 for <dmarc@ietf.org>; Fri, 23 Jun 2023 05:13:25 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id 2adb3069b0e04-4f640e48bc3so661617e87.2 for <dmarc@ietf.org>; Fri, 23 Jun 2023 05:13:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687522404; x=1690114404; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RquHeiWoZ3SwGPcMcyWrMG1VGnyh0eeYy1gf+bxrrqk=; b=pAt/gUBLC3wCQxGpqymQVv5/KKS4pDj9LoZZxyqvsLpzlz3ZIH+DEnvi9GN6D3wc10 PIUPRgPlBZ/8QqCfNGRsQVHEuMDdfP4HVxbu2OWqw7YFWF3TetHkOsIxUeR/e/uHEegU YXoxIv84TnjaZ2RzOWs1/54j9kgRBAbVqYV+tChkTrdoLMI0UuAdJF6xqPxr13ofmPWV AGuQ/pXeXOhBVuNaFAI0JC8i8JSbZP8AZU/iYXgrJbQYbnAaesPX0s3mQeSDWbKxy8Jc IlxOJ9ZwMsnm1A1mDlpL2/SLhS/VeMLjnxfKarLPo64qiVvA4ae2z+IfYPfx1yg8wwjs mTkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687522404; x=1690114404; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RquHeiWoZ3SwGPcMcyWrMG1VGnyh0eeYy1gf+bxrrqk=; b=UMnGHBXr3AHUGABjVEzcEv5EZjOcPauD5woJ8TdzCw9nu1xsadGdy+fZyQLPfTnDtq srRDljcjEl/dk2dVvTn9+Dot86l+P5/Fw/D7ig3kdTTyVkeYSU1zuqCrtBEsvcpNZKJY 0ry7U5u94j4l+r9c2uh6YbUOF7RUaWXwyrp5TLK8VkFGs5L5drnXdDnngPOhJCTgYZLP juspSvCFw1LB3aGos7BYGa1LCUa+tLoWEFaHHpK8XCWWdWhmx9cMsAF79G8Eg25VAK0p 0TFGiEt2K6yuGv1yG0yC8oOUFgXeV81otJEKINAgOrz8qErTCW1Zud4NI2hAS8d2eSGq iJJg==
X-Gm-Message-State: AC+VfDxvnBqgrc4T2DYg2PGVQPtQXDmFLSkb1Y5PLEtNZGEqWtcXKXgc laqOoXl8WgW4KqNqQLViFrzyGbm+qZhehr/oXEJSNY58
X-Google-Smtp-Source: ACHHUZ7Xn7IIfJwTcMd4JzGJ2Trw0hnJ+nuwhVuFdkR6oLN/952H/+2mbumllDy8cdHMDxV8tGNJdB+fubOZ4U+S6As=
X-Received: by 2002:a19:ca10:0:b0:4f9:58bd:9e5c with SMTP id a16-20020a19ca10000000b004f958bd9e5cmr4665684lfg.3.1687522403624; Fri, 23 Jun 2023 05:13:23 -0700 (PDT)
MIME-Version: 1.0
References: <CABZJ8kmg75qo70V-N65b6C4w+g7gX0ehv3CsqG-765BbBGcn=A@mail.gmail.com> <20230623021810.E5F8DF9B3B94@ary.qy> <CAFcYR_WY8MEag7sup_7DnmzRuZJ7zeyJT6TATL45wCKBrsF3UQ@mail.gmail.com>
In-Reply-To: <CAFcYR_WY8MEag7sup_7DnmzRuZJ7zeyJT6TATL45wCKBrsF3UQ@mail.gmail.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Fri, 23 Jun 2023 08:13:13 -0400
Message-ID: <CAH48ZfyeQjC3qXtotjD5239jfusasRf4a5zXNFEw2cepdJiFgw@mail.gmail.com>
To: Emanuel Schorsch <emschorsch=40google.com@dmarc.ietf.org>
Cc: John Levine <johnl@taugh.com>, IETF DMARC WG <dmarc@ietf.org>, emgu@google.com
Content-Type: multipart/alternative; boundary="0000000000006b298505fecaed5b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/Zyzuae-hLC_8_HuuHzELRs42sHQ>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2023 12:13:26 -0000

Is there a use case for "SPF only"?

1) "We use ESPs but we never sign, so don't expect one."

2) "We have so many problems with DKIM reply that you should ignore
signatures even if they verify."

3) "We never sign, so if you see a failed signature, it is a fraud attempt."

None of these seem important to me.

Doug

On Fri, Jun 23, 2023, 12:43 AM Emanuel Schorsch <emschorsch=
40google.com@dmarc.ietf.org> wrote:

>
>
> On Thu, Jun 22, 2023 at 7:18 PM John Levine <johnl@taugh.com> wrote:
>
>> It appears that Emil Gustafsson  <emgu@google.com> said:
>> >I don't know if there is a better way to encode that, but I'm supportive
>> of
>> >making a change that that would allow domains to tell us (gmail) that
>> they
>> >prefer us to require both dkim and spf for DMARC evaluation (or whatever
>> >combination of DKIM and SPF they desire).
>>
>> I really don't understand what problem this solves. More likely people
>> will see blog posts telling them auth=dkim+spf is "more secure",
>> they'll add that without understanding what it means, and all that
>> will happen is that more of their legit mail will disappear.
>>
>> If you're worried about DKIM replay attacks, let's fix that rather
>> than trying to use SPF, which as we know has all sorts of problems of
>> its own, as a band-aid.
>>
>> R's,
>> John
>>
>
> I agree with John's point that dkim+spf doesn't make sense in the context
> of strict DMARC enforcement (I think it provides value for p=none domains
> but it's not worth that complexity). If we leave out `dkim+spf` as an
> option then we can still solve >90% of the problem at hand without having
> confused users misusing that option. I would support allowing the following
> options for the auth tag:
>    "auth=dkim|spf (default value: same as current state), auth=dkim,
> auth=spf"
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email