Re: [dmarc-ietf] [ietf-dkim] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

Vladimir Dubrovin <dubrovin@corp.mail.ru> Mon, 21 November 2016 09:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/_qFYtdCjuJgmvgg7lhcCzU_L_uQ>

17.11.2016 17:30, Hector Santos wrote:
> On 11/16/2016 1:09 PM, Terry Zink wrote:
>>> This means ARC will be needed not only for mailing lists which
>>> modify the header or
>>> body of an email, but for EVERY mailing list and EVERY forwarded
>>> email or EVERY TIME
>>> the recipient has been modified and the email leaves the ADMD
>>> boundary. From a
>>> DMARC point of view DKIM will not be needed anymore because it has
>>> now the same
>>> function as SPF - verifying the origin of direct emails - and SPF
>>> is easier to implement
>>> for most administrators.
>>
>> +1.
>>
>> It basically (almost) turns DKIM into SPF. That's not that appealing
>> a solution.
>
> For exclusive policies (SPF -ALL), you really don't need DKIM, DMARC
> or ARC for that matter since the receiver (at least ours) will never
> accept the payload anyway, i.e. it never gets to the SMTP "DATA"
> state.  SPF does not require you to accept the mail for the hard
> reject policy (-ALL).
>

SPF "-all" doesn't protect against spoofing attacks; SPF only protects
the SMTP envelope, which is normally not visible to the user. DMARC does.

P.S. Murray, maybe it's better to add an option to DKIM-Signature or to
the _dmarc DNS record to indicate that some mechanism (DKIM or SPF) should
not be used for DMARC verification? It will work in absolutely the same way.
draft-kucherawy-dmarc-rcpts is equivalent to DMARC with disabled
DKIM authentication.

-- 
Vladimir Dubrovin
@Mail.Ru
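
The two points in this message, modelled as an added example (not part of the original post or of any draft): SPF authenticates only the envelope sender, DMARC requires the authenticated domain to align with the header From, and switching DKIM off for DMARC makes forwarded mail fail. The `use` parameter, the two-label `org_domain` shortcut and the `.example` domains are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real verifier
    # uses the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_eval(raw, mail_from, spf_result, dkim_results, use=("spf", "dkim")):
    """Relaxed-alignment DMARC check.

    mail_from    -- SMTP envelope sender (what SPF authenticated)
    dkim_results -- [(d= domain, result)] for each signature checked
    use          -- hypothetical switch from the P.S.: mechanisms that count
    """
    msg = message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    target = org_domain(from_domain)
    spf_ok = spf_result == "pass" and org_domain(mail_from.rpartition("@")[2]) == target
    dkim_ok = any(r == "pass" and org_domain(d) == target for d, r in dkim_results)
    passed = ("spf" in use and spf_ok) or ("dkim" in use and dkim_ok)
    return {"from": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc": "pass" if passed else "fail"}

# Constructed sample message; the domains are placeholders.
RAW = "From: Accounts <accounts@victim.example>\nSubject: invoice\n\nbody\n"

def spoofed():
    # Envelope sender is in another domain whose own SPF record passes.
    # victim.example's "-all" is never consulted, yet the user sees its name.
    return dmarc_eval(RAW, "bounce@other.example", "pass", [])

def forwarded(use=("spf", "dkim")):
    # Unmodified message relayed by a list: SPF now authenticates the list's
    # envelope domain, the author's DKIM signature still verifies.
    return dmarc_eval(RAW, "list-bounces@list.example", "pass",
                      [("victim.example", "pass")], use)

if __name__ == "__main__":
    print("spoofed:           ", spoofed())
    print("forwarded:         ", forwarded())
    print("forwarded, no DKIM:", forwarded(use=("spf",)))
```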