Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Scott Kitterman <sklist@kitterman.com> Thu, 22 June 2023 13:55 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C08BC169513 for <dmarc@ietfa.amsl.com>; Thu, 22 Jun 2023 06:55:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b="toimKsEa"; dkim=pass (2048-bit key) header.d=kitterman.com header.b="YYvJP7yp"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kR54D2FeduiY for <dmarc@ietfa.amsl.com>; Thu, 22 Jun 2023 06:54:57 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2433CC169518 for <dmarc@ietf.org>; Thu, 22 Jun 2023 06:54:56 -0700 (PDT)
Received: from interserver.kitterman.com (interserver.kitterman.com [IPv6:2604:a00:6:1039:225:90ff:feaa:b169]) by interserver.kitterman.com (Postfix) with ESMTPS id 65A90F80268 for <dmarc@ietf.org>; Thu, 22 Jun 2023 09:54:44 -0400 (EDT)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1687442062; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=OQBTVmt7d8zRKY3r/lBsRVj4Fm33ViQ8V/Z5hJresL4=; b=toimKsEa1xbyKe1v30kANvdCmvxNCRKBmDnB3HZ3bMTEIZEVDegKapDHn9jF9JAhu/0vX Hm4UQjbrRc2E5SkAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1687442062; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=OQBTVmt7d8zRKY3r/lBsRVj4Fm33ViQ8V/Z5hJresL4=; b=YYvJP7yp+AcNqli/XAHcblfoGG5nrd5TfM0tvRaTVI2LTVT0hWLg4PinW2bY4d7n4Z6+B zC641hmAAtN87+clApwo4Y6L4AkOo12yNsKcvtQlv2ZSQYZJFK63hhvq7670b6n7T6zqke9 Ow131w9uMddxMRhAAOpN11u3aDL6JjDCZYzUZAi/SlJyl7EKvOwe0ysAI/nyT40Swez8/Eq zwuMPkpeBIRMO3/8LLvO0acSeaozJ41DOpe93/QTNnUiTJn3EA9Ss3DEM95KwYrhvAI7OY8 35KbetUAHqb9SlfSv5tRRcydzZvVk1HF2DqbZv8Fjvl/3CDkjUNzVsVw7BVA==
Received: from localhost.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id 56FC9F80256 for <dmarc@ietf.org>; Thu, 22 Jun 2023 09:54:22 -0400 (EDT)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Thu, 22 Jun 2023 09:54:17 -0400
Message-ID: <3315842.y3rMdDZ7an@localhost>
In-Reply-To: <d30d574d-0cb8-bfc4-0d9f-7176882fc81e@inboxsys.com>
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAHej_8=7M=zJB2ENbnEQfRMfwEXDnGo61jHE_qQPTc0V9tFMdA@mail.gmail.com> <d30d574d-0cb8-bfc4-0d9f-7176882fc81e@inboxsys.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/aXWMfEYlmzVunaPFfvuLc7bgTbo>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Jun 2023 13:55:01 -0000

My conclusion (it won't surprise you to learn) from this thread is precisely 
the opposite.  

In theory, DKIM is enough for DMARC (this was always true), but in practice it 
is not.

I don't think there's evidence of a systemic weakness in the protocol.  We've 
seen evidence of poor deployment of the protocol for SPF, but I think the 
solution is to fix that (see the separate thread on data hygiene).

Scott K

On Thursday, June 22, 2023 9:46:07 AM EDT Sebastiaan de Vos wrote:
> It's not easy to set a DKIM key, I can agree with that. I do think,
> Marty should have tested before sending, though.
> 
> None of this, however, solves the issue of SPF weakening the DMARC
> standard. The weakness in SPF is not incidental, but systematic. That is
> - independent of the numbers - the reason why I vote to have SPF removed
> from the DMARC standard.
> 
> On 22.06.23 15:31, Todd Herr wrote:
> > When we look at the numbers others have posted on the topic, and we
> > see a perhaps higher than expected percentage of DMARC passes that
> > relied on SPF only (or at least a higher than expected rate of DKIM
> > failures) I'd posit that many of those DKIM failures are due to the
> > challenges that Marty and people like them face with getting the key
> > published.
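
Added worked example (not part of the original message or of any IETF text): the DMARC rule both sides of this exchange are arguing about is that a message passes when *either* an aligned DKIM signature *or* an aligned SPF result passes (RFC 7489), so an SPF pass can carry a message whose DKIM verification failed. The code below parses the Authentication-Results header that ietfa.amsl.com stamped on this very message (the ed25519 signature came back "neutral" because that verifier did not support the algorithm; the RSA signature passed), applies the evaluation with and without SPF, and shows the outcome for a message carrying only the ed25519 signature. Assumptions: the `spf=pass` result is constructed, since the amavisd header on the page has no spf= entry (it is consistent with the Return-Path and the SPF_PASS spam test); the organizational-domain step uses the last two labels instead of the Public Suffix List; function names are the author's own.

```python
"""DMARC evaluation over Authentication-Results (RFC 8601) inputs.

Added illustration: parse an Authentication-Results header, apply the RFC 7489
rule that DMARC passes when either an aligned DKIM signature or an aligned SPF
result passes, and show how the outcome changes if SPF is dropped from the rule.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class AuthResult(NamedTuple):
    method: str            # "dkim", "spf", ...
    result: str            # "pass", "fail", "neutral", ...
    props: Dict[str, str]  # e.g. {"header.d": "kitterman.com"}


# One token per match: a (comment), a ';' separator, a key=value pair (the value
# may be a quoted string that itself contains parentheses), or a bare word.
_TOK = re.compile(r'''
    \((?:[^()]|\([^()]*\))*\)
  | ;
  | ([A-Za-z0-9._-]+)=("(?:[^"\\]|\\.)*"|[^\s;()"]+)
  | [^\s;()"]+
''', re.VERBOSE)


def parse_auth_results(header: str) -> Tuple[str, List[AuthResult]]:
    """Return (authserv-id, [AuthResult, ...]) for one Authentication-Results value."""
    groups: List[List[Tuple[str, str]]] = [[]]
    for m in _TOK.finditer(header):
        tok = m.group(0)
        if tok.startswith('('):      # CFWS comment, carries no data
            continue
        if tok == ';':
            groups.append([])
            continue
        if m.group(1):
            groups[-1].append((m.group(1).lower(), m.group(2).strip('"')))
        else:
            groups[-1].append(('', tok))
    authserv_id = groups[0][0][1] if groups[0] else ''
    results = []
    for g in groups[1:]:
        if not g or not g[0][0]:     # empty group, or the bare word "none"
            continue
        method, result = g[0]
        props = {k: v for k, v in g[1:] if k}
        results.append(AuthResult(method, result.lower(), props))
    return authserv_id, results


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels (RFC 7489 uses the PSL)."""
    return '.'.join(domain.lower().rstrip('.').split('.')[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): 's' strict, 'r' relaxed."""
    d = identifier.split('@')[-1].lower().rstrip('.')   # smtp.mailfrom may be an address
    f = from_domain.lower().rstrip('.')
    if not d:
        return False
    return d == f if mode == 's' else org_domain(d) == org_domain(f)


def dmarc_evaluate(from_domain: str, results: List[AuthResult],
                   adkim: str = 'r', aspf: str = 'r',
                   use_spf: bool = True) -> Tuple[str, Dict[str, bool]]:
    """DMARC verdict from already-computed results; use_spf=False models a DKIM-only DMARC."""
    dkim_ok = any(r.method == 'dkim' and r.result == 'pass'
                  and aligned(r.props.get('header.d', ''), from_domain, adkim)
                  for r in results)
    spf_ok = use_spf and any(r.method == 'spf' and r.result == 'pass'
                             and aligned(r.props.get('smtp.mailfrom', ''), from_domain, aspf)
                             for r in results)
    return ('pass' if dkim_ok or spf_ok else 'fail'), {'dkim': dkim_ok, 'spf': spf_ok}


# The Authentication-Results value stamped on this message by ietfa.amsl.com.
AR_FROM_THIS_MESSAGE = (
    'ietfa.amsl.com (amavisd-new); '
    'dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" '
    'header.d=kitterman.com header.b="toimKsEa"; '
    'dkim=pass (2048-bit key) header.d=kitterman.com header.b="YYvJP7yp"'
)
# Constructed: that header carries no spf= result, so one is assumed here.
SPF_PASS = 'spf=pass smtp.mailfrom=sklist@kitterman.com'
FROM_DOMAIN = 'kitterman.com'


def scenarios() -> Dict[str, Tuple[str, Dict[str, bool]]]:
    _, results = parse_auth_results(AR_FROM_THIS_MESSAGE + '; ' + SPF_PASS)
    both = dmarc_evaluate(FROM_DOMAIN, results)
    # Same message had only the ed25519 signature been applied: no DKIM pass at
    # this verifier, so SPF alone carries the DMARC pass.
    ed_only = [r for r in results if r.props.get('header.b') != 'YYvJP7yp']
    spf_carries = dmarc_evaluate(FROM_DOMAIN, ed_only)
    dkim_only_policy = dmarc_evaluate(FROM_DOMAIN, ed_only, use_spf=False)
    return {'rsa+ed25519+spf': both, 'ed25519+spf': spf_carries,
            'ed25519, spf ignored': dkim_only_policy}


if __name__ == '__main__':
    for name, (verdict, detail) in scenarios().items():
        print(f'{name:22s} -> dmarc={verdict} {detail}')
```

Run as-is it prints three verdicts: pass, pass, fail. The middle case is the one the numbers in this thread are about: a DMARC pass that "relied on SPF only" because the DKIM signature did not verify at the receiver. The third case is what the same message would get under a DKIM-only DMARC, which is the trade-off the proposal to remove SPF has to price in.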