IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Jan Dušátko <jan@dusatko.org> Mon, 26 June 2023 14:15 UTC

Return-Path: <jan@dusatko.org>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACA6EC1519B8 for <dmarc@ietfa.amsl.com>; Mon, 26 Jun 2023 07:15:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=dusatko.org header.b="HdAMmIuu"; dkim=pass (2048-bit key) header.d=dusatko.org header.b="R9Vz6Do0"; dkim=pass (2048-bit key) header.d=dusatko.org header.b="MvCcvQ29"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E94ss2-W9Jvu for <dmarc@ietfa.amsl.com>; Mon, 26 Jun 2023 07:15:17 -0700 (PDT)
Received: from vhost.cz (hermes.vhost.cz [82.208.29.84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F9E8C151538 for <dmarc@ietf.org>; Mon, 26 Jun 2023 07:15:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dusatko.org; s=key2048; t=1687788905; bh=eEnZrYrtqSYxMYt05wzZDoLebaYrOMElnTkyx4YAoig=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=HdAMmIuuYYuON0sLTiq9dKWJjUykEVdGTPgiYZexZ0xQDH/Vib9y87myj1GQd84gW mPsoKGSBLntthyyZyFkzIq12WGFraNrBNsNY3UWc3uEmmM0ke/3l4JXMMPtHWcuo7T VnWPcxGjeWV0u7d6eYmtXxFbJUrBvMt8BGQuK11748CrkyryxR0LPAs9GDvuTYgrGs vo0QcejwvWJC0o5Uc8QOwtZhYpraoy5KykCvaseH41/QwmPyQGzHL2Kpqdhe1fqV14 dY01rbkDW72EN6yJd6VZYVZLVLMDQjkGAd9v249lJwoIaSTbgPfEBa82UNAYdmgU5M jrJz9aa7Mfq+w==
Received: from localhost (localhost [127.0.0.1]) by hermes.vhost.cz (Postfix) with ESMTP id AE88D80023 for <dmarc@ietf.org>; Mon, 26 Jun 2023 16:15:05 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at hermes.vhost.cz
Received: from vhost.cz ([127.0.0.1]) by localhost (hermes.vhost.cz [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rMR7OddBjEqq for <dmarc@ietf.org>; Mon, 26 Jun 2023 16:15:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dusatko.org; s=key2048; t=1687788904; bh=eEnZrYrtqSYxMYt05wzZDoLebaYrOMElnTkyx4YAoig=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=R9Vz6Do0r36ja836V71JcVGXgqFVpdTjT4ZAlBJgckV5gdXlxqTRsBRA4WwI2O5DC tfpxJa6QrYjU/cydBF+nXx4xGPFfTw0UDhmJKgmnCFSvoU+t19xLuwsum60RCyBSYq roohLpA1OHBkphHKrwvhk+HRpD6U7h+w8dmQtBEDTD1Gywd/hEqWpXRxnNudTA9ayk C36aRf2rosEA2kBbqntjoi9e3HPA0kydcZvNjsJdh4GKMOWEqyTcb4mdT3WURZcocg rYBxrVkdUB8Tb7HQCk3rERzWV6m7srOBc05ruogASAtZMBhPiImz62j/c3xk+u00Pm KexLqhdPr377A==
Received: by hermes.vhost.cz (Postfix, from userid 115) id 4951B80094; Mon, 26 Jun 2023 16:15:04 +0200 (CEST)
X-Spam-Virus: _CLAMAVRESULT_
X-Spam-Pyzor: Reported 0 times.
X-Spam-DCC: :
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dusatko.org; s=key2048; t=1687788901; bh=eEnZrYrtqSYxMYt05wzZDoLebaYrOMElnTkyx4YAoig=; h=Date:Subject:To:Cc:References:From:In-Reply-To:From; b=MvCcvQ29Boqe6OAWC34LpDGmj//+zUgALS1YDJkPzg5wO82iYpW/WP1Ji80nFZYVG +bjdiqS7bLipLY6pWdz+e6NYNtQMd54ER6A9WXXlJBZvPxTi4RbRpsahA5HMKjzcmI TeT627sOEM24yHH04Y4PR6ORAAv9sHs1oMEkLO3yFrnvDw/jLn1XmKAZdpS+oC2BJB BzcltitStgaT0nhHlzpl9M9Zyjxre7QsIyYWkjvylKez9t105H/jfF6zq2eFl+UD5C zf7h81WcwE8gm9fijClp3pfAp4pGwRBOYncIiGQeh7HQo9O6Ltq5YW4EH+Wv2HVP2O 1/uml+S+/fKEQ==
Received: from [192.168.1.160] (static-84-242-66-51.bb.vodafone.cz [84.242.66.51]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (Client did not present a certificate) by hermes.vhost.cz (Postfix) with ESMTPSA id 7FD0680023; Mon, 26 Jun 2023 16:15:01 +0200 (CEST)
Message-ID: <fbcce1e4-b295-0265-37aa-3214b2776d30@dusatko.org>
Date: Mon, 26 Jun 2023 16:15:00 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.12.0
Content-Language: en-GB
To: Barry Leiba <barryleiba@computer.org>
Cc: dmarc@ietf.org
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com>
From: Jan Dušátko <jan@dusatko.org>
In-Reply-To: <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/chwGejNdeSN-qJYkDgCmBMiA2gE>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jun 2023 14:15:22 -0000

Barry,
I understand your concerns. Use SPF *and* DKIM could cause issues for 
any kind of mail conferencing and forwarding. Situation are quite 
complicated right now. Use of these method, as well as combination of 
these methods, could lower deliverability due protection mechanism 
contrary of forwarding/conferencing principle. But the goal of 
protection methods is to ensure the authenticity of the e-mail source. 
This means that the sender is responsible for protecting the 
domain/brand. And this ultimately requires that the owner has methods 
that are able to provide enough data to ensure its full verifiability. 
Whether these methods are properly implemented is the responsibility of 
the sender's system administrator, whether they are checked upon receipt 
is the responsibility of the recipient's system administrator. Some of 
organization checks SPF only, some DKIM only, some SFP then DKIM, some 
SPF and DKIM (but logic of that use OR), in few tenth of precents also 
followed by DMARC. And some of organizations still does not check anything.
Please, can you consider the possibility that the owner of several 
hundred or even several thousand domains is trying to protect his 
business and does not have the possibility to provide verifiable 
authenticity? If he understands the situation with their impacts, the 
possibility of using SPF and DKIM is a method to ensure adequate 
protection. By this I mean protection from where the mail can be sent 
and at the same time whether it will be signed. Despite the problems 
with mail conferences and forwarding, this may be an acceptable way to 
solve specific problems. In other cases, how we can mitigate as much of 
situation mentioned above?
If the possibility of using only DKIM, I see the risk of how the DMARC 
policy will be evaluated. If the error state of the policy is ensured 
for specific cases (non-existent public key, non-existent subdomain, 
non-existing signature), I have no problem with the approach. All that 
is needed to ensure is a precise procedure, what conditions the 
implementation must meet. And we need method, how we can enforce use of 
DKIM, else we will be in situation without any protection. This is a 
reason, why I concern about protection.

Regards

Jan

Dne 26. 6. 2023 v 14:51 Barry Leiba napsal(a):
> If we consider this sort of thing, I want to push to keep one thing
> off the table:
>
> Saying that SPF *and* DKIM *both* have to pass is a VERY BAD approach.
> Let's please just remove that from consideration.  It has not been in
> DMARC up to this point, and it would be really bad to add it.
> Deliverability would be worse than ever because we would get the worst
> of both: fragility of SPF when messages are relayed/forwarded, *and*
> problems caused by misconfigurations in *either* SPF *or* DKIM.
>
> I can accept some mechanism for the sender to say "SPF only", "DKIM
> only", or "either SPF or DKIM".  I cannot except a version of DMARC
> where *both* must pass.
>
> Barry, as participant
>
> On Sat, Jun 24, 2023 at 3:01 PM Jan Dušátko
> <jan=40dusatko.org@dmarc.ietf.org> wrote:
>> Hector,
>> I think Levin's original suggestion to use the setting option like SPF
>> AND DKIM, SPF OR DKIM, SPF only, DKIM only is excellent. It could solve
>> a lot of problems. System administrators know best how to set up their
>> system and for what purposes they need that setting. I can imagine a
>> great many reasons for and against those combinations. What seems to me
>> to be important here is that DMARC is able to use policies to solve not
>> only common but also error states. In that case, it is able to
>> successfully solve the problems caused by the attackers.
>>
>> Jan
>>
>> Dne 23. 6. 2023 v 19:23 Hector Santos napsal(a):
>>> Levine makes a good point. A less complex option would be:
>>>
>>> auth=dkim          # apply dkim only, ignore spf, dkim failure is
>>> dmarc=fail
>>> auth=spf            # apply spf only, ignore dkim, spf failure is
>>> dmarc=fail
>>>
>>> the default auth=dkim,spf SHOULD NOT be explicitly be required. It
>>> adds no additional security value.  I would like to note that some DNS
>>> Zone Managers with DMARC record support will add the complete tags
>>> available for the protocol with the default conditions making the
>>> record look more complex than it really it.
>>>
>>> Other system integration options would (forgive me for I have sinned):
>>>
>>> atps=1     # we support ATPS protocol for 3rd party signer.
>>> rewrite=1  # we are perfectly fine with Author Rewrite
>>>
>>> --
>>> HLS
>>>
>>>
>>>
>>>
>>>
>>> On 6/22/2023 10:18 PM, John Levine wrote:
>>>> It appears that Emil Gustafsson <emgu@google.com> said:
>>>>> I don't know if there is a better way to encode that, but I'm
>>>>> supportive of
>>>>> making a change that that would allow domains to tell us (gmail)
>>>>> that they
>>>>> prefer us to require both dkim and spf for DMARC evaluation (or
>>>>> whatever
>>>>> combination of DKIM and SPF they desire).
>>>> I really don't understand what problem this solves. More likely people
>>>> will see blog posts telling them auth=dkim+spf is "more secure",
>>>> they'll add that without understanding what it means, and all that
>>>> will happen is that more of their legit mail will disappear.
>>>>
>>>> If you're worried about DKIM replay attacks, let's fix that rather
>>>> than trying to use SPF, which as we know has all sorts of problems of
>>>> its own, as a band-aid.
>>>>
>>>> R's,
>>>> John
>>>>
>>>> _______________________________________________
>>>> dmarc mailing list
>>>> dmarc@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dmarc
>>>>
>>>>
>>>
>> _______________________________________________
>> dmarc mailing list
>> dmarc@ietf.org
>> https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email