Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

"John Levine" <johnl@taugh.com> Tue, 02 April 2013 01:53 UTC

Date: Tue, 02 Apr 2013 01:53:19 -0000
Message-ID: <20130402015319.6440.qmail@joyce.lan>
From: John Levine <johnl@taugh.com>
To: dmarc@ietf.org
In-Reply-To: <abadaedab23c43a793a53eaa235a885d@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Cc: tzink@exchange.microsoft.com
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

>> bigbank.com txt "v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 
>> ?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all"
>
>example.com ------------+
>                        |
>BigBank.com ------------+----> Microsoft Forefront IPs ----> Internet
>                        |
>Learning.edu            |
> security@bigbank.com --+
>
>Case 1 - Mail comes from 22.22.22.22 -> Forefront scans it

Oh, no, I had in mind customers who send mail through Forefront, but
also send some of their own mail directly from 22.22.22.22.  If it all
goes through Forefront, it all gets Forefront's ?ip SPF rules.

>Case 2 - Mail comes from 1.2.3.4 (Learning.edu malicious spoof) -> Forefront scans it and it SPF fails -> Relays to Internet (e.g.,
>Hotmail) who scans it and it is Neutral
>
>But real mail from BigBank.com would have a DKIM header and so therefore it would DMARC pass at the Hotmail side.
>
>Is that right?

Right.

>But wouldn't it mean that a 3rd party who didn't validate DKIM or DMARC would always get SPF Neutral in the case of a legitimate message?

Right.  Since we know the same IP can emit both real and bogus
messages and SPF can't tell the difference, what other result could
you honestly provide?  Is it really a good idea to return an SPF pass
for a message that might be a phish?

>> Or you can sign all your mail with DKIM, publish no SPF at all, and use DMARC p=reject.
>
>I've thought of that, too. I think that would be a good solution if DMARC compliance was more widespread than it is

From a security point of view, it's really the same as what you have
now, since you can't count on the bounce address as an identifier nor
SPF to tell you whether a message is authorized.

>I've thought of that, too. But I heard ADSP was basically dead and superseded by DMARC.

ADSP is kaput.  No great loss.

It seems to me that you have an opportunity here for some client
behavior modification that can be applied incrementally.

If you don't know what domains a client uses, you can't make any
meaningful path authorization assertions.  (I don't want to think
about who gets the blame when you send those SPF approved phishes.)

But when a client gives you their list of domains, you can then filter
their mail to only allow those domains in their mailstream, and more
important, filter all your other clients' mail to forbid them.  Now
you have your paths back under control, and you can publish SPF
records for that client that provide pass results.  That's a feature
that adds customer value or whatever it's called these days.

R's,
John
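A worked example, added here and not part of either message in the thread: it evaluates the quoted bigbank.com SPF record (reflowed onto one line) against the three sending IPs discussed, and then combines that SPF result with DKIM alignment the way a DMARC-checking receiver such as Hotmail would. It assumes an ip4-only subset of SPF and exact-domain alignment (real relaxed alignment compares organizational domains); the IPs and domains are the constructed ones from the thread.

```python
import ipaddress

# Constructed sample: the bigbank.com record quoted in the thread, on one line.
BIGBANK_SPF = ("v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 "
               "?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an ip4-only SPF record (small subset of RFC 7208) for one sending IP.

    Only the ip4 and all mechanisms are handled (assumption: enough for the
    record under discussion); any other mechanism raises ValueError.
    """
    ip = ipaddress.ip_address(client_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"                     # RFC 7208 default qualifier
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech.lower() != "ip4":
            raise ValueError(f"unsupported mechanism: {mech}")
        if ip in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]    # first matching mechanism wins
    return "neutral"                        # nothing matched and no "all" term


def dmarc_result(from_domain, spf_result, mail_from_domain, dkim_domains):
    """DMARC passes if SPF or DKIM produced an aligned pass.

    spf_result is the receiver's SPF verdict for the connecting IP,
    mail_from_domain is the bounce-address domain, and dkim_domains are the
    d= domains whose signatures verified. Alignment here is an exact match
    (assumption; relaxed mode would compare organizational domains).
    """
    spf_aligned = spf_result == "pass" and mail_from_domain.lower() == from_domain.lower()
    dkim_aligned = from_domain.lower() in {d.lower() for d in dkim_domains}
    return "pass" if (spf_aligned or dkim_aligned) else "fail"
```

Case 1 (direct from 22.22.22.22) is the only way the record yields an SPF pass; anything relayed through the shared Forefront ranges lands on a ?ip4 term and comes out neutral, so only an aligned DKIM signature can carry a DMARC pass for it.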