IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Seth Blank <seth@valimail.com> Thu, 08 June 2023 15:55 UTC

Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06FC7C151097 for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 08:55:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d9CiWCWUdIDG for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 08:55:40 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B589EC151092 for <dmarc@ietf.org>; Thu, 8 Jun 2023 08:55:40 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id 38308e7fff4ca-2b1ba018d94so7385851fa.0 for <dmarc@ietf.org>; Thu, 08 Jun 2023 08:55:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1686239738; x=1688831738; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3vcCDrssdmc7HhTU9TRjsg9zAhCOgaVFiqXlb1X7SRc=; b=YHqJ/RGRymlrk/wDUvnhS/NEDkgQMh6Y23r5XkhTjpc1vQEZLd7lOpbGug69HcSe6D fHNHBfGig+RIK5XA5NlZb5E9/N8/lcJJZlgBnLeT5uy10T9CNQBU55FTBdEWIYb7qZ8w ESmPVSz9kSqahG2Vnyzk9eACzYa+ZPfOGrkDm27zqyQGtivBpM3ofRyrOcP66flC3agy mqQTuxEfd0k08fyfw80uGrumKRGXxdV8M1YuIu/YxDfqmm1G5EeIRs7/qYOnsBVQ+1/u N5zMzMm5X8aKNzEnikl7DPUGZeMDNhOIRuhwFyk/MIAEhGL5Psa9NpQOBJPeJAa3hqDs Uj+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686239738; x=1688831738; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3vcCDrssdmc7HhTU9TRjsg9zAhCOgaVFiqXlb1X7SRc=; b=EyXrhpizp2E08ttcgRTLtIzyGkzn+vbUwcWkYDPER37Nk7MIXEgzhafQ9XsX0QiW8C tqaeK4FHhmaOIQ89MwmD3dkpX3tK7d/CE+ErP7bZvHCR11tc5eiNNY+z6PLkfFGKiOZh Es7cNvbJO9gzDjo2R/1wPhCe1H1lpJaEVOd+gzVuUdACU34RPZo88WE4q/W/ozJXyBJ2 cwqUPEUcEvnkdhyKR3abjbFVxQp+44zH0+fGZhdrFKwNex1Tzk6EP130dwxD9EeIZ/y8 3/Vm/xfAugBTdSEanVRpo6GCiLo06rb1JR2y5qkwCX+og/S2u1M9msnKqXfbNeDFWZo1 ljYQ==
X-Gm-Message-State: AC+VfDzBWoHvl6RizcnSo71A5HGpn7NGVSdxK/xts1emMt8mLPVR0afC PBcFB76KK8Ia2ngRiJcjB+KdZnfkhUEpNyPehSQLBN1LrSIFIp12cso=
X-Google-Smtp-Source: ACHHUZ5lFsrRKTBUJrIq60KZgfiDhitrr4eik4kGiGlm4tmVMUUXnT0c8bfLF1/4EipZrkasiZYN/OgqqfBafVkGoHI=
X-Received: by 2002:a2e:a406:0:b0:2b1:e6eb:1ba2 with SMTP id p6-20020a2ea406000000b002b1e6eb1ba2mr4028205ljn.22.1686239738300; Thu, 08 Jun 2023 08:55:38 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAL0qLwbx6Y=kmB5pQZx8gNqD=rLBYz1vLOX6ngL=wUHHUm0Hjw@mail.gmail.com> <CAOZAAfMtsjcp+aCrwQ2QRc+SHsw3rhwMuTBugRYe44NeiMeKyg@mail.gmail.com> <CALaySJKrXJJXz3pgp85BPswoirhPJtD=uuefVfc9sX1fGkj-iA@mail.gmail.com> <CAD2i3WMbVZ0-yQeqoy7P9njyBRU2jdbP2jGtzUnzEE0dfsLR2g@mail.gmail.com> <CALaySJJY3_=HknSBENOjkUomdX_RXMfXyCxYOd3mjsvS-V=-Qw@mail.gmail.com> <CAOZAAfMybMYJrw9dMd=VmhD0oX0w+m1k8Vg=Hn=QJ3UZBLfRNw@mail.gmail.com> <66433CD1-BDDA-429F-B7A4-9E972754719F@kitterman.com>
In-Reply-To: <66433CD1-BDDA-429F-B7A4-9E972754719F@kitterman.com>
From: Seth Blank <seth@valimail.com>
Date: Thu, 08 Jun 2023 16:55:26 +0100
Message-ID: <CAOZAAfMMQLbVOjwuHYb5zxkg8RhMeZW02JAoF7av2RSC73rd2w@mail.gmail.com>
To: Scott Kitterman <sklist@kitterman.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000009ba0d905fda048c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ed3C90XzdHfGLtpO_r-UQElOhVI>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2023 15:55:45 -0000

It’s not that simple for larger organizations, because of how distributed
control of subdomains can be. You’d want to set an organizational policy to
disallow SPF on the org domain.

The problem with SPF is shared services. This has become so bad recently as
to render many of the valuable bits of SPF more problematic.

I’m in general agreement with you that SPF and DKIM work in concert, and
you can’t just look at them in isolation. Even small percentages in email
represent billions of messages, as we all know from mailing list damage
from DMARC being “less than a percent.”

On Thu, Jun 8, 2023 at 16:51 Scott Kitterman <sklist@kitterman.com> wrote:

> Isn't the way to say I don't use SPF for DMARC to not publish an SPF
> record?
>
> Scott K
>
> On June 8, 2023 3:35:38 PM UTC, Seth Blank <seth=
> 40valimail.com@dmarc.ietf.org> wrote:
> >I’ll bring data. I think there’s a practical problem here and a class of
> >services that are not email-first which will break completely (ie get
> >immediately rejected) were such a change to be made.
> >
> >This feels like a significant interoperability problem we’d be
> introducing.
> >
> >I’m loathe to add flags when we’ve been so good at simplifying DMARC
> >through the bis process and removing flags, but what about a way to say “I
> >only send with DKIM, and do not evaluate SPF on my behalf”?
> >
> >That wouldn’t create an interop problem, and gives a path to upgrade
> >without creating breaking change out of the gate?
> >
> >Seth
> >
> >On Thu, Jun 8, 2023 at 16:05 Barry Leiba <barryleiba@computer.org> wrote:
> >
> >> Oh, and as to your last paragraph, I think it’s the wrong question.
> What
> >> we need to understand is that SPF is ineffective, and DKIM is what’s
> >> necessary to make DMARC work effectively.  When we started, DKIM was
> not as
> >> broadly deployed and we didn’t understand how bad SPF would be.  We have
> >> different information now, and we need to say that of you want to
> reliably
> >> authenticate you have to use DKIM… that’s it.
> >>
> >> Barry
> >>
> >> On Thu, Jun 8, 2023 at 3:54 PM Seth Blank <seth@sethblank.com> wrote:
> >>
> >>> Participating, while running around so apologies for terseness:
> >>>
> >>> Sophisticated senders do DKIM. The long tail, we're lucky if they do
> SPF.
> >>> Some authentication is better than none.
> >>>
> >>> The problem isn't people evaluating SPF vs DKIM and choosing the easier
> >>> option. It's people who have a business, who bolt on email, and then
> >>> struggle to authenticate through any means. Again, we're lucky when we
> get
> >>> SPF from them, and I'll still take that over no auth all day every day.
> >>>
> >>> Don't disagree at all with the myriad problems with SPF, and that the
> >>> goal should be to eliminate it. I just don't believe we're anywhere
> close
> >>> to that being a reality yet.
> >>>
> >>> The data that led to DMARC showed that SPF and DKIM were both necessary
> >>> to determine legitimacy broadly. What would we need to understand now
> to
> >>> see if only DKIM is necessary?
> >>>
> >>> On Thu, Jun 8, 2023 at 3:44 PM Barry Leiba <barryleiba@computer.org>
> >>> wrote:
> >>>
> >>>> See, I don't look at it as "harmed".  Rather, I think they're using
> "we
> >>>> use SPF" as a *reason* not to use DKIM, and I think that *causes*
> harm.
> >>>>
> >>>> SPF is, as I see it, worse than useless, as it adds no value to domain
> >>>> that use DKIM -- any time DKIM fails SPF will also fail -- and
> actually
> >>>> impedes the adoption of DKIM.  Reliance on SPF causes DMARC failures
> that
> >>>> result in deliverability problems for legitimate mail.  I
> wholeheartedly
> >>>> support removal of SPF as an authentication mechanism that DMARC
> accepts.
> >>>>
> >>>> Barry, as participant
> >>>>
> >>>> On Thu, Jun 8, 2023 at 3:30 PM Seth Blank <seth=
> >>>> 40valimail.com@dmarc.ietf.org> wrote:
> >>>>
> >>>>> Participating, I have data that I believe points to a long tail of
> >>>>> businesses who predominantly only authenticate on behalf of others
> using
> >>>>> SPF, and would be harmed by such a change. It will take me a little
> while
> >>>>> to confirm and share.
> >>>>>
> >>>>> I also know a predominant ccTLD with millions of registrations, that
> >>>>> has SPF on roughly 80% of them, but DMARC on barely 5%. I don't have
> data
> >>>>> on DKIM for those, but I assume it's closer to the DMARC penetration
> than
> >>>>> the SPF one. I'll see if I can get this data to share more
> publically, and
> >>>>> also get the DKIM answer.
> >>>>>
> >>>>> Of course the goal is aligned dkim with a stated policy, but I don't
> >>>>> think the data supports us being anywhere close to that
> realistically.
> >>>>>
> >>>>> As Chair, this is a valuable conversation to have with real data on
> >>>>> problems and opportunities at scale, and am excited to see Tobias
> share and
> >>>>> see what others have to say.
> >>>>>
> >>>>> Seth
> >>>>>
> >>>>> On Thu, Jun 8, 2023 at 3:21 PM Murray S. Kucherawy <
> superuser@gmail.com>
> >>>>> wrote:
> >>>>>
> >>>>>> On Thu, Jun 8, 2023 at 6:00 AM Tobias Herkula <tobias.herkula=
> >>>>>> 401und1.de@dmarc.ietf.org> wrote:
> >>>>>>
> >>>>>>> My team recently concluded an extensive study on the current use
> and
> >>>>>>> performance of DMARC. We analyzed a staggering 3.2 billion emails,
> and the
> >>>>>>> insights drawn are quite enlightening. Of these, 2.2 billion emails
> >>>>>>> (approximately 69%) passed the DMARC check successfully. It's
> quite an
> >>>>>>> achievement, reflective of our collective hard work in fostering a
> safer,
> >>>>>>> more secure email environment.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> However, upon further analysis, it's evident that a mere 1.6% (or
> >>>>>>> thirty-six million) of these DMARC-passed emails relied
> exclusively on the
> >>>>>>> Sender Policy Framework (SPF) for validation. This is a remarkably
> low
> >>>>>>> volume compared to the overall DMARC-passed traffic, raising
> questions
> >>>>>>> about SPF's relevancy and the load it imposes on the DNS systems.
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> Given the current use case scenarios and the desire to optimize our
> >>>>>>> resources, I propose that we explore the possibility of removing
> the SPF
> >>>>>>> dependency from DMARC. This step could result in a significant
> reduction in
> >>>>>>> DNS load, increased efficiency, and an accurate alignment with our
> >>>>>>> predominant use cases.
> >>>>>>>
> >>>>>>> [...]
> >>>>>>>
> >>>>>>
> >>>>>> Does anyone have consonant (or dissonant) data?
> >>>>>>
> >>>>>> -MSK, participating
> >>>>>> _______________________________________________
> >>>>>> dmarc mailing list
> >>>>>> dmarc@ietf.org
> >>>>>> https://www.ietf.org/mailman/listinfo/dmarc
> >>>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>>
> >>>>> *Seth Blank * | Chief Technology Officer
> >>>>> *e:* seth@valimail.com
> >>>>> *p:* 415.273.8818
> >>>>>
> >>>>> This email and all data transmitted with it contains confidential
> >>>>> and/or proprietary information intended solely for the use of
> individual(s)
> >>>>> authorized to receive it. If you are not an intended and authorized
> >>>>> recipient you are hereby notified of any use, disclosure, copying or
> >>>>> distribution of the information included in this transmission is
> prohibited
> >>>>> and may be unlawful. Please immediately notify the sender by
> replying to
> >>>>> this email and then delete it from your system.
> >>>>> _______________________________________________
> >>>>> dmarc mailing list
> >>>>> dmarc@ietf.org
> >>>>> https://www.ietf.org/mailman/listinfo/dmarc
> >>>>>
> >>>> _______________________________________________
> >>>> dmarc mailing list
> >>>> dmarc@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/dmarc
> >>>>
> >>> --
> >
> >*Seth Blank * | Chief Technology Officer
> >*e:* seth@valimail.com
> >*p:* 415.273.8818
> >
> >This email and all data transmitted with it contains confidential and/or
> >proprietary information intended solely for the use of individual(s)
> >authorized to receive it. If you are not an intended and authorized
> >recipient you are hereby notified of any use, disclosure, copying or
> >distribution of the information included in this transmission is
> prohibited
> >and may be unlawful. Please immediately notify the sender by replying to
> >this email and then delete it from your system.
>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>
-- 

*Seth Blank * | Chief Technology Officer
*e:* seth@valimail.com
*p:* 415.273.8818

This email and all data transmitted with it contains confidential and/or
proprietary information intended solely for the use of individual(s)
authorized to receive it. If you are not an intended and authorized
recipient you are hereby notified of any use, disclosure, copying or
distribution of the information included in this transmission is prohibited
and may be unlawful. Please immediately notify the sender by replying to
this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email