Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Emanuel Schorsch <emschorsch@google.com> Fri, 23 June 2023 04:43 UTC

Return-Path: <emschorsch@google.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 283D3C1881B0 for <dmarc@ietfa.amsl.com>; Thu, 22 Jun 2023 21:43:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id li1vWDc6OR8s for <dmarc@ietfa.amsl.com>; Thu, 22 Jun 2023 21:43:34 -0700 (PDT)
Received: from mail-ej1-x632.google.com (mail-ej1-x632.google.com [IPv6:2a00:1450:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05544C17EE2F for <dmarc@ietf.org>; Thu, 22 Jun 2023 21:43:33 -0700 (PDT)
Received: by mail-ej1-x632.google.com with SMTP id a640c23a62f3a-98d8c38549dso17386766b.1 for <dmarc@ietf.org>; Thu, 22 Jun 2023 21:43:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1687495412; x=1690087412; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=XpAWiTkAdPD8tRXhWOqfMph5EjpB50rHrPKmXxAzCao=; b=dAr1YyLsng0oxHCgZJutg2F01EbjnWg8GnYVxNWwD1zkeuK0ASCYuOC19JfsFI506C 1XeEpuFe8U5DVg5LjVV3OLusTNX/kKM9js8/ZZJhFlTS2R7mZE+d7fm2Ncr7XdqRZm9B qOS+6x1zzQyifECR4AUZEYcOOb5ZZwO3n1S7ulfn9RZ3j/tqE7joXUmdTyTzBKyW8OwP RxZKU3TUcMR3v34+eOKzddghe0aViM9IDy5IjUUAB3HUMWozafiJOEQK7vN5f0l+dXxd tGk9cDcIbZ6ZKJpStNUF3p7rJuDL2umh2SJ1gTX0JYLc4lfgqkFtG0Qp4VUoZsxJ7J1q HpZQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687495412; x=1690087412; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=XpAWiTkAdPD8tRXhWOqfMph5EjpB50rHrPKmXxAzCao=; b=BCate5fjMFtmesLIqJU8zu0bNtzvshW42a3payTjq8sv0uwSRDVnrku1QaPFU/oRPm tEIz316H1q4NF/sYurNEEAF6UhwdsfBVwWQsdAs4y9pEkU2sV+ih4IG3n/Q7ghlHqnqX ABA8wBkZezT06TfHGuo1Q0bn347OvoJnmk7Y6cH/T0uok9VxQjcGxb3W5TsbWiYzrWmG z28+n/CdfLKzPQR9G0UoRuv1h2K6Y5fmteypEPIPluRUu+woUtpyI7d0KN14MrKKb0/Z B0OEuE4Dhoz6J8A/8UvMH3wBz86fFZkSmSXAmVpcfMIioPamMon+NuvoxIS8RAI6XAt+ hDRQ==
X-Gm-Message-State: AC+VfDyZ+6gYk1eBq+HapYjuu9LCrKdLYBGc2DSqSg31Ij2Z9OT7PwIw azm76C1VJHg2egiZ9fwZCzGQ5rwlwR+k1pAk0ML6gg==
X-Google-Smtp-Source: ACHHUZ4Ay6qXyYNdiiVoxNcCARh1Vuj+85c7b+jZrSeVO37jjo3SRa4u7FbNJlvGOTbuTwJnLd4M3aXAeBnoiZv+GeM=
X-Received: by 2002:a17:907:168c:b0:98c:e3a1:dbba with SMTP id hc12-20020a170907168c00b0098ce3a1dbbamr5327964ejc.4.1687495412163; Thu, 22 Jun 2023 21:43:32 -0700 (PDT)
MIME-Version: 1.0
References: <CABZJ8kmg75qo70V-N65b6C4w+g7gX0ehv3CsqG-765BbBGcn=A@mail.gmail.com> <20230623021810.E5F8DF9B3B94@ary.qy>
In-Reply-To: <20230623021810.E5F8DF9B3B94@ary.qy>
From: Emanuel Schorsch <emschorsch@google.com>
Date: Thu, 22 Jun 2023 21:42:54 -0700
Message-ID: <CAFcYR_WY8MEag7sup_7DnmzRuZJ7zeyJT6TATL45wCKBrsF3UQ@mail.gmail.com>
To: John Levine <johnl@taugh.com>
Cc: dmarc@ietf.org, emgu@google.com
Content-Type: multipart/alternative; boundary="0000000000009ac21105fec4a419"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/eoluBQDw59EOtfUH6tY5EB31C0U>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2023 04:43:36 -0000

On Thu, Jun 22, 2023 at 7:18 PM John Levine <johnl@taugh.com> wrote:

> It appears that Emil Gustafsson <emgu@google.com> said:
> >I don't know if there is a better way to encode that, but I'm supportive of
> >making a change that would allow domains to tell us (gmail) that they
> >prefer us to require both dkim and spf for DMARC evaluation (or whatever
> >combination of DKIM and SPF they desire).
>
> I really don't understand what problem this solves. More likely people
> will see blog posts telling them auth=dkim+spf is "more secure",
> they'll add that without understanding what it means, and all that
> will happen is that more of their legit mail will disappear.
>
> If you're worried about DKIM replay attacks, let's fix that rather
> than trying to use SPF, which as we know has all sorts of problems of
> its own, as a band-aid.
>
> R's,
> John
>

I agree with John's point that dkim+spf doesn't make sense in the context
of strict DMARC enforcement (I think it provides value for p=none domains
but it's not worth that complexity). If we leave out `dkim+spf` as an
option then we can still solve >90% of the problem at hand without having
confused users misusing that option. I would support allowing the following
options for the auth tag:
   "auth=dkim|spf (default value: same as current state), auth=dkim, auth=spf"
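To make the three proposed `auth` values concrete, here is an added example (my own illustration, not code from Gmail, from any IETF draft, or from anyone on the thread) of how a receiver's DMARC evaluation would consult a hypothetical `auth` tag. The tag name and its three values follow the proposal above; the `Message` fields, the two-label approximation of the organizational domain (real DMARC uses the Public Suffix List), the treatment of a missing `p=` tag as `none`, and the fallback to the default for unrecognised `auth` values (such as the rejected `dkim+spf`) are assumptions. The constructed forwarding scenario shows the failure mode John raises: a legitimate message whose DKIM signature survives forwarding but whose SPF check fails.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    """Authentication facts a receiver has already computed for one message."""
    from_domain: str             # RFC5322.From domain
    dkim_verified: bool          # a DKIM signature verified cryptographically
    dkim_domain: Optional[str]   # d= of that signature, if any
    spf_result: str              # 'pass', 'fail', 'softfail', 'none', ...
    spf_domain: Optional[str]    # RFC5321.MailFrom (or HELO) domain SPF checked


def parse_dmarc_record(record: str) -> dict:
    """Parse 'v=DMARC1; p=reject; auth=dkim' into {tag: value}."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels instead of a PSL lookup.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact), 'r' = relaxed (org domain)."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dkim_aligned_pass(msg: Message, tags: dict) -> bool:
    return (msg.dkim_verified and msg.dkim_domain is not None
            and aligned(msg.from_domain, msg.dkim_domain, tags.get("adkim", "r")))


def spf_aligned_pass(msg: Message, tags: dict) -> bool:
    return (msg.spf_result == "pass" and msg.spf_domain is not None
            and aligned(msg.from_domain, msg.spf_domain, tags.get("aspf", "r")))


# The three values proposed in the message above; 'dkim+spf' is deliberately absent.
PROPOSED_AUTH_VALUES = {"dkim|spf", "dkim", "spf"}


def dmarc_result(record: str, msg: Message) -> tuple:
    """Return (dmarc_result, disposition) for a message under a DMARC record."""
    tags = parse_dmarc_record(record)
    auth = tags.get("auth", "dkim|spf").lower()
    if auth not in PROPOSED_AUTH_VALUES:
        auth = "dkim|spf"  # assumption: unknown values fall back to today's behaviour
    dkim_ok = dkim_aligned_pass(msg, tags)
    spf_ok = spf_aligned_pass(msg, tags)
    passed = {"dkim": dkim_ok, "spf": spf_ok, "dkim|spf": dkim_ok or spf_ok}[auth]
    if passed:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))  # assumption: missing p= treated as none


# Constructed scenario: a legitimate example.com message forwarded by a third
# party. The DKIM signature survives forwarding; SPF fails because the
# forwarder's IP is not authorised by example.com's SPF record.
FORWARDED = Message("example.com", True, "example.com", "fail", "example.com")


def forwarded_mail_outcomes() -> dict:
    """Evaluate the forwarded message under each proposed auth setting."""
    records = {
        "default": "v=DMARC1; p=reject",
        "auth=dkim": "v=DMARC1; p=reject; auth=dkim",
        "auth=spf": "v=DMARC1; p=reject; auth=spf",
    }
    return {name: dmarc_result(rec, FORWARDED) for name, rec in records.items()}


if __name__ == "__main__":
    for name, outcome in forwarded_mail_outcomes().items():
        print(f"{name:10s} -> result={outcome[0]}, disposition={outcome[1]}")
```

Under the default and `auth=dkim` the forwarded message passes; under `auth=spf` it is rejected. A domain that also required DKIM to pass (the omitted `dkim+spf`) would lose the same forwarded mail whenever its signature is broken in transit, which is the loss of legitimate mail the thread is cautioning against.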