IETF Logo Mail Archive

Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

Tim Draegen <tim@eudaemon.net> Wed, 03 April 2013 06:04 UTC

Return-Path: <tim@eudaemon.net>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69EEF21F8550 for <dmarc@ietfa.amsl.com>; Tue, 2 Apr 2013 23:04:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.284
X-Spam-Level:
X-Spam-Status: No, score=-2.284 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CwB9RsR2xU9x for <dmarc@ietfa.amsl.com>; Tue, 2 Apr 2013 23:04:42 -0700 (PDT)
Received: from pie.eudaemon.net (pie.eudaemon.net [72.250.241.194]) by ietfa.amsl.com (Postfix) with ESMTP id C88EF21F854E for <dmarc@ietf.org>; Tue, 2 Apr 2013 23:04:42 -0700 (PDT)
Received: from [10.0.1.7] (sctv-72-100.mounet.com [216.145.72.100]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by pie.eudaemon.net (Postfix) with ESMTPSA id 27E6ECB46; Wed, 3 Apr 2013 02:05:19 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Tim Draegen <tim@eudaemon.net>
In-Reply-To: <3cc1dd69471d4f059fff49ecd3c6f45d@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Date: Wed, 03 Apr 2013 02:04:41 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <D7368D6C-88A7-4CC7-9A2F-824FCECAC6BC@eudaemon.net>
References: <55b1222360ab4215a09a54da800d261b@BL2SR01MB605.namsdf01.sdf.exchangelabs.com> <515A02DB.2010309@gmail.com> <CE39F90A45FF0C49A1EA229FC9899B05633D4E@USCLES544.agna.amgreetings.com> <9b3745d8976d42df8fc9521e7f4c4b49@BL2SR01MB605.namsdf01.sdf.exchangelabs.com> <CE39F90A45FF0C49A1EA229FC9899B05633F90@USCLES544.agna.amgreetings.com> <3cc1dd69471d4f059fff49ecd3c6f45d@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
To: Terry Zink <tzink@exchange.microsoft.com>
X-Mailer: Apple Mail (2.1503)
Cc: "dmarc@ietf.org" <dmarc@ietf.org>
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Apr 2013 06:04:43 -0000

Hi Terry,

I like your proposal, but see problems:

- SPF and DKIM don't always work in production.

	By themselves, both SPF and DKIM sometimes fail to yield correct results, even when they *should*.  Be this because of transient DNS errors, DKIM canonicalization errors (its a real thing, and "relaxed" unintuitively breaks more), or bad luck, the error rate introduced by requiring both SPF and DKIM to pass 100% of the time is just too high to be useful.  Keep in mind that this is not about Domain-A sending just to Receiver-B; the problem space is every domain sending to every possible receiver/stack/environment.

- Requiring both DKIM and SPF to yield aligned domain identifiers overshoots the goal.

	The Receiver side of the coin (the "receiving function" if you'll allow me to talk about all and everything that processes incoming email) needs a basic, reliable way to link a domain to a piece of email.. when processing trillions of emails from across millions of domains on top of thousands of software environments.  Even if the reality of imperfect implementations didn't matter (see #1), the receiving function is hunting for an assertion of "this email really does come from X domain".  By requiring both DKIM and SPF to "pass", you're asking the receiving function to consider an extra assertion of "does this email really *really* come from X domain?".

- Complexity is an adoption barrier.

	Because email is used everywhere by everyone all the time and dwarfs everything else, trying to change it is really hard.  The installed base is "yes", everyone has their customized way to squeeze it, Mars lost its water when it tried to upgrade its email.  Any bell, whistle, or tiny piece of extra functionality equates to a real-life adoption barrier.  If said bell, whistle, or tiny piece of extra functionality *significantly* increases the ability to adopt DMARC everywhere, then OK, let's all talk about it and do it.

- DMARC cannot fix the shared IP problem.

	If a company:
		- is activity managing its security envelope,
		- determines that it needs DMARC, and
		- is using a service provider that allows any of its clients to send email pretending to be any other client..
	..then the company needs to think in terms of risk management.  I won't break this down any further unless someone asks.

- There is a work-around to address your proposal:

	What the company can do in this situation is: use a different domain or a sub-domain for the traffic coming out of the service provider, and require "strict" identifier alignment as needed.  Problem solved without changing DMARC.

Lastly, I hope the above does not read like it contains any hostility.  The tone of email-related IETF lists are sometimes hard to modulate, so I just want to be clear: I like your idea, but for the above reasons I think it asks DMARC to do too much for too little (esp 'cause there's a viable way to work-around your scenario).

=- Tim

v2.23.0 | Report a Bug | By Email