Re: [dmarc-ietf] Ticket #1 - SPF alignment

Scott Kitterman <sklist@kitterman.com> Fri, 05 February 2021 22:50 UTC

Return-Path: <sklist@kitterman.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A7553A0CF8 for <dmarc@ietfa.amsl.com>; Fri, 5 Feb 2021 14:50:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=kitterman.com header.b=BCT4gL1Z; dkim=pass (2048-bit key) header.d=kitterman.com header.b=TnAuFeCc
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QfS3be0lXGit for <dmarc@ietfa.amsl.com>; Fri, 5 Feb 2021 14:50:36 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 860603A0CF6 for <dmarc@ietf.org>; Fri, 5 Feb 2021 14:50:36 -0800 (PST)
Received: from interserver.kitterman.com (interserver.kitterman.com [64.20.48.66]) by interserver.kitterman.com (Postfix) with ESMTPS id 241BEF80279 for <dmarc@ietf.org>; Fri, 5 Feb 2021 17:50:35 -0500 (EST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903e; t=1612565434; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=DEVHl9jTaJOArQU3ntu1iqhLWKrzmdr5TbXD/Hrkgzc=; b=BCT4gL1ZM/Rn7ETdvIbWV1zEGMDxnB/IXdc2mwePuAzY2PSJDvTQzFyIApnzmIC1Y5/OZ uodDNtJ9+UpDTf/Dw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kitterman.com; i=@kitterman.com; q=dns/txt; s=201903r; t=1612565434; h=from : to : subject : date : message-id : in-reply-to : references : mime-version : content-transfer-encoding : content-type : from; bh=DEVHl9jTaJOArQU3ntu1iqhLWKrzmdr5TbXD/Hrkgzc=; b=TnAuFeCcuRy8Fri/T4B0JS+jgnc423UqIa7qrxyUyNXDVK2gi1sydGoqvVetnsUolWzHO vAg2WZBMknNnvx+E2SuIM1dhF91srC+IxhbnPDLgYRUlEjyIJX72Pc+6gCzvFxdnmLGBpv+ /k5dYaRRsHIZ9BcBcEQ7QfecSdC46O2S1mZ1P3cYMGuKX7tlT8tKSh98CZDaZF3R6XIlWi6 1VoSultgq6915cAonnwgfl3Og4L08ooMOdtOvZuKq0ueMHAiS/73VmhvC3SZZh6PuP7gjiX Uy5jUm8kdiBonOjFAUEDxqI/Z7QoejHUMY/yKm0k3Apuoe3/SbYe77dGdT2Q==
Received: from zini-1880.localnet (static-72-81-252-22.bltmmd.fios.verizon.net [72.81.252.22]) by interserver.kitterman.com (Postfix) with ESMTP id C7AD5F80025 for <dmarc@ietf.org>; Fri, 5 Feb 2021 17:50:34 -0500 (EST)
From: Scott Kitterman <sklist@kitterman.com>
To: dmarc@ietf.org
Date: Fri, 05 Feb 2021 17:50:34 -0500
Message-ID: <2086207.knHnThfGgH@zini-1880>
In-Reply-To: <e169f069-376d-7072-2538-c77bbe7b7540@tana.it>
References: <20210203181226.9AB746D51182@ary.qy> <e169f069-376d-7072-2538-c77bbe7b7540@tana.it>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/g6kIwhvQvNcanVOyXC-DijPsHF8>
Subject: Re: [dmarc-ietf] Ticket #1 - SPF alignment
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2021 22:50:38 -0000

On Thursday, February 4, 2021 7:50:22 AM EST Alessandro Vesely wrote:
> On Wed 03/Feb/2021 19:12:26 +0100 John Levine wrote:
> > In article <b396cf21-05f4-a1a4-5abc-78c5aa276473@tana.it> you write:
> >>On Tue 02/Feb/2021 20:13:42 +0100 John R Levine wrote:
> >>> It's existing practice and I see no reason to change it.
> >>
> >>Software changes all the time.  If we change, ...
> >>
> > Urrgh. There are still MTAs that haven't been updated from RFC 821. If
> > you want a real standard, the closer you can make it to what the
> > running code does, the most likely it will work.
> 
> How about this:
> 
>      NOTE: Historically, SPF was focused on the mfrom identifier.  The helo
>      identifier was retrofitted later, in order to account for delivery
> status notifications.  Earlier DMARC specifications followed suit. 
> Subsequently, it turned out that SPF records for the helo identifier are
> actually sharper than those for mfrom, thereby making successful helo
> verifications very reliable.  However, in the vast majority of cases the
> mfrom identifier is aligned with the main DMARC identifier, while the helo
> identifier often does not have a corresponding SPF record.  Therefore, the
> common practice of using just the SPF result of mfrom unless empty is still
> a valid heuristic.
> 
> ?

I really think we should just stop.  Independently of if your note is a good 
idea (I really don't think it's needed), it's also inaccurate.  As written it 
implies that HELO checking was added to SPF after DMARC was developed.  HELO 
checking was added in 2004 or earlier.  When was DMARC defined?

Please just stop.

Scott K