Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
Seth Blank <seth@valimail.com> Sun, 31 March 2024 23:38 UTC
Return-Path: <seth@valimail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48A79C14EB19 for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 16:38:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=valimail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g1sM8qOZcLvM for <dmarc@ietfa.amsl.com>; Sun, 31 Mar 2024 16:38:18 -0700 (PDT)
Received: from mail-pl1-x62f.google.com (mail-pl1-x62f.google.com [IPv6:2607:f8b0:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7D7FC14EB17 for <dmarc@ietf.org>; Sun, 31 Mar 2024 16:38:18 -0700 (PDT)
Received: by mail-pl1-x62f.google.com with SMTP id d9443c01a7336-1e0411c0a52so28652505ad.0 for <dmarc@ietf.org>; Sun, 31 Mar 2024 16:38:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=valimail.com; s=google2048; t=1711928298; x=1712533098; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wiDIj4pwj+j4Ag3zxLeVKHT8TR+gpOper3VZnkI5mm4=; b=XR7Yy+QalwrTLUk2sg8qixkOt6iSYrXxsZiaGY1y2hCWBfLEsJMNAuuwptVwUR3zFl lPqnuiCMaW+IxxGd/LLHEOsIVOUieQRigmeaKhyLFeDQx8lqYJEx3uISgI2eW8UNaRiL mtCL9TzQkbnvFJ/5JbKRNpa3lW4lEyQ6Iu7DOrTyC6xuoh/WdZw4ljz+ApVyuWr+MhnO /mX7cuRFimwDEQqpiqnY7feVqetqUveq8rueVm/dn0MwsTGV0QKE6H1hk1I4XLF56Qan sDGdK9IPJURkVgYpUqNuWoJ7rKD7H2aib1ywlDY7X4Vy8uRh1eVEoX9d1sLn3dBWH8pE eQNw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711928298; x=1712533098; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wiDIj4pwj+j4Ag3zxLeVKHT8TR+gpOper3VZnkI5mm4=; b=r3qLrs9rrVd+eteoOdsdtHJDxZbKpH1TU4KcKc2hDobtORTLSW9CnsoqNk647UFP/c 3pj0wEi+liA/sTPuye5JmH/Sa69Qx85UCdkh8JshPfpz1b4phWMvZbC/iwSgXyKyZy3Y eAH/IIiufcINFhSrtaohWish+3kFaUhnIWMy7tWth4E7HTRTz4IgjbOhoxoffVVxZBo4 AG8Qwjk/63KJON0nBeUEcMN+19cJ9XOnPJ3AiygPkwjFo6tzLt26NY/MMiyuWr8kdiHG ZSGvx1n9mhomEd203zfzx8Zxr5OPF76xgiyUXAW2/DeyAH1qHGKtoAEuzS4WGQVUztlT 2aYA==
X-Gm-Message-State: AOJu0Yw779rWyrwTSe/zezqIGxnp1u5VIPzyWfFAnYliwQCSVUtVmo+6 E1mSJ6EA5UtyOvVkQNn8EDBE1ax9Y0W6dVC78+yazcvfGFqKovRVhvb/L4lFPKTVARU6nAJJjW8 LTsaDbnrpeWa3oub90r8mQx3rUrVYe2cAFf3Uh294Q9NVbAKD
X-Google-Smtp-Source: AGHT+IEJABXUT2i6AOJDDPhCX6o5n8hewrci1xXCzBDswnzREupLfbJaj4FsOAxzOLhBeNIrQ8ypzMAWlYOBSZfbLqg=
X-Received: by 2002:a17:903:249:b0:1e0:1486:e808 with SMTP id j9-20020a170903024900b001e01486e808mr8001827plh.13.1711928297842; Sun, 31 Mar 2024 16:38:17 -0700 (PDT)
MIME-Version: 1.0
References: <eda55c54-c149-475c-8117-bfdf3885a883@tekmarc.com> <20240331180009.F36CD8687B50@ary.qy> <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd-7A@mail.gmail.com> <lIU60SB3NeCmFAG+@highwayman.com> <CAL0qLwZt+bo4ydCVOQbfg6bQEv-ufXrrwr8Aege9Wsv7LgH=kA@mail.gmail.com>
In-Reply-To: <CAL0qLwZt+bo4ydCVOQbfg6bQEv-ufXrrwr8Aege9Wsv7LgH=kA@mail.gmail.com>
From: Seth Blank <seth@valimail.com>
Date: Sun, 31 Mar 2024 19:38:06 -0400
Message-ID: <CAOZAAfPtxdBwEthN26cgvAnAbQ70wym+2k0WjtKqNVf44=-vMg@mail.gmail.com>
To: "Murray S. Kucherawy" <superuser@gmail.com>
Cc: dmarc@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001306990614fd5e8f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/gZwpbG9r5Vpaa9AnA0ibcwlWmnY>
Subject: Re: [dmarc-ietf] SPF follies, WGLC editorial review of draft-ietf-dmarc-dmarcbis-30
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 23:38:23 -0000
It is a very common issue that companies want DMARC, but their security teams believe an SPF hard fail is more secure, and then all sorts of actual operational issues slam in. It ends up being lots of work to convince those security teams otherwise. I think it is desirable to state that this issue is known, and with respect to DMARC a hard fail can have unintended consequences. Operationally for DMARC, anything that is not an SPF pass is treated the same, so a hard fail is not a stronger signal if you wish to implement DMARC with a policy that is not none. There are two M3AAWG documents that do call out explicit issues and best practice, so I won’t push strongly that this should be in the document. But since there’s already text that’s so close, why not update it to cover this more explicitly? S, participating, after just having this conversation the other week Seth Blank | Chief Technology Officer Email: seth@valimail.com This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system. On Sun, Mar 31, 2024 at 18:47 Murray S. Kucherawy <superuser@gmail.com> wrote: > On Sun, Mar 31, 2024 at 3:28 PM Richard Clayton <richard@highwayman.com> > wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> In message <CAOZAAfP9tXi80Fi=ZkgPpGwHo1fDbdSOZwVcnuPDbbc2xQd- >> 7A@mail.gmail.com>, Seth Blank <seth=40valimail.com@dmarc.ietf.org> >> writes >> >> > Some Mail Receiver architectures implement SPF in advance of any >> > DMARC operations. This means that an SPF hard fail ("-") prefix on >> > a sender's SPF mechanism, such as "-all", could cause that >> > rejection to go into effect early in handling, causing message >> > rejection before any DMARC processing takes place, and DKIM has a >> > chance to validate the message instead of SPF. Operators choosing >> > to use "-all" to terminate SPF records should be aware of this. >> >> I understood what this said thus far ... but I wonder what it is doing >> in a document about DMARC. Some architectures may reject email from >> IPs listed in the PBL ... again nothing to do with DMARC. This isn't a >> document on how to improve deliverability is it ? >> > > I don't understand the link being made here between operational details > and deliverability. I understand this to be pointing out that if you do > any short circuiting, DMARC can't be evaluated. That includes any early > rejection, be that based on SPF results, DKIM signature failures, domain > reputation rejections, or anything of the sort. > > Mind you, I'm a little worried about anyone that plans to rely seriously > on DMARC yet to whom this isn't relatively obvious. You need those results > before DMARC can even begin, and the DKIM result comes only after the body > arrives. > > -MSK, p11g > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- [dmarc-ietf] WGLC editorial review of draft-ietf-… Seth Blank
- Re: [dmarc-ietf] WGLC editorial review of draft-i… John Levine
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Seth Blank
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Douglas Foster
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Mark Alley
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… John Levine
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Seth Blank
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Murray S. Kucherawy
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Murray S. Kucherawy
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Murray S. Kucherawy
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Richard Clayton
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Seth Blank
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Tero Kivinen
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Brotman, Alex
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Dotzero
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Tim Wicinski
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Todd Herr
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Tim Wicinski
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Jim Fenton
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Brotman, Alex
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Todd Herr
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Murray S. Kucherawy
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… John Levine
- Re: [dmarc-ietf] ARC, was WGLC editorial review o… Alessandro Vesely
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Tim Wicinski
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Laura Atkins
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Dotzero
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Scott Kitterman
- Re: [dmarc-ietf] WGLC editorial review of draft-i… Scott Kitterman
- Re: [dmarc-ietf] the long march, WGLC editorial r… John R. Levine
- Re: [dmarc-ietf] the long march, WGLC editorial r… Scott Kitterman
- Re: [dmarc-ietf] SPF follies, WGLC editorial revi… Neil Anuskiewicz
- Re: [dmarc-ietf] the long march, WGLC editorial r… Murray S. Kucherawy
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N Alessandro Vesely
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Todd Herr
- Re: [dmarc-ietf] Thoughts on choosing N Murray S. Kucherawy
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N (choose 6) Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N Todd Herr
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Todd Herr
- Re: [dmarc-ietf] Thoughts on choosing N Alessandro Vesely
- Re: [dmarc-ietf] Thoughts on choosing N John Levine
- Re: [dmarc-ietf] Thoughts on choosing N Neil Anuskiewicz
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Scott Kitterman
- Re: [dmarc-ietf] Thoughts on choosing N Douglas Foster
- Re: [dmarc-ietf] Thoughts on choosing N Alessandro Vesely