IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Barry Leiba <barryleiba@computer.org> Tue, 13 June 2023 22:01 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06E9EC151089 for <dmarc@ietfa.amsl.com>; Tue, 13 Jun 2023 15:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.553
X-Spam-Level:
X-Spam-Status: No, score=-1.553 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id osODHFtrV4fW for <dmarc@ietfa.amsl.com>; Tue, 13 Jun 2023 15:01:56 -0700 (PDT)
Received: from mail-ej1-f44.google.com (mail-ej1-f44.google.com [209.85.218.44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B6F0C14CF15 for <dmarc@ietf.org>; Tue, 13 Jun 2023 15:01:56 -0700 (PDT)
Received: by mail-ej1-f44.google.com with SMTP id a640c23a62f3a-97458c97333so3933266b.2 for <dmarc@ietf.org>; Tue, 13 Jun 2023 15:01:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686693714; x=1689285714; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=io5sCdNVfYy6GNar3aVco90wnytDRQrm2vyqT9gRYjE=; b=FKSVykQ+teB5z6qgv/2lVLieazu78kQNG/Fo2+3CLzDCVtaOTCrpNfxVIzebD/jwsO L+qx1cp3SZMKK/5F5fJgsxcKcLC/hXS/tB2geqMkrPwi9202GI+fg8ALLfncEBlaiKh6 aI4PFzj2gLI/NgVmpILbaLme7QHBEzmzyWOTR1b5UB+vgEpJR35PMSuyG4LCWJuRGnqw xaXZ6GuSVBslig8QBq96jLITW2oZoEzZuKFStwvS60T/M5KBmbHMsPrpDTnuUpTOI2gD Hyi/wcA3KbBdbi5/5iNx3vcxETJ9SZFahwERfXRAgmsUfki5CtJBjl09iBbSTOB7+ccp B2kA==
X-Gm-Message-State: AC+VfDxkIq7I2B57An+NkKUYR/XVjcKA5Uwr2LUm1jGD8bdKpXtEkPiM EXwNcSXEjg1mXTiWxwVR/cBCHjLL1+S5Nwl7J8GMS4cA
X-Google-Smtp-Source: ACHHUZ7xmhvVKUu1LmXodljmvkHir8SDaDSvYdLQy0pMMrbLoQQfJf1PWnNVuNMfcceizZaJNt2eNWKAUx+r7BNeLUA=
X-Received: by 2002:a17:906:dac7:b0:974:86a7:d3a3 with SMTP id xi7-20020a170906dac700b0097486a7d3a3mr13798372ejb.13.1686693713811; Tue, 13 Jun 2023 15:01:53 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi>
In-Reply-To: <25736.57534.195344.782189@fireball.acr.fi>
From: Barry Leiba <barryleiba@computer.org>
Date: Tue, 13 Jun 2023 18:01:41 -0400
Message-ID: <CALaySJK6fGW53QtFDj+pxL8UguZGkMWR_3G8A04K9fpvKDRczg@mail.gmail.com>
To: Tero Kivinen <kivinen@iki.fi>
Cc: Scott Kitterman <sklist@kitterman.com>, dmarc@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/hRdFoORqJdxZ0h4TIu6qyry8EBU>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2023 22:01:57 -0000

Thanks for all this detail, Tero!  I will have to digest it and reply
further later.

Barry

On Tue, Jun 13, 2023 at 5:34 PM Tero Kivinen <kivinen@iki.fi> wrote:
>
> Barry Leiba writes:
> > > DKIM only: ~99.5%
> > > DKIM + SPF: ~100%
> > > SPF only: ~100%
> >
> > That's interesting and disturbing if it remains consistent.
>
> The statistics I have are quite different. The failure rate is much
> bigger both in DKIM and SPF.
>
> Following statistics is random subset of emails going through iki.fi
> system, from last 30 days, consisting bit less than 4 million emails.
> Iki.fi is email forwarding service, so about 90% of those emails will
> fail SPF checks after iki.fi sends them forward. DKIM will go through
> unmodified, and we do not modify normal messages (spam messages might
> get tagged as spam depending on the members configuration), so 85.75%
> of emails will still have valid DKIM signature after passing iki.
>
> We do graylisting of blacklisted ip-addresses, thus spammers that do
> not work around graylisting are not part of the statistics.
>
> There is significant amount of mailing lists going through iki, and
> quickly checking that 1.58% of emails going through has spf-errors,
> dkim signers or similar with domain name in form of list.domain or
> lists.domain, so that will cause some of the SPF and DKIM failures.
> Note, that this only counts cases where the domain name was used in
> the verification and printed in the logs i.e., only in error cases.
>
> As we are using ARC, and we add ARC-Authentication-Results header to
> all emails as first step when they come in, and I used those headers
> to generate these statistics.
>
> First some generic statistics:
>
>         Number of ARC-header levels
>         ===========================
>         95.61%  3811208 1
>         3.83%   152487  2
>         0.44%   17711   3
>         0.09%   3586    4
>         0.01%   460     5
>         0.01%   349     6
>         0.01%   207     7
>         0.00%   36      8
>         0.00%   15      9
>         0.00%   1       10
>
>         Mailer
>         ======================
>         91.96%  3665744 MTA-v4
>         8.04%   320315  MTA-v6
>         0.00%   1       MSA
>
> So 3.83% of emails already had one ARC header, and 0.56% had more than
> one arc header, with exactly one email having 10
> ARC-Authentication-Results headers. Most of the emails do not have ARC
> headers.
>
> 92% of traffic came in using IPv4..
>
> Then lets compare DKIM, SPF, DMARC and ARC results
>
>         DKIM summary results
>         =========================
>         85.75%  3417541 pass
>         13.11%  522367  none
>         1.12%   44604   fail
>         0.02%   893     temperror
>
>         SPF results
>         =========================
>         86.50%  3447577 pass
>         8.78%   349947  none
>         1.89%   75137   softfail
>         1.18%   46913   permerror
>         1.12%   44553   fail
>         0.49%   19536   neutral
>         0.05%   2037    temperror
>
>         DMARC results
>         =========================
>         62.82%  1243393 pass
>         30.99%  613478  none
>         6.05%   119800  fail
>         0.08%   1485    temperror
>         0.06%   1244    permerror
>
>         ARC results
>         =========================
>         91.66%  160268  pass
>         8.34%   14584   reject
>
> As you can see 85.75% of incoming email was already signed by DKIM,
> and 86.5% of emails had SPF records that passed. So they both have
> about same amount if usage coming in to our servers.
>
> The difference is that only 1.14% of emails had errors (fail, or
> temperror) in their DKIM signatures (most of those were because the
> email was from the mailing list that modified the body, but did not
> generate new DKIM header), compared to the 4.24% of emails having SPF
> failures (softfail, permerror, fail or temperror). Meaning there were
> much more emails that failed SPF than DKIM. Even if we ignore the
> softfails, we still have about double the emails failing (2.35%).
>
> Note, that the dmarc and arc statistics are not from all of the
> emails, it only includes those which actually had DMARC or ARC
> information. For dmarc this was about 50%, and for ARC it was only
> 4.3% of all emails.
>
> Here are some statistics abut the DKIM processing and the error cases.
> 76.75% had one DKIM signature, and over 20% had more than one
> signature. Here is number of DKIM signatures and their results, i.e.,
> 22.22% of emails had two DKIM signatures both passing, and 0.34% had
> one signature that passed, and another that failed etc:
>
>         DKIM results
>         =======================================
>         62.67%  2497633 pass
>         22.22%  885372  pass,pass
>         13.06%  520332  none
>         1.04%   41477   fail
>         0.34%   13353   pass,fail
>         0.19%   7506    none,pass
>         0.15%   5910    pass,none
>         0.07%   2635    fail,fail
>         0.06%   2235    pass,pass,pass
>         0.05%   2034    none,none
>         0.03%   1296    pass,pass,pass,pass
>         0.03%   1026    pass,pass,fail
>         0.03%   1002    fail,pass
>         0.02%   892     temperror
>         0.02%   631     pass,fail,fail
>         0.01%   583     pass,none,none
>         0.01%   369     fail,fail,fail
>         0.01%   356     fail,fail,pass
>         0.01%   335     pass,pass,none
>         0.00%   86      pass,fail,fail,fail
>         0.00%   69      none,fail
>         0.00%   67      pass,fail,pass
>         0.00%   48      pass,pass,fail,fail
>         0.00%   27      temperror,pass
>         0.00%   26      fail,fail,none
>         0.00%   22      pass,temperror
>         0.00%   15      pass,pass,none,none
>         0.00%   10      none,pass,pass
>         0.00%   9       fail,fail,fail,fail
>         0.00%   7       pass,fail,none
>         0.00%   7       none,fail,fail
>         0.00%   7       fail,fail,fail,fail,none
>         0.00%   4       pass,none,pass
>         0.00%   4       fail,none
>         0.00%   4       pass,fail,fail,fail,fail
>         0.00%   3       fail,pass,pass
>         0.00%   2       pass,pass,pass,pass,pass,pass
>         0.00%   2       pass,none,fail
>         0.00%   2       pass,pass,pass,fail
>         0.00%   2       none,fail,pass
>         0.00%   1       temperror,temperror
>         0.00%   1       pass,pass,pass,pass,fail
>         0.00%   1       fail,fail,temperror
>         0.00%   1       pass,temperror,pass
>         0.00%   1       none,none,none
>
> The none,none,none cases etc are where it had 3 DKIM signatures but it
> could not find any DKIM records from the DNS, and was not able to
> verify the signatures.
>
> And here are reasons why dkim signature checking failed. The Invalid
> DKIM record actually results the dkim result to be none, but other
> errors result to the final result to be fail. As you can see there is
> significant part where the body hash did not verify (most likely
> because this is coming from mailing list). This only includes those
> emails where there was no passing DKIM signature at all.
>
>         DKIM failures
>         ================================================================
>         36.34%  26619   invalid DKIM record
>         36.28%  26577   body hash did not verify
>         20.34%  14900   headers rsa verify failed
>         2.78%   2034    invalid DKIM record,invalid DKIM record
>         1.62%   1186    headers rsa verify failed,headers rsa verify
>                         failed
>         1.62%   1185    body hash did not verify,body hash did not
>                         verify
>         0.49%   360     body hash did not verify,body hash did not
>                         verify,body hash did not verify
>         0.30%   218     headers rsa verify failed,headers eddsa verify
>                         failed
>         0.09%   65      invalid DKIM record,body hash did not verify
>         0.05%   37      headers rsa verify failed,body hash did not
>                         verify
>         0.04%   26      body hash did not verify,body hash did not
>                         verify,invalid DKIM record
>         0.01%   9       headers eddsa verify failed,headers rsa verify
>                         failed
>         0.01%   9       body hash did not verify,body hash did not
>                         verify,body hash did not verify,body hash did
>                         not verify
>         0.01%   7       body hash did not verify,body hash did not
>                         verify,body hash did not verify,body hash did
>                         not verify,invalid DKIM record
>         0.01%   6       invalid DKIM record,body hash did not
>                         verify,body hash did not verify
>         0.01%   4       headers rsa verify failed,headers rsa verify
>                         failed,body hash did not verify
>         0.01%   4       invalid DKIM record,headers rsa verify failed
>         0.00%   3       headers rsa verify failed,headers rsa verify
>                         failed,headers rsa verify failed
>         0.00%   2       headers rsa verify failed,invalid DKIM record
>         0.00%   2       headers rsa verify failed,body hash did not
>                         verify,body hash did not verify
>         0.00%   2       body hash did not verify,invalid DKIM record
>         0.00%   1       invalid DKIM record,invalid DKIM
>                         record,invalid DKIM record
>         0.00%   1       body hash did not verify,headers rsa verify
>                         failed
>         0.00%   1       invalid DKIM record,headers rsa verify
>                         failed,headers rsa verify failed
>
> SPF failures show that it is not that big difference whether you use
> IPv4, or IPv6, as this matches the generic use of IP protocols for
> these incoming emails:
>
>         SPF failures
>         ==============================================================
>         92.71%  41307   MTA-v4: domain of x@y does not designate ipxxx
>                         as permitted sender
>         7.29%   3246    MTA-v6: domain of x@y does not designate ipxxx
>                         as permitted sender
>
> For DMARC failures there is quite a large number of those which do not
> have SPF or DKIM. I do not really known what I should interpret from
> those other errors for DMARC.
>
>         DMARC failures
>         ============================================================
>         52.53%  62925   No valid SPF, No valid DKIM
>         32.97%  39504   SPF not aligned (relaxed), DKIM not aligned (relaxed)
>         5.41%   6486    SPF not aligned (relaxed), No valid DKIM
>         3.49%   4186    No valid SPF
>         2.68%   3213    SPF not aligned (relaxed)
>         2.07%   2484    No valid SPF, DKIM not aligned (relaxed)
>         0.25%   297     SPF not aligned (strict), DKIM not aligned (strict)
>         0.21%   256     SPF not aligned (relaxed), DKIM not aligned (strict)
>         0.17%   207     SPF not aligned (strict)
>         0.09%   106     SPF not aligned (strict), No valid DKIM
>         0.08%   100     SPF not aligned (strict), DKIM not aligned (relaxed)
>         0.03%   36      No valid SPF, DKIM not aligned (strict)
>
> For ARC there is quite big number of signature check failures, I am
> not actually sure whether that is because there is no key to be found
> or what is the issue.
>
>         ARC failures
>         ===========================================================
>         80.36%  11720   "signature check failed: fail, {[1] = sig:xxx:reject}"
>         6.37%   929     "cv is fail on i=4"
>         6.31%   920     "cv is fail on i=2"
>         3.73%   544     "seal check failed: fail, {[1] = sig:xxx:reject}"
>         1.89%   275     "cv is none on i=2"
>         0.80%   116     "signature check failed: fail, {[1] =
>                         sig:xxx:dns request to xxx
>         0.52%   76      "cv is fail on i=3"
>         0.02%   3       "seal check failed: fail, {[1] = sig:xxx:dns
>                         request to xxx
>         0.01%   1       unknown
>
>
> Summary: Looking at the data there is much more SPF related failures
> than DKIM related failures, and as I said 90% of these emails WILL
> FAIL SPF checks when iki.fi will forward them to their final
> destination (only those that say +all or do not publish SPF record
> will survive), while the DKIM records still are correct.
>
> We have several cases where final email domain where the user asks us
> to forward his email is only using SPF, thus we simply ask them to
> switch to someone who does email properly and uses DKIM too...
>
> If the DMARCv2 would mandate support of DKIM and would get rid of the
> SPF checks completely then hopefully more people would actually start
> using DKIM also in the verification. It is quite widely already used
> in the generation of the messages.
>
> Of course this is selected data-set as if out user find out he can't
> use his iki.fi address for certain service as it does not do DKIM, and
> his/her final destination checks SPF, he/she will not use his iki.fi
> address in those places or he/she changes his email mailbox provider
> (which is easy to do if all your emails go through iki, you simply
> change the forward to go to your new address, and hour later
> all your emails go there :-)
> --
> kivinen@iki.fi

v2.23.0 | Report a Bug | By Email