Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
Douglas Foster <dougfoster.emailstandards@gmail.com> Thu, 29 June 2023 00:50 UTC
Return-Path: <dougfoster.emailstandards@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AD66C14CF17 for <dmarc@ietfa.amsl.com>; Wed, 28 Jun 2023 17:50:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N6t_OuSJiNwV for <dmarc@ietfa.amsl.com>; Wed, 28 Jun 2023 17:50:21 -0700 (PDT)
Received: from mail-lj1-x232.google.com (mail-lj1-x232.google.com [IPv6:2a00:1450:4864:20::232]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86B26C14CF05 for <dmarc@ietf.org>; Wed, 28 Jun 2023 17:50:21 -0700 (PDT)
Received: by mail-lj1-x232.google.com with SMTP id 38308e7fff4ca-2b69f71a7easo1916921fa.1 for <dmarc@ietf.org>; Wed, 28 Jun 2023 17:50:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1687999819; x=1690591819; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=XQbK6oCmuD5UuJt96y5bpYfDhaA/N4THHFuzAppbtlQ=; b=b2+Q3EwLnoAfJTzp8G/j7RTgTuo5lYfVAU3lrwKzhxnfLpDGo6631aQg2zqIMZ7UOL gdzmaJIasrjrwwGd7uKSyZcoy9G5Sh9Fubfn+AEZjbLuGFbYKgdGN857Sc6FmsAeTRFo 1/mMrf+455euesbMHh4doUiRx0WRBYAMR5hgEWAbhPOsG7bnrmMK1neyIWAmqu7NDUE8 Wj+ki7CwAp/ghXD0XZPiIVsV0w05kY7FrZd50v7kKqhEShiNzUvO+l3Iko+1e3Znemyn rnQImkg+syFbHlZsVlAe4rmRFJfmXulSHuYpYMtFxkOzpGaRfrAzZeD3u94e35NXQZ3z yjsA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687999819; x=1690591819; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=XQbK6oCmuD5UuJt96y5bpYfDhaA/N4THHFuzAppbtlQ=; b=B60AFx8FwEPI8ycbnYf/SrM7ljxbhg0/jcJfdMdvSrA1VvoCxicpqtRwbLhZkBFdGc 0KsL6EoqWAc/Tld1gEeYxtEqi+pZIcjX3ZwV/8/kEGEHZrm4hkhHu2u3oZQ4oz55CS6L p2yT/9ZIEAUI4mlNh6T9Bj/Q3xL4qnn61qkUPKhGBgxy9ZIc+ECOJMPCxQDhejWptJO5 Z6nt6VzOjYgm2yWMY/GwRKmWfO3EZU6ixSfNLFVTUqpaAINz/5aSkIIjRd4rzTlXuxlJ gwEP1fghqKyIFHT6Jyo/xKym9wY4udrV2fgwh5/7+FWfkJqtjIFV+6MBy53zpxRpWD7l eqhQ==
X-Gm-Message-State: AC+VfDwD222SoZBl+R2IlTj4asWHGAnKunOEaG3QreLoEc6Iz9kD7Kea 0rumJoXtwjp2hFZve2Kjr2jtuozrm9k7TxxkPPlmHFL8E5M=
X-Google-Smtp-Source: ACHHUZ5fVsCJBdXSWyLTWTH7KgUImzQQ1IufB703+IBGdc9MCM/SLxiQNjJpwA1ToForVcSj9Vthr2MhPqJ714W4HC0=
X-Received: by 2002:a2e:9583:0:b0:2b6:b935:d474 with SMTP id w3-20020a2e9583000000b002b6b935d474mr3128495ljh.14.1687999818881; Wed, 28 Jun 2023 17:50:18 -0700 (PDT)
MIME-Version: 1.0
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com> <CAL0qLwasxzqJt7Hr7gZd86C=ivCrDUci_i6pkJJUTnqzL1pHMA@mail.gmail.com> <CALaySJ+gjR6D-OSE_07iSH2zXa7wypUQwPN1cL-1s+NC2S4L8g@mail.gmail.com> <99e1ef2d-053b-8cfe-f369-fa8475d142ae@tana.it> <CALaySJKZoAPTT-+cZEww+y2eUsDbNXcybb=Z7RxNLyfzPMr7ng@mail.gmail.com> <d3986316-02f9-9d73-be81-37af7cfd40a7@tana.it> <CALaySJLtUtKNtP4__pOryFLaAODjiEx-nbdvF9tL6wYhcRCe_g@mail.gmail.com> <877A1137-3A55-424A-A9C5-FCCA4F2D5436@kitterman.com>
In-Reply-To: <877A1137-3A55-424A-A9C5-FCCA4F2D5436@kitterman.com>
From: Douglas Foster <dougfoster.emailstandards@gmail.com>
Date: Wed, 28 Jun 2023 20:50:07 -0400
Message-ID: <CAH48Zfyp1CvKLaGvYp0eC=E3hG7GU-T2YGR+H64GMzSNjM3AAA@mail.gmail.com>
To: IETF DMARC WG <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000095e11105ff3a1598"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/hW7WRSlZHcHd8TEv9lwB_ytsZwA>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jun 2023 00:50:23 -0000
We are talking about SPF AND DKIM because of the problems with DKIM replay. Can someone summarize the state of the DKIM update options that have been ruled in or ruled out? We have the DARA proposal from Google, which is related to signature replay, but focused on ARC. I am guessing that it correlates closely to the DKIM updates. Should the discussion move to that draft for a bit? I also look forward to Scott's ideas. DARA limits replay by linking the signature to a recipient. An alternative approach is to limit replay be linking the signature to a source server. It may be less effective, but some benefit can be gained from this approach, which does not require a DKIM rewrite. Here are my thoughts: Given a received sequence of - Msg Date - Rcv Date 1 - Rcv Date 2 - .... - Rcv Date N A signature should have a start time between one of these date boundaries. - If the signature start time is equal to, or shortly, after, a Received header timestamp, the signing server is the BY server which create the Received header. - If the signature start time is prior to any Received header timestamp, but on or after the message Date header, then the FROM information on the first Received header identifies the signing server. - If the signature start time is prior to the message Date header, the signature looks suspicious In some cases, clock skew may create ambiguity about the signing server. Even when this occurs, the ambiguous servers are likely to lie behind the same perimeter server, so the ambiguity may not need to be resolved. The first global IP after the signature server becomes the perimeter server which must demonstrate that it's domain has the right to act on behalf of the signing domain. - We do an SPF test on the perimeter server's IP address and the signature domain. If this test produces SPF PASS, the signature has enhanced trust. - If the perimeter server domain matches the signature domain, and the perimeter server host name can be forward confirmed to its IP address, this provides an alternative to SPF PASS. - If either test succeeds, the risk of DKIM reply is significantly lessened. If neither test succeeds, then the signature risk of DKIM replay is greater Improvements within control of the signing server: If the message is not created by the originating server, the message should contain one or more Received headers. The header list on the signature should contain "Received" entries to match the number of Received headers at the time of signing. This further identifies the signature's position in the Received chain. Improvements requiring changes to the DKIM specification They could identify a way to document the signing server's domain in the signature. Then the perimeter server host names can be tested to see if they match the signature's server domain and can be forward-confirmed to the Source IP. This provides an alternative to SPF for configurations where the server domain and the signature domain are different organizations. Doug Foster On Wed, Jun 28, 2023 at 3:44 PM Scott Kitterman <sklist@kitterman.com> wrote: > I think it's quite relevant. > > The assumption that this is based on is there's a need to specify because > SPF data is not reliable enough for everyone. If that premise is correct > (I don't agree with it, but it's a separate issue), then I think telling > people that they should use DKIM because it IS reliable, when it's got its > own issues isn't a great idea. > > I've been mulling this whole topic over and I think I'm close to having > mulled it enough to have a useful proposal. SPF bad, DKIM good is a gross > over-simplification, but so is if it passed SPF, it's authorized, so go > whine at the provider. > > Scott K > > On June 28, 2023 6:32:41 PM UTC, Barry Leiba <barryleiba@computer.org> > wrote: > >I think DKIM replay is largely irrelevant to this discussion (about > >the sender specifying which authentication to use), because if that's > >your biggest concern with respect to DMARC, then "SPF only" is the > >answer. "SPF *and* DKIM" is not any better than that. > > > >> You seem to imply that auth=dkim+spf wouldn't be effective against DKIM > reply > > > >(Assuming you mean "replay".) "SPF and DKIM" does not give any > >benefit beyond "SPF only" in this case. > > > >Look, either SPF fails because the message was relayed illegitimately... > >...or SPF passes because the replayer used the sender's legitimate > >infrastructure to do the replay. > > > >Barry > > > >On Wed, Jun 28, 2023 at 12:43 PM Alessandro Vesely <vesely@tana.it> > wrote: > >> > >> Thank you for your analysis. However, it doesn't touch on DKIM replay. > >> > >> I know this topic belongs to the other list. Let me briefly recall it, > if this > >> doesn't take too many cycles from core matters: It occurs when a signed > >> message is replayed by unauthorized hosts to recipients which were not > >> originally addressed. So, it is one case of your 3rd proposition: In > some > >> scenarios, DKIM will pass when SPF fails. > >> > >> You say that it is technically unnecessary to test both because DKIM > should > >> always pass when SPF passes (1st proposition). > >> > >> You claim: > >> > But where the harm comes is in cases of mis-configuration, because > now if > >> > *either* of them is misconfigured, the whole thing fails -- neither > of them > >> > serves as a backup for the other; instead, the misconfiguration of > either > >> > one causes deliverability problems. > >> > >> > >> I agree. But what if SPF and DKIM are both configured properly? You > seem to > >> imply that auth=dkim+spf wouldn't be effective against DKIM reply, but > your > >> analysis doesn't cover that case explicitly. > >> > >> Perhaps there are better ways to counter that specific problem, and > certainly > >> it's not what this WG is tasked to do. But, just to make the point, I > think > >> it's interesting to know. > >> > >> > >> Best > >> Ale > >> > >> > >> On Tue 27/Jun/2023 16:24:21 +0200 Barry Leiba wrote: > >> > I don't understand how most of your message fits into this discussion: > >> > you're comparing SPF's policy points with DMARC policy. we're talking > >> > about SPF as an authentication mechanism together with DKIM (not > >> > DMARC) as an authentication mechanism... and then using those > >> > authentication results in DMARC policy evaluation. > >> > > >> > But here: I've said all this before in separate places, so I'll put it > >> > in one place, here, one more time: > >> > > >> > Given that SPF and DKIM are both configured properly: > >> > 1. If SPF passes, DKIM will always pass. > >> > 2. If DKIM fails, SPF will always fail. > >> > 3. In some scenarios, DKIM will pass when SPF fails. > >> > > >> > Therefore, when everything is configured properly, SPF adds no value > >> > beyond what DKIM does, and DKIM does add value beyond what SPF does. > >> > That's why I am (and others are) arguing that we should remove SPF > >> > *from DMARC evaluation*. There's no argument that for now, or some, > >> > SPF outside of DMARC still has value. > >> > > >> > What others are arguing is that in the real world, things do get > >> > mis-configured, and if DKIM is misconfigured and fails when it > >> > shouldn't, SPF adds value by providing a working authentication. > >> > (And, of course, similarly the other way around, plus DKIM covers some > >> > cases when messages are relayed or forwarded.) That speaks for "SPF > >> > *or* DKIM". > >> > > >> > But "SPF *and* DKIM" -- requiring *both* to pass -- is technically > >> > unnecessary at best, because of (1) above: DKIM should always pass > >> > when SPF passes. But where the harm comes is in cases of > >> > mis-configuration, because now if *either* of them is misconfigured, > >> > the whole thing fails -- neither of them serves as a backup for the > >> > other; instead, the misconfiguration of either one causes > >> > deliverability problems. DMARC is damaged by requiring an > >> > authentication situation that is unnecessary when things are properly > >> > configured, and that is more fragile than what we've been using, more > >> > susceptible to configuration errors than we've seen before. > >> > > >> > And I'm afraid that people will use it preferentially, *thinking* that > >> > it provides better "security" -- surely, double authentication is > >> > better than single, no? > >> > > >> > No. > >> > > >> > Barry > >> > > >> > On Tue, Jun 27, 2023 at 6:36 AM Alessandro Vesely <vesely@tana.it> > wrote: > >> >> > >> >> On Mon 26/Jun/2023 20:13:53 +0200 Barry Leiba wrote: > >> >>> I'm saying I don't want "and" to be an option, because I think it's > >> >>> damaging to DMARC. There is no reason anyone should ever want to > say > >> >>> that, and providing the option asks for misconfigurations because > >> >>> people think it's somehow "more secure". It's not more secure. It > >> >>> would be very bad for deliverability of legitimate mail and would > >> >>> provide no additional security. It would be a terrible mistake. > >> >> > >> >> > >> >> I've been sporting spf-all for years, and seldom experienced > bounces, mostly > >> >> due to misconfigured secondary MXes. Out of 39 domains whose posts > to this > >> >> list in the past year are still in my inbox, 14 have spf-all. So, > while I'm > >> >> not the only one, not many published -all even though it may seem to > be somehow > >> >> more secure. > >> >> > >> >> I think it can be worth to compare SPF and DMARC. Another sender > policy a > >> >> decade and an authentication method after. What adoption, what hype. > >> >> > >> >> Both policies ask receivers to reject a domain identifier in some > cases. RFC > >> >> 7208 explicitly suggests to consider whitelisting (Appendix D). > DMARC provides > >> >> for overrides but is less clear about how to handle exceptions. > After SPF > >> >> broke forwarding, the reaction was split between some changing > identifier and > >> >> turning to ~all; after DMARC broke mailing lists, between changing > identifier > >> >> and not altering messages. In my limited experience, the ratio > seems to be > >> >> higher for DMARC than SPF, but I may be wrong. > >> >> > >> >> In theory, domains that currently have a strict DMARC policy and > spf-all, 6 of > >> >> the above, should have their messages blocked when either method > fails, up to > >> >> changing identifiers. Why would it be so bad for deliverability to > >> >> additionally require DMARC alignment, which is the difference > between that and > >> >> the "and"? > >> >> > >> >> And, it seems to me that an ESP not having a bloated SPF record > could stop a > >> >> good deal of DKIM replay by resorting to auth=dkim+spf. Besides > collateral > >> >> deliverability problems, why wouldn't that work? > >> >> > >> >> Wht would "and" damage DMARC more than -all damaged SPF? > >> >> > >> >> I hope we can discuss detailed criticism rather than vague ostracism. > >> >> > >> >> > >> >> Best > >> >> Ale > >> >> -- > >> >> > >> >> > >> >> > >> >> > >> >> > >> > > >> > _______________________________________________ > >> > dmarc mailing list > >> > dmarc@ietf.org > >> > https://www.ietf.org/mailman/listinfo/dmarc > > > >_______________________________________________ > >dmarc mailing list > >dmarc@ietf.org > >https://www.ietf.org/mailman/listinfo/dmarc > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
- [dmarc-ietf] DMARC2 & SPF Dependency Removal Tobias Herkula
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Seth Blank
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Seth Blank
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Seth Blank
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Tobias Herkula
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Scott Kitterman
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Scott Kitterman
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Seth Blank
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Tobias Herkula
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Benny Pedersen
- Re: [dmarc-ietf] version bump to DMARC2 John Levine
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Hector Santos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Hector Santos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Dotzero
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Dotzero
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Scott Kitterman
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Scott Kitterman
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Douglas Foster
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Brotman, Alex
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Scott Kitterman
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] version bump to DMARC2 Emil Gustafsson
- Re: [dmarc-ietf] version bump to DMARC2 Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Hector Santos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Hector Santos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] Errors in the tree walk, was ver… Alessandro Vesely
- [dmarc-ietf] Version bump: was DMARC2 & SPF Depen… Scott Kitterman
- Re: [dmarc-ietf] Version bump: was DMARC2 & SPF D… Tim Wicinski
- Re: [dmarc-ietf] Version bump: was DMARC2 & SPF D… Scott Kitterman
- Re: [dmarc-ietf] Version bump: was DMARC2 & SPF D… Tim Wicinski
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Jesse Thompson
- Re: [dmarc-ietf] PSD flag vs Version bump John Levine
- Re: [dmarc-ietf] PSD flag vs Version bump Barry Leiba
- Re: [dmarc-ietf] PSD flag vs Version bump John R Levine
- Re: [dmarc-ietf] PSD flag vs Version bump Scott Kitterman
- Re: [dmarc-ietf] PSD flag vs Version bump Richard Clayton
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Richard Clayton
- Re: [dmarc-ietf] Version bump: was DMARC2 & SPF D… Alessandro Vesely
- Re: [dmarc-ietf] PSD flag vs Version bump Alessandro Vesely
- Re: [dmarc-ietf] PSD flag vs Version bump Barry Leiba
- Re: [dmarc-ietf] version bump to DMARC2 Emil Gustafsson
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Jim Fenton
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Hector Santos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Tero Kivinen
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Douglas Foster
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Seth Blank
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Richard Clayton
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Tero Kivinen
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Tero Kivinen
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Tero Kivinen
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Scott Kitterman
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Sebastiaan de Vos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Douglas Foster
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Sebastiaan de Vos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Michael Kliewe
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Jan Dušátko
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Douglas Foster
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Ken Simpson
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Murray S. Kucherawy
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Hector Santos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal John Levine
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Hector Santos
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Douglas Foster
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Jan Dušátko
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Ken Simpson
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Barry Leiba
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Patrick Ben Koetter
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… John R Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Benny Pedersen
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Wei Chuang
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal David Verdin
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Alessandro Vesely
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Tobias Herkula
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Douglas Foster
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Scott Kitterman
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Todd Herr
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal John Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Todd Herr
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Sebastiaan de Vos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Sebastiaan de Vos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Todd Herr
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Sebastiaan de Vos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Scott Kitterman
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Murray S. Kucherawy
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Dotzero
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Ken Simpson
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Emil Gustafsson
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… John Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Emanuel Schorsch
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… John R Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Emanuel Schorsch
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… John R Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Emanuel Schorsch
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… John R Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Jan Dušátko
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Florian.Kunkel
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Scott Kitterman
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Jan Dušátko
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Murray S. Kucherawy
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… John Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Tobias Herkula
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Scott Kitterman
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Emanuel Schorsch
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Murray S. Kucherawy
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Douglas Foster
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Murray S. Kucherawy
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… John Levine
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Barry Leiba
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Tero Kivinen
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Jan Dušátko
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Alessandro Vesely
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Murray S. Kucherawy
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Hector Santos
- Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Depend… Tero Kivinen
- [dmarc-ietf] Why does DKIM fail when SPF succeeds… Matthäus Wander
- Re: [dmarc-ietf] Why does DKIM fail when SPF succ… Murray S. Kucherawy
- Re: [dmarc-ietf] Why does DKIM fail when SPF succ… Matthäus Wander
- Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal Neil Anuskiewicz
- Re: [dmarc-ietf] Why does DKIM fail when SPF succ… OLIVIER HUREAU
- Re: [dmarc-ietf] Why does DKIM fail when SPF succ… Matthäus Wander