Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Franck Martin <fmartin@linkedin.com> Tue, 02 April 2013 00:31 UTC
Return-Path: <prvs=797119cd4=fmartin@linkedin.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC23F21E8108 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 17:31:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level:
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p7g+gfYhPOjl for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 17:31:40 -0700 (PDT)
Received: from esv4-mav04.corp.linkedin.com (esv4-mav04.corp.linkedin.com [69.28.149.80]) by ietfa.amsl.com (Postfix) with ESMTP id 02A9E11E80E2 for <dmarc@ietf.org>; Mon, 1 Apr 2013 17:31:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linkedin.com; i=@linkedin.com; q=dns/txt; s=proddkim1024; t=1364862699; x=1396398699; h=from:to:subject:date:message-id:in-reply-to:content-id: content-transfer-encoding:mime-version; bh=wyJ6JT6XQJLionJ09IFtiWCvKU3BJziddELaGypCP+k=; b=tFWEtOaXY+MfbBlaHtLoFDda07bvsHVUp0Y+uVIBfrT/NEWXWvSGSKrX oa2v9RYj6DipPOZD2UXuiJoTUei6Iz8pc86fpZFAq7gvrITXdT61vujUi rYNVVJ41ifslcHPOFqpWSTxT0yhytRs9ACraY8jUqVXk3jnqaeWNmmq0D w=;
X-IronPort-AV: E=Sophos;i="4.87,390,1363158000"; d="scan'208";a="42730468"
Received: from ESV4-HT02.linkedin.biz (172.18.46.236) by esv4-cas02.linkedin.biz (172.18.46.142) with Microsoft SMTP Server (TLS) id 14.2.328.11; Mon, 1 Apr 2013 17:31:30 -0700
Received: from ESV4-MBX01.linkedin.biz ([fe80::d029:a1fa:62c4:2641]) by ESV4-HT02.linkedin.biz ([::1]) with mapi id 14.02.0328.009; Mon, 1 Apr 2013 17:31:30 -0700
From: Franck Martin <fmartin@linkedin.com>
To: "J. Gomez" <jgomez@seryrich.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Thread-Index: AQHOLzlrMFmZeDohV0et6KgQ/yQZZQ==
Date: Tue, 02 Apr 2013 00:31:30 +0000
Message-ID: <77426B543150464AA3F30DF1A91365DE52EA0E4A@ESV4-MBX01.linkedin.biz>
In-Reply-To: <A633CECE8D6642D7A5C2B99C5AF5BC92@fgsr.local>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.18.46.250]
Content-Type: text/plain; charset="utf-8"
Content-ID: <F5C3CB06DE813A45970532782E44AA7B@linkedin.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 00:31:41 -0000
On 4/1/13 5:26 PM, "J. Gomez" <jgomez@seryrich.com> wrote: >On Tuesday, April 02, 2013 1:28 AM [GMT+1=CET], Franck Martin wrote: > >> On 4/1/13 4:15 PM, "J. Gomez" <jgomez@seryrich.com> wrote: >> >>> On Monday, April 01, 2013 11:15 PM [GMT+1=CET], Terry Zink wrote: >>> >>>> I am proposing an extension to DMARC. Whereas today DMARC requires >>>> one of a DKIM pass or SPF pass, I propose we extend DMARC so that is >>>> has the *option* to require both. >>>> >>>> (...) >>>> >>>> Let's assume that BigBank.com has been dutiful and has published a >>>> DMARC record. The problem occurs when Learning.edu gets compromised >>>> and starts sending out spam. If a user starts sending out spam from >>>> joe@learning.edu, we can detect this and shut it down. But what >>>> happens if they start sending out mail as security@bigbank.com? >>>> >>>> example.com ------------+ >>>> | >>>> BigBank.com ------------+----> Microsoft Forefront IPs ----> >>>> Internet | >>>> Learning.edu | >>>> security@bigbank.com --+ >>>> >>>> (...) >>>> >>>> Extending DMARC this way lets brands/domains protect their outbound >>>> reputation behind a shared service without worrying whether or not >>>> some other customer will spoof them. >>>> >>>> Make sense? >>> >>> I does make sense. I also like the explanation in your blog: >>> >>> >>>http://blogs.msdn.com/b/tzink/archive/2012/10/18/how-should-large-financ >>>ia >>> l-institutions-use-hosted-filtering.aspx >>> >>> In a multitenant cloud environment, and/or when you are giving >>> customers a MTA-smarthost service to gateway their mail to the >>> Internet, you cannot be sure that they will always be signing their >>> email with DKIM, and you usually will not have their private DKIM >>> keys to sign their email yourself as it flows through the smarthost >>> towards the Internet, so taking the DMARC oportunity to close this >>> hole in SPF is golden. >> >> Google apps, send grid, messagebus, (and many other ESPs) do not have >> problem to create a DKIM key for each customer, to sign the emails >> that pass through them. We used to have open-relays because they were >> easy to setup/manage, but we moved away from them because they were >> insecure. > >If your worry is moving away from insecure, then Terry Zink's proposal is >just making DMARC more secure, as it is raising the bar on the mechanisms >that have (optionally) to concur to obtain a DMARC-pass. > >Apart from that, you would need to control your client's DNS to sign >their DKIM in their behalf, and that only works with very small clients >which lack in-house technical people and outsource the whole thing to >you. But if you want to have clients of medium size which gateway their >mail to the Internet through your cloud service, good luck getting their >technical people to surrender their administrative control of their DNS >to you. > We do that all the time with sub domains. Don't see where is the issue.
- [dmarc-ietf] Proposing an extension to DMARC to o… Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Dave Crocker
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Murray S. Kucherawy
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Tim Draegen