Re: [dmarc-ietf] [ietf-dkim] a slightly less kludge alternative to draft-kucherawy-dmarc-rcpts

Scott Kitterman <ietf-dkim@kitterman.com> Mon, 21 November 2016 13:10 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/iV8G8CdcpyX64YlalFvrkLI9YJE>

On Monday, November 21, 2016 12:48:06 PM Vladimir Dubrovin wrote:
> 17.11.2016 17:30, Hector Santos wrote:
> > On 11/16/2016 1:09 PM, Terry Zink wrote:
> >>> This means ARC will be needed not only for mailing lists which modify the
> >>> header or body of an email, but for EVERY mailing list and EVERY forwarded
> >>> email or EVERY TIME the recipient has been modified and the email leaves
> >>> the ADMD boundary. From a DMARC point of view DKIM will not be needed
> >>> anymore because it has now the same function as SPF - verifying the
> >>> origin of direct emails - and SPF is easier to implement for most
> >>> administrators.
> >> 
> >> +1.
> >> 
> >> It basically (almost) turns DKIM into SPF. That's not that appealing
> >> a solution.
> > 
> > For exclusive policies (SPF -ALL), you really don't need DKIM, DMARC
> > or ARC for that matter since the receiver (at least ours) will never
> > accept the payload anyway, i.e. it never gets to the SMTP "DATA"
> > state.  SPF does not require you to accept the mail for the hard
> > reject policy (-ALL).
> 
> SPF "-all" doesn't protect against spoofing attacks; SPF only protects the
> SMTP envelope, which is normally not visible to the user. DMARC does.
> 
> P.S. Murray, maybe it's better to add an option to DKIM-Signature or to the
> _dmarc DNS record to indicate that some mechanism (DKIM or SPF) should not be
> used for DMARC verification? It will work in absolutely the same way.
> draft-kucherawy-dmarc-rcpts is equivalent to DMARC with disabled
> DKIM authentication.

Or, if you don't want people to use DKIM for DMARC, don't sign the message.

Scott K
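
The distinction the thread turns on (SPF authenticates only the envelope sender, while DMARC requires an SPF or DKIM pass aligned with the visible From domain), as an added example that is not part of the original message or of any draft discussed here. The `use_dkim` switch, the naive `org_domain()` helper and all sample domains are assumptions made for illustration.

```python
# Added illustration: simplified DMARC identifier alignment (relaxed mode).
# org_domain() is a naive stand-in for a Public Suffix List lookup (assumption).

def org_domain(domain):
    """Naive organizational domain: last two labels (real code uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain):
    """Relaxed alignment: organizational domains must match."""
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_eval(from_domain, spf_result, mail_from_domain,
               dkim_result, dkim_d, use_dkim=True):
    """Return (dmarc_pass, details). use_dkim=False models the hypothetical
    'do not use DKIM for DMARC' option raised in the thread."""
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain)
    dkim_ok = (use_dkim and dkim_result == "pass"
               and aligned(dkim_d, from_domain))
    return spf_ok or dkim_ok, {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok}

# Constructed sample messages (all domains are placeholders).
SAMPLES = {
    # SPF passes for the envelope domain, but the visible From differs:
    # SPF alone would accept this, DMARC does not.
    "envelope_only": dict(from_domain="bank.example", spf_result="pass",
                          mail_from_domain="bulk.example.net",
                          dkim_result="none", dkim_d=""),
    # Forwarded mail: SPF fails at the new hop, the original DKIM
    # signature survives and is aligned with the From domain.
    "forwarded": dict(from_domain="bank.example", spf_result="fail",
                      mail_from_domain="bank.example",
                      dkim_result="pass", dkim_d="mail.bank.example"),
}

def run():
    """Evaluate each sample with DKIM counted and with DKIM ignored."""
    out = {}
    for name, msg in SAMPLES.items():
        out[name] = (dmarc_eval(**msg)[0],
                     dmarc_eval(**msg, use_dkim=False)[0])
    return out

if __name__ == "__main__":
    for name, (normal, spf_only) in run().items():
        print(f"{name}: dmarc={normal} dmarc_without_dkim={spf_only}")
```

With DKIM ignored, the forwarded message loses its only aligned identifier, which is the "turns DKIM into SPF" effect described in the quoted text.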