Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
"John Levine" <johnl@iecc.com> Mon, 01 April 2013 22:17 UTC
Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC86F21E80B5 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 15:17:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.9
X-Spam-Level:
X-Spam-Status: No, score=-106.9 tagged_above=-999 required=5 tests=[AWL=4.300, BAYES_00=-2.599, HABEAS_ACCREDITED_SOI=-4.3, RCVD_IN_BSP_TRUSTED=-4.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VvCxgTygL83L for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 15:17:26 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com [IPv6:2001:470:1f07:1126:0:4c:6569:6c61]) by ietfa.amsl.com (Postfix) with ESMTP id 363CD21E80B4 for <dmarc@ietf.org>; Mon, 1 Apr 2013 15:17:25 -0700 (PDT)
Received: (qmail 71156 invoked from network); 1 Apr 2013 22:17:25 -0000
Received: from leila.iecc.com (64.57.183.34) by mail1.iecc.com with QMQP; 1 Apr 2013 22:17:25 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:vbr-info; s=515a0774.xn--i8sz2z.k1304; i=johnl@user.iecc.com; bh=PAZDRtK82FkKETA6HK+J59u1+g7HBzCztEpYgYfl7yo=; b=IHkCDz73e76lfCSaswMlYdbWj3cKbgeBD7qoX6WOFJ3eqA5JlxCzyvV1puskIJrl6fQDQbL+56phUgNBjqaeWsMXWsBSiomkxBdesKjxZutBl2F8o7uqHT8V1GZzUR29EJ88nEM0spx/fc1Wm6/s2o5vuaTLGlf1fXUSArvg+8E=
VBR-Info: md=iecc.com; mc=all; mv=dwl.spamhaus.org
Date: Mon, 01 Apr 2013 22:17:02 -0000
Message-ID: <20130401221702.5500.qmail@joyce.lan>
From: John Levine <johnl@iecc.com>
To: dmarc@ietf.org
In-Reply-To: <55b1222360ab4215a09a54da800d261b@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 7bit
Cc: tzink@exchange.microsoft.com
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 22:17:31 -0000
>Extending DMARC this way lets brands/domains protect their outbound reputation behind a shared service without worrying >whether or not some other customer will spoof them. > >Make sense? Well, no. Your problem as I understand it is that you have a shared infrastructure accessed by untrusted clients, and you want to defend against the threat that one client sends mail impersonating another. The DKIM signatures are secure, a client can only sign for itself, but there's no way to map an IP address to a particular sender. The solution here is quite simple: adjust the SPF records to reflect what's actually going on. An SPF pass means, approximately, yes this message is really from the alleged sender. But you can't say that, you can only say that it might be or it might not be. So an appropriate SPF record would be something like this (using a handful of the of Frontbridge IP ranges as an example): bigbank.com txt "v=spf1 ?ip4:157.55.158.0/23 ?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all" Those question marks in the record on the Frontbridge ranges make them neutral rather than pass, which is appropriate in this case. Since all of the real mail the client sends through your system will have a DKIM signature, it will still pass DMARC. If the bank has its own private ranges for its non-bulk mail, those could go in as SPF pass, e.g. bigbank.comm txt "v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 ?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all" Remember that a major point of DKIM is to attach an identity to mail that is independent of the mail's path. DKIM currently works just great for the usual kinds of forwarded mail. If you insist on both SPF and DKIM, you lose the path independence and break the forwarding while gaining nothing, since the DKIM signature still tells you what you need to know. If the bank sends its own unsigned mail through its own mail servers, the SPF record reflects that, and it'll pass DMARC, too (give or take the known SPF forwarding issues.) Bonus advantage of this approach: existing software supports it now, no upgrades needed. R's, John
- [dmarc-ietf] Proposing an extension to DMARC to o… Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Dave Crocker
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Franck Martin
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … John Levine
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … J. Gomez
- Re: [dmarc-ietf] Proposing an extension to DMARC … Scott Kitterman
- Re: [dmarc-ietf] Proposing an extension to DMARC … MH Michael Hammer (5304)
- Re: [dmarc-ietf] Proposing an extension to DMARC … Murray S. Kucherawy
- Re: [dmarc-ietf] Proposing an extension to DMARC … Terry Zink
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Elizabeth Zwicky
- Re: [dmarc-ietf] Proposing an extension to DMARC … Tim Draegen