IETF Logo Mail Archive

Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

"John Levine" <johnl@iecc.com> Mon, 01 April 2013 22:17 UTC

Return-Path: <johnl@iecc.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC86F21E80B5 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 15:17:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.9
X-Spam-Level:
X-Spam-Status: No, score=-106.9 tagged_above=-999 required=5 tests=[AWL=4.300, BAYES_00=-2.599, HABEAS_ACCREDITED_SOI=-4.3, RCVD_IN_BSP_TRUSTED=-4.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VvCxgTygL83L for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 15:17:26 -0700 (PDT)
Received: from leila.iecc.com (leila6.iecc.com [IPv6:2001:470:1f07:1126:0:4c:6569:6c61]) by ietfa.amsl.com (Postfix) with ESMTP id 363CD21E80B4 for <dmarc@ietf.org>; Mon, 1 Apr 2013 15:17:25 -0700 (PDT)
Received: (qmail 71156 invoked from network); 1 Apr 2013 22:17:25 -0000
Received: from leila.iecc.com (64.57.183.34) by mail1.iecc.com with QMQP; 1 Apr 2013 22:17:25 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:vbr-info; s=515a0774.xn--i8sz2z.k1304; i=johnl@user.iecc.com; bh=PAZDRtK82FkKETA6HK+J59u1+g7HBzCztEpYgYfl7yo=; b=IHkCDz73e76lfCSaswMlYdbWj3cKbgeBD7qoX6WOFJ3eqA5JlxCzyvV1puskIJrl6fQDQbL+56phUgNBjqaeWsMXWsBSiomkxBdesKjxZutBl2F8o7uqHT8V1GZzUR29EJ88nEM0spx/fc1Wm6/s2o5vuaTLGlf1fXUSArvg+8E=
VBR-Info: md=iecc.com; mc=all; mv=dwl.spamhaus.org
Date: Mon, 01 Apr 2013 22:17:02 -0000
Message-ID: <20130401221702.5500.qmail@joyce.lan>
From: John Levine <johnl@iecc.com>
To: dmarc@ietf.org
In-Reply-To: <55b1222360ab4215a09a54da800d261b@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Organization:
X-Headerized: yes
Mime-Version: 1.0
Content-type: text/plain; charset="utf-8"
Content-transfer-encoding: 7bit
Cc: tzink@exchange.microsoft.com
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 22:17:31 -0000

>Extending DMARC this way lets brands/domains protect their outbound reputation behind a shared service without worrying
>whether or not some other customer will spoof them.
>
>Make sense?

Well, no.

Your problem as I understand it is that you have a shared
infrastructure accessed by untrusted clients, and you want to defend
against the threat that one client sends mail impersonating another.

The DKIM signatures are secure, a client can only sign for itself, but
there's no way to map an IP address to a particular sender.

The solution here is quite simple: adjust the SPF records to reflect
what's actually going on.  An SPF pass means, approximately, yes this
message is really from the alleged sender.  But you can't say that,
you can only say that it might be or it might not be.  So an
appropriate SPF record would be something like this (using a handful
of the of Frontbridge IP ranges as an example):

bigbank.com txt "v=spf1 ?ip4:157.55.158.0/23 ?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all"

Those question marks in the record on the Frontbridge ranges make them
neutral rather than pass, which is appropriate in this case.  Since
all of the real mail the client sends through your system will have a
DKIM signature, it will still pass DMARC.

If the bank has its own private ranges for its non-bulk mail, those
could go in as SPF pass, e.g.

bigbank.comm txt "v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23 ?ip4:157.55.234.0/24 ?ip4:157.56.112.0/24 ~all"

Remember that a major point of DKIM is to attach an identity to mail
that is independent of the mail's path.  DKIM currently works just
great for the usual kinds of forwarded mail.  If you insist on both
SPF and DKIM, you lose the path independence and break the forwarding
while gaining nothing, since the DKIM signature still tells you what
you need to know.  If the bank sends its own unsigned mail through its
own mail servers, the SPF record reflects that, and it'll pass DMARC,
too (give or take the known SPF forwarding issues.)

Bonus advantage of this approach: existing software supports it now,
no upgrades needed.

R's,
John

v2.23.0 | Report a Bug | By Email