Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Emanuel Schorsch <emschorsch@google.com> Fri, 23 June 2023 18:01 UTC

Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1687543289; x=1690135289; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=WU/wZpZCKGjEgiDqMyhMDA3vrY2y4/tQq60jWhaPWqc=; b=dy4EsLyQWMBYuCzTWaxznNbTHyXCKLNq15NFVp8Nze31n2/jpS1RXpMvClXimQOtTu KNHvQqOmb5LF1WQbadWkYaMSdsQGqcEkm/PAe4lyeVXMjKI3sMkOUzHH0c4aw4p1nth9 5r+3vePDG9QIGTAOxPztrV+J7AiTJ5uh4+9Y7W6dfhkwcriB9YEtGcHoWwlDdcMyVrad 53j2k++beuvBf43ojd1Yq+y4CE87QQ1lK3FYUW6uWiHExCZ5Nu1vqgnPZ4adVU+00Xy+ rFkrSbMfPqnlGSo4TFXGMPdfaxgAD1BTR8Mv4EtZthtWlbnoC2MSvrHE7okTLRNyWh52 guxw==
MIME-Version: 1.0
References: <CABZJ8kmg75qo70V-N65b6C4w+g7gX0ehv3CsqG-765BbBGcn=A@mail.gmail.com> <20230623021810.E5F8DF9B3B94@ary.qy> <CAFcYR_WY8MEag7sup_7DnmzRuZJ7zeyJT6TATL45wCKBrsF3UQ@mail.gmail.com> <bfbe77ad-8aba-d803-de06-d734a177066b@taugh.com> <CAFcYR_U=qW0k5EC2_y+B1roXK91uzscT+vS5Y7jrNkG1bTxw5Q@mail.gmail.com> <c1b091c1-86a9-d3e3-5fcb-0b8d7d33fcf2@taugh.com>
In-Reply-To: <c1b091c1-86a9-d3e3-5fcb-0b8d7d33fcf2@taugh.com>
From: Emanuel Schorsch <emschorsch@google.com>
Date: Fri, 23 Jun 2023 11:00:52 -0700
Message-ID: <CAFcYR_UovpSntzLuFFAt9JwPz-+X5TuVoP88SYwwju0OVK9U1A@mail.gmail.com>
To: John R Levine <johnl@taugh.com>
Cc: dmarc@ietf.org, emgu@google.com
Content-Type: multipart/alternative; boundary="00000000000050a35605fecfcaf4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/npoYy8VRB9RfyjTfIH3OxS-3U04>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

>
> > It would be a way for senders to say "yes I checked that all my DKIM
> > signatures are working and aligned, I don't need you to look at SPF and
> > don't want to have the risk of SPF Upgrades."
>
> So why do you publish an SPF record?  Presumably so someone will accept
> your mail who wouldn't otherwise, except you just said they shouldn't.
> Still not making sense to me.
>

DKIM Replay is still an issue. If you don't publish any SPF record then
your mail will look fairly similar to replay attacks. In this case the SPF
isn't helping recipients accept mail that has a broken DKIM; it's helping
recipients additionally reject/spam-folder replayed mail, which will,
according to the spec, have a DMARC pass.

But putting aside DKIM Replay I think most senders would still want to
publish an SPF record since SPF has been around for a while and many
reputation systems use it as one of the factors. You just wouldn't be
publishing an SPF record to help from a DMARC perspective.
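To make the argument above concrete, here is an added example (written for this page, not code from the thread, from any DMARC implementation, or from the author's employer) that evaluates DMARC the way RFC 7489 does and then derives the extra receiver-side signal the message describes. DMARC passes if an aligned DKIM signature verifies or aligned SPF passes, so a replayed message with an intact DKIM signature still passes; the only thing that distinguishes it from the original delivery is that SPF fails for the unauthorized sending host. Legitimate mail from a domain with no SPF record ends up with the same "DKIM only" profile. Assumptions: relaxed alignment is approximated by a parent/child suffix match rather than a Public Suffix List lookup, the `AuthResults` structure and the three sample messages are constructed for the example, and the profile labels are this example's own.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class AuthResults:
    """Authentication outcomes a receiver holds for one message (constructed sample data)."""
    from_domain: str                 # RFC5322.From domain, the identifier DMARC aligns against
    dkim_pass_domains: List[str]     # d= domains of DKIM signatures that verified
    spf_result: str                  # "pass", "fail", "softfail", "none", ...
    spf_domain: str                  # RFC5321.MailFrom domain that SPF was evaluated for


def aligned(domain: str, from_domain: str, strict: bool = False) -> bool:
    """DMARC identifier alignment.

    Strict mode requires an exact match. Relaxed mode is approximated here by a
    parent/child suffix match; a real validator derives the organizational
    domain with the Public Suffix List instead (assumption for this example).
    """
    d = domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if d == f:
        return True
    if strict:
        return False
    return d.endswith("." + f) or f.endswith("." + d)


def dmarc_result(r: AuthResults) -> str:
    """RFC 7489 evaluation: pass if any aligned DKIM signature verified or aligned SPF passed."""
    dkim_aligned = any(aligned(d, r.from_domain) for d in r.dkim_pass_domains)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)
    return "pass" if dkim_aligned or spf_aligned else "fail"


def auth_profile(r: AuthResults) -> str:
    """Receiver-side signal that the DMARC pass/fail result alone does not expose.

    Replayed mail keeps its valid DKIM signature but is injected from hosts the
    sender never authorized, so it shows up as "DKIM pass, SPF fail". A sender
    that publishes no SPF record produces the same DKIM-only profile for its
    legitimate mail, which is the point made in the message above.
    """
    if dmarc_result(r) != "pass":
        return "dmarc-fail"
    if r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain):
        return "dkim-and-spf"
    if r.spf_result == "none":
        return "dkim-only-no-spf-record"
    return "dkim-only-spf-" + r.spf_result


# Constructed samples: one message as sent, the same message replayed from an
# unauthorized host, and legitimate mail from a sender that publishes no SPF record.
ORIGINAL = AuthResults("example.com", ["example.com"], "pass", "example.com")
REPLAYED = AuthResults("example.com", ["example.com"], "fail", "example.com")
NO_SPF_PUBLISHED = AuthResults("example.com", ["example.com"], "none", "example.com")


def classify_samples() -> dict:
    """Map each sample to its (DMARC result, auth profile) pair."""
    return {name: (dmarc_result(r), auth_profile(r))
            for name, r in [("original", ORIGINAL), ("replayed", REPLAYED),
                            ("no_spf_published", NO_SPF_PUBLISHED)]}


if __name__ == "__main__":
    for name, (dmarc, profile) in classify_samples().items():
        print(f"{name:18s} dmarc={dmarc:5s} profile={profile}")
```

All three samples come back `dmarc=pass`, which is exactly what the spec requires. Only the profile separates them: the original delivery is `dkim-and-spf`, the replay is `dkim-only-spf-fail`, and the sender with no SPF record is `dkim-only-no-spf-record`, indistinguishable from a replay on these signals. A receiver that feeds the profile into its reputation or filtering decision therefore has something to work with only when the sender publishes SPF.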