IETF Logo Mail Archive

Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Barry Leiba <barryleiba@computer.org> Wed, 28 June 2023 18:33 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E420C15152C for <dmarc@ietfa.amsl.com>; Wed, 28 Jun 2023 11:33:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.551
X-Spam-Level:
X-Spam-Status: No, score=-6.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.096, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OlG8mG3D_03a for <dmarc@ietfa.amsl.com>; Wed, 28 Jun 2023 11:32:56 -0700 (PDT)
Received: from mail-lj1-f181.google.com (mail-lj1-f181.google.com [209.85.208.181]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C91A6C151085 for <dmarc@ietf.org>; Wed, 28 Jun 2023 11:32:56 -0700 (PDT)
Received: by mail-lj1-f181.google.com with SMTP id 38308e7fff4ca-2b69f71a7easo2085951fa.1 for <dmarc@ietf.org>; Wed, 28 Jun 2023 11:32:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687977175; x=1690569175; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=TVSKuJzYhMwwkjgsNfgxItNKKRxYmZ2F3cVnmVpZgEQ=; b=JKCVGd65BJNylGWT8KJmkDqaf7L8rr/Buv9OCKsKA56Z/2gY+8qDMGsqtBnYd5JgVI 6CU+Z1ttDFMZyVUG+AtMvtiR1WJ3IWyvd22490E34ald4Q4F/W+gKj4aILFR387Vq/ZY uePk+xqIIy0WyAmYHRaxp2XxyB3oc/FG6+9fDSB5skfB0JnBLW+x1gUu95PQbZ/cWLdB 4ICazczOlqLaDy0/VGMW3zcvoC+rZsHMGDDrdqDcGBrDctwDaFySrR/PUilu+ZxtVsCf kL19BYUIgCs+mPxK5eThQ8SiZP3R2QO4Q8nKbstFriq71RuIMqFC0RvjoC/5HmCZBtRm 6/zg==
X-Gm-Message-State: AC+VfDzXrYQnNRAuIrd3FTe5XDIY1GOB9DFXUnAJMAUmid10+L38Vtlu 9/zp4eTKApus8MYv+CVBc6qAmaQCt3HgE51tVay7O+HefYg=
X-Google-Smtp-Source: ACHHUZ42i0i4pXGg50B29begQv8Z1ArhsbZ0FtQM27EC235y0gLAC6XBNZbfoWFQqMe00xeCt9uS6+RD5i/pMuwXSH8=
X-Received: by 2002:a2e:300e:0:b0:2b6:a76f:fc2c with SMTP id w14-20020a2e300e000000b002b6a76ffc2cmr5607887ljw.19.1687977174357; Wed, 28 Jun 2023 11:32:54 -0700 (PDT)
MIME-Version: 1.0
References: <20230623021810.E5F8DF9B3B94@ary.qy> <6495D504.4090809@isdg.net> <839aa10b-f7fa-c7a2-76db-6441189afca2@dusatko.org> <CALaySJ+gcVvpzJcrpUbOkOvjUFAhzw=pZovpZC7BhW_x7VW7nA@mail.gmail.com> <CAL0qLwasxzqJt7Hr7gZd86C=ivCrDUci_i6pkJJUTnqzL1pHMA@mail.gmail.com> <CALaySJ+gjR6D-OSE_07iSH2zXa7wypUQwPN1cL-1s+NC2S4L8g@mail.gmail.com> <99e1ef2d-053b-8cfe-f369-fa8475d142ae@tana.it> <CALaySJKZoAPTT-+cZEww+y2eUsDbNXcybb=Z7RxNLyfzPMr7ng@mail.gmail.com> <d3986316-02f9-9d73-be81-37af7cfd40a7@tana.it>
In-Reply-To: <d3986316-02f9-9d73-be81-37af7cfd40a7@tana.it>
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 28 Jun 2023 14:32:41 -0400
Message-ID: <CALaySJLtUtKNtP4__pOryFLaAODjiEx-nbdvF9tL6wYhcRCe_g@mail.gmail.com>
To: Alessandro Vesely <vesely@tana.it>
Cc: dmarc@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/nwYMgsT8JJhX0Es8OkWx1ptdbsM>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2023 18:33:01 -0000

I think DKIM replay is largely irrelevant to this discussion (about
the sender specifying which authentication to use), because if that's
your biggest concern with respect to DMARC, then "SPF only" is the
answer.  "SPF *and* DKIM" is not any better than that.

> You seem to imply that auth=dkim+spf wouldn't be effective against DKIM reply

(Assuming you mean "replay".)  "SPF and DKIM" does not give any
benefit beyond "SPF only" in this case.

Look, either SPF fails because the message was relayed illegitimately...
...or SPF passes because the replayer used the sender's legitimate
infrastructure to do the replay.

Barry

On Wed, Jun 28, 2023 at 12:43 PM Alessandro Vesely <vesely@tana.it> wrote:
>
> Thank you for your analysis.  However, it doesn't touch on DKIM replay.
>
> I know this topic belongs to the other list.  Let me briefly recall it, if this
> doesn't take too many cycles from core matters:  It occurs when a signed
> message is replayed by unauthorized hosts to recipients which were not
> originally addressed.  So, it is one case of your 3rd proposition: In some
> scenarios, DKIM will pass when SPF fails.
>
> You say that it is technically unnecessary to test both because DKIM should
> always pass when SPF passes (1st proposition).
>
> You claim:
> > But where the harm comes is in cases of mis-configuration, because now if
> > *either* of them is misconfigured, the whole thing fails -- neither of them
> > serves as a backup for the other; instead, the misconfiguration of either
> > one causes deliverability problems.
>
>
> I agree.  But what if SPF and DKIM are both configured properly?  You seem to
> imply that auth=dkim+spf wouldn't be effective against DKIM reply, but your
> analysis doesn't cover that case explicitly.
>
> Perhaps there are better ways to counter that specific problem, and certainly
> it's not what this WG is tasked to do.  But, just to make the point, I think
> it's interesting to know.
>
>
> Best
> Ale
>
>
> On Tue 27/Jun/2023 16:24:21 +0200 Barry Leiba wrote:
> > I don't understand how most of your message fits into this discussion:
> > you're comparing SPF's policy points with DMARC policy.  we're talking
> > about SPF as an authentication mechanism together with DKIM (not
> > DMARC) as an authentication mechanism... and then using those
> > authentication results in DMARC policy evaluation.
> >
> > But here: I've said all this before in separate places, so I'll put it
> > in one place, here, one more time:
> >
> > Given that SPF and DKIM are both configured properly:
> > 1. If SPF passes, DKIM will always pass.
> > 2. If DKIM fails, SPF will always fail.
> > 3. In some scenarios, DKIM will pass when SPF fails.
> >
> > Therefore, when everything is configured properly, SPF adds no value
> > beyond what DKIM does, and DKIM does add value beyond what SPF does.
> > That's why I am (and others are) arguing that we should remove SPF
> > *from DMARC evaluation*.  There's no argument that for now, or some,
> > SPF outside of DMARC still has value.
> >
> > What others are arguing is that in the real world, things do get
> > mis-configured, and if DKIM is misconfigured and fails when it
> > shouldn't, SPF adds value by providing a working authentication.
> > (And, of course, similarly the other way around, plus DKIM covers some
> > cases when messages are relayed or forwarded.)  That speaks for "SPF
> > *or* DKIM".
> >
> > But "SPF *and* DKIM" -- requiring *both* to pass -- is technically
> > unnecessary at best, because of (1) above: DKIM should always pass
> > when SPF passes.  But where the harm comes is in cases of
> > mis-configuration, because now if *either* of them is misconfigured,
> > the whole thing fails -- neither of them serves as a backup for the
> > other; instead, the misconfiguration of either one causes
> > deliverability problems.  DMARC is damaged by requiring an
> > authentication situation that is unnecessary when things are properly
> > configured, and that is more fragile than what we've been using, more
> > susceptible to configuration errors than we've seen before.
> >
> > And I'm afraid that people will use it preferentially, *thinking* that
> > it provides better "security" -- surely, double authentication is
> > better than single, no?
> >
> > No.
> >
> > Barry
> >
> > On Tue, Jun 27, 2023 at 6:36 AM Alessandro Vesely <vesely@tana.it> wrote:
> >>
> >> On Mon 26/Jun/2023 20:13:53 +0200 Barry Leiba wrote:
> >>> I'm saying I don't want "and" to be an option, because I think it's
> >>> damaging to DMARC.  There is no reason anyone should ever want to say
> >>> that, and providing the option asks for misconfigurations because
> >>> people think it's somehow "more secure".  It's not more secure.  It
> >>> would be very bad for deliverability of legitimate mail and would
> >>> provide no additional security.  It would be a terrible mistake.
> >>
> >>
> >> I've been sporting spf-all for years, and seldom experienced bounces, mostly
> >> due to misconfigured secondary MXes.  Out of 39 domains whose posts to this
> >> list in the past year are still in my inbox, 14 have spf-all.  So, while I'm
> >> not the only one, not many published -all even though it may seem to be somehow
> >> more secure.
> >>
> >> I think it can be worth to compare SPF and DMARC.  Another sender policy a
> >> decade and an authentication method after.  What adoption, what hype.
> >>
> >> Both policies ask receivers to reject a domain identifier in some cases.  RFC
> >> 7208 explicitly suggests to consider whitelisting (Appendix D).  DMARC provides
> >> for overrides but is less clear about how to handle exceptions.  After SPF
> >> broke forwarding, the reaction was split between some changing identifier and
> >> turning to ~all; after DMARC broke mailing lists, between changing identifier
> >> and not altering messages.  In my limited experience, the ratio seems to be
> >> higher for DMARC than SPF, but I may be wrong.
> >>
> >> In theory, domains that currently have a strict DMARC policy and spf-all, 6 of
> >> the above, should have their messages blocked when either method fails, up to
> >> changing identifiers.  Why would it be so bad for deliverability to
> >> additionally require DMARC alignment, which is the difference between that and
> >> the "and"?
> >>
> >> And, it seems to me that an ESP not having a bloated SPF record could stop a
> >> good deal of DKIM replay by resorting to auth=dkim+spf.  Besides collateral
> >> deliverability problems, why wouldn't that work?
> >>
> >> Wht would "and" damage DMARC more than -all damaged SPF?
> >>
> >> I hope we can discuss detailed criticism rather than vague ostracism.
> >>
> >>
> >> Best
> >> Ale
> >> --
> >>
> >>
> >>
> >>
> >>
> >
> > _______________________________________________
> > dmarc mailing list
> > dmarc@ietf.org
> > https://www.ietf.org/mailman/listinfo/dmarc

v2.23.0 | Report a Bug | By Email