IETF Logo Mail Archive

Re: [dmarc-ietf] Signaling forwarders, not just MLMs

Dotzero <dotzero@gmail.com> Thu, 13 April 2023 16:41 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D984C14CE51 for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 09:41:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtGMUhPp1fcw for <dmarc@ietfa.amsl.com>; Thu, 13 Apr 2023 09:41:37 -0700 (PDT)
Received: from mail-ua1-x92d.google.com (mail-ua1-x92d.google.com [IPv6:2607:f8b0:4864:20::92d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C90F8C14CE4C for <dmarc@ietf.org>; Thu, 13 Apr 2023 09:41:37 -0700 (PDT)
Received: by mail-ua1-x92d.google.com with SMTP id k20so10808438ual.2 for <dmarc@ietf.org>; Thu, 13 Apr 2023 09:41:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681404096; x=1683996096; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=sq/92YowSbTeqvK460z4/qfR3OStx0xkxj0/IzNoxOI=; b=ii74piNl+Loyafbu7yQ8S+dbWLrqOEw2nVbof2/5uKlk8LICARytipR6I2u5NIBhq+ JhpXiISbN29Cn5xfrA5EvzOFfHjn/ciWK500EoCGia/C+woEdpLoSB04q6rMg+zw23j4 8KSIpH5USCZwnoJFsGMX5DxeL0wB5lj4FEROxUEk/WHhM3bqTVAzkmRrdaXNsZ29pSrL X3JUsuijuSsQJlW+9J8OuNQ82wVLMasVX0js+tXklSzSnOV0nSHpa4DH8qCxsrsgkV/y F9X3k02ep7Wy1h0/dHq7yVlRL3DpUS2yr9Fo6bb3ZowHb76JHY7BQIKyVKtaXpO/ku30 MyDQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681404096; x=1683996096; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=sq/92YowSbTeqvK460z4/qfR3OStx0xkxj0/IzNoxOI=; b=VXnh2fLm0N6gKlfL4B9h7ndgrOGhjVbyR3POFfAcTDvYcQrGSnKgGbbEqIIOLkU26F E7aolqJ9rsrQ765j8SBBQlsQOYR4vgYiTKSLvcEI4ykDmrg1ef8IY1X+Z+KmM9t1iHYG HSYZ7/IVZbWwenvmmoTDJeTPccdiOKtHq69KHleF5zIWX0/VkDqbe46p70ow+tGtRWZB wHszQpQhDLn30mcqlK5ZfZXBrM2EDRroBeTPhDFNkua5sX3NHmEGTKjZTpVM2ZnpjECR CxSMnZi77ZIMbyYe2PNDyvemkhldX8KFMjgxwGBR210hD21D3qdQAYLvnjrEEmyBEQdr tsgQ==
X-Gm-Message-State: AAQBX9cQG03BUQ6C+Fz0zSW9LB0Z0DbW6CbpPDLkaugrDOngCFP0utFe CzA1EgSZkl/lZGWglpHu9YGzJDHhsDBOvN8GamE=
X-Google-Smtp-Source: AKy350bE4JVx7zXL6Dj4nCT+plyL4aTbIFZpYyJcbDJpT5IaghKVA2iKazQNJXy4z8mRW/91G1MesEfCwCgbm9k6Cgc=
X-Received: by 2002:a1f:2012:0:b0:440:60f4:cb30 with SMTP id g18-20020a1f2012000000b0044060f4cb30mr324450vkg.3.1681404096429; Thu, 13 Apr 2023 09:41:36 -0700 (PDT)
MIME-Version: 1.0
References: <CAL0qLwYbbLLq-qLg_Wnp5aFw_2my4UTZz3U3LjwbCmpMNdudfA@mail.gmail.com> <20230413151342.B96D0BF17F1F@ary.qy> <CALaySJKM5Kct0u0ekuEBS=DVQTXG_CiewpzNwVyPiAaQ9zx3VA@mail.gmail.com> <CAHej_8nyYrCXPo8aYOb+cVSf=2NQDOBmUgo-FD=ohPBZ=yFuHw@mail.gmail.com> <CALaySJ+6JxGua90o8kgyoFH48swn6f0g8x+Jx4By4jQnC7ot8w@mail.gmail.com>
In-Reply-To: <CALaySJ+6JxGua90o8kgyoFH48swn6f0g8x+Jx4By4jQnC7ot8w@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Thu, 13 Apr 2023 12:41:25 -0400
Message-ID: <CAJ4XoYddHX20JOJfURAsVhpzi6HobX90qim=5Zw2jpbq5KsNJw@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Todd Herr <todd.herr@valimail.com>, John Levine <johnl@taugh.com>, dmarc@ietf.org, superuser@gmail.com
Content-Type: multipart/alternative; boundary="000000000000e4427905f93a65a8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ohEZx-H94COUpbnn676gLybjOMo>
Subject: Re: [dmarc-ietf] Signaling forwarders, not just MLMs
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Apr 2023 16:41:41 -0000

On Thu, Apr 13, 2023 at 12:19 PM Barry Leiba <barryleiba@computer.org>
wrote:

> Maybe just add a sentence to the end of the second paragraph:
>
>    The use of SPF alone, without DKIM, is strongly NOT RECOMMENDED.
>
> Barry
>

I think the opposite. Something along the lines of "Sending domains SHOULD
implement both SPF and DKIM to minimize breakage and non-delivery of mail.

Michael Hammer


>
>
> On Thu, Apr 13, 2023 at 12:04 PM Todd Herr <todd.herr@valimail.com> wrote:
>
>> On Thu, Apr 13, 2023 at 11:21 AM Barry Leiba <barryleiba@computer.org>
>> wrote:
>>
>>> > Anyone who does forwarding is damaged by DMARC because there are a lot
>>> of
>>> > people who do DMARC on the cheap with SPF only.
>>>
>>> This brings up another issue, I think: that there should also be
>>> stronger advice that using DKIM is critical to DMARC reliability, and
>>> using SPF only, without DKIM, is strongly NOT RECOMMENDED.
>>>
>>> I don't disagree.
>>
>> How do we make the following text stronger?
>> 5.5.2.
>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2>Configure
>> Sending System for DKIM Signing Using an Aligned Domain
>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#name-configure-sending-system-fo>
>>
>> While it is possible to secure a DMARC pass verdict based on only one of
>> SPF or DKIM, it is commonly accepted best practice to ensure that both
>> authentication mechanisms are in place to guard against failure of just one
>> of them.
>>
>> This is particularly important because SPF will always fail in situations
>> where mail is sent to a forwarding address offered by a professional
>> society, school or other institution, where the address simply relays the
>> message to the recipient's current "real" address. Many recipients use such
>> addresses and with SPF alone and not DKIM, messages sent to such users will
>> always produce DMARC fail.
>> <https://www.ietf.org/archive/id/draft-ietf-dmarc-dmarcbis-27.html#section-5.5.2-2>
>>
>> The Domain Owner SHOULD choose a DKIM-Signing domain (i.e., the d=
>> domain in the DKIM-Signature header) that aligns with the Author Domain.
>>
>>
>> --
>>
>> *Todd Herr * | Technical Director, Standards and Ecosystem
>> *e:* todd.herr@valimail.com
>> *m:* 703.220.4153
>>
>> This email and all data transmitted with it contains confidential and/or
>> proprietary information intended solely for the use of individual(s)
>> authorized to receive it. If you are not an intended and authorized
>> recipient you are hereby notified of any use, disclosure, copying or
>> distribution of the information included in this transmission is prohibited
>> and may be unlawful. Please immediately notify the sender by replying to
>> this email and then delete it from your system.
>>
> _______________________________________________
> dmarc mailing list
> dmarc@ietf.org
> https://www.ietf.org/mailman/listinfo/dmarc
>

v2.23.0 | Report a Bug | By Email