IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Sebastiaan de Vos <sebastiaan@inboxsys.com> Fri, 16 June 2023 11:29 UTC

Return-Path: <sebastiaan@inboxsys.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B0DFC151992 for <dmarc@ietfa.amsl.com>; Fri, 16 Jun 2023 04:29:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=inboxsys.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p3Y8Dt2kdPju for <dmarc@ietfa.amsl.com>; Fri, 16 Jun 2023 04:28:58 -0700 (PDT)
Received: from mta1.inboxsys.net (mta1.inboxsys.net [168.119.108.63]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D36AC15198D for <dmarc@ietf.org>; Fri, 16 Jun 2023 04:28:57 -0700 (PDT)
Received: from [127.0.0.1] (localhost [127.0.0.1]) by mta1.inboxsys.net (Postfix) with ESMTPSA id 283A93FB64 for <dmarc@ietf.org>; Fri, 16 Jun 2023 13:28:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=inboxsys.com; s=deliv202301; t=1686914935; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=8uOeRtVSwH/q0Mu7JLn3NaC2nXAqHe4uBfFtRLuL2Vk=; b=gLcCOGQ4Pit18ve0ibm29rnishN/vnIextt0AduZvZaq9OOJMyQfPiJ4J8G/eHYBAYxEv7 Soz6OibYRiKu+VbiFykavJwxcndLT6gZ8CtLUe70ZKPsKq6Uon/YdokBph3W8/5YOxwOR3 XKTVGY5EylRWB7QipSZjWQYYNNg64p3wIJ18fcRF7V3/HJUiCw/mjcG6rJ+hqS8dJ+j7qf yw4jHboWjol7MmR3KYuagD1YT4EgN+iGLhNPsVsfsugSSQ/7POD7we9DDqy4vG30N1KA89 rRZCsLLwvfPu7h2n2oFzVQdzO9ZR4S9415xGazI7S4U3LY4YTG0G+HewKInc5A==
Authentication-Results: mta1.inboxsys.net; auth=pass smtp.mailfrom=sebastiaan@inboxsys.com
Message-ID: <47b8a0c7-6a52-a4ad-e98e-8cb2f881713e@inboxsys.com>
Date: Fri, 16 Jun 2023 13:28:51 +0200
MIME-Version: 1.0
To: dmarc@ietf.org
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <D225D7FC-C570-4B63-A694-9F16DB1F33E1@kitterman.com> <CALaySJKwuOK-81dW2H9dtURxa5mLQDUNo+MWcs+Hho8N+yP9qg@mail.gmail.com> <2817813.dRqVH37e0G@localhost> <CALaySJJbPFBAV_7mZaARYWuMzuX+74r2Cm0jD+z92_iuFRn_MQ@mail.gmail.com> <25736.57534.195344.782189@fireball.acr.fi> <1ec42959-977a-9ce0-907a-83a5eb2b6ef2@tana.it> <25739.5435.550786.601699@fireball.acr.fi> <25739.33240.127804.524371@fireball.acr.fi> <5d9a0b0f-8777-2494-d779-376c6ab8b37d@tana.it> <7d39aa8e-dacc-05fa-eff1-2cc350d521db@inboxsys.com> <CAH48ZfwyBwfKzG_3R5uyV6tmY0yUtWy=5yAoAOEhUGn_Rz6HNw@mail.gmail.com>
Content-Language: en-US
From: Sebastiaan de Vos <sebastiaan@inboxsys.com>
In-Reply-To: <CAH48ZfwyBwfKzG_3R5uyV6tmY0yUtWy=5yAoAOEhUGn_Rz6HNw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/p-71fbm4dPa2-tS62g4lWbFqjTk>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2023 11:29:03 -0000

The need for separate DKIM failure codes to be able to separate between 
in-transit changes and public key errors is more than just valid and I 
don't consider SPF worthless in general, but I just find it disturbing 
how the obviously misplaced confidence in SPF currently weakens the 
whole DMARC standard.

Is it not in our best interest to encourage and motivate in particular 
the less sophisticated senders to use the higher confidence mechanisms?


On 16.06.23 13:02, Douglas Foster wrote:
> RFC 7489 takes 8 different authentication mechanisms and lumps them 
> into a single PASS result:
> DKIM or SPF, each with up to four types of alignment:  same domain, 
> parent->child, child->parent, and sibling->sibling
>
> These eight mechanisms all provide some level of confidence that the 
> message is not impersonated, but they do not provide an equal level of 
> confidence.
>
> Unsophisticated senders have little incentive to use the higher 
> confidence mechanisms because any PASS result is still PASS.   The 
> solution is not to pretend that SPF is worthless, because that is an 
> overstatement.   The solution is to talk about the differences in 
> confidence provided by the different authentication methods, and note 
> that evaluators have reason to distrust some of them.   That distrust 
> could cause a weakly authenticated message to be distrusted by some 
> evaluators.
>
> Similarly, needs multiple types of FAIL.   Since the data indicates 
> that missing (or invalid) public keys are a significant portion of all 
> failures, it needs a separate failure code from "normal" failures 
> which suggest in-transit changes.   The DKIM group needs to define the 
> result code but this group would need to integrate it into our 
> aggregate reports.

v2.23.0 | Report a Bug | By Email