Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Hector Santos <hsantos@isdg.net> Sat, 24 June 2023 18:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/ph7a2Q6QsbfGQyIbaIMpXo0_4n8>

> If the DMARC spec makes that clear, I think we win.  And recipients
> can still do what they want: if DMARCbis goes out with "use DKIM only"
> and a recipient wants to use SPF anyway, they can do that... just as a
> recipient that decides to use best-guess-SPF in the absence of actual
> SPF records is free to make that choice.

When said that way, I believe that requires a version bump v2, which would inherently mean "use DKIM only."

So supporters all do a version check:


   bUseDKIMOnly = (DMARC["v="] == "DMARC2") ? 1 : 0


And the new supporter will use the flag bUseDKIMOnly throughout its current DMARC1 evaluation accordingly.

Or via an "add-on" tag extension:

   bUseDKIMOnly = (DMARC["auth="] == "dkim") ? 1 : 0

Six of one, half a dozen of the other?

The problem is that there are implementations that do check for v=DMARC1 and will not accept DMARC2 as a valid record, when in fact a DMARC2 record exists whose only purpose in life was to signify a relaxed DMARC1 evaluation regarding SPF.

I like the tag extension instead. Makes coding life easier, I think. But if v=DMARC2 is the way Levine wishes to go, I'm OK. I see issues with just changing the inherent behavior without any protocol negotiating signals.

—
HLS
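The two signalling options discussed in the message, and the compatibility point about deployed checkers that insist on v=DMARC1, as an added example that is not code from the thread or from any DMARC implementation. "v=DMARC2" and the "auth=dkim" tag are the author's hypotheticals, not published DMARC syntax, and the function names (parse_dmarc_record, evaluate, etc.) are chosen here.

```python
# Constructed example, not code from the thread or from any real DMARC
# implementation. "v=DMARC2" and the "auth=dkim" tag are the author's
# hypotheticals, not published DMARC syntax.

def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record into a tag -> value dict (tag names lowercased).

    Unknown tags are kept, not rejected: RFC 7489 tells evaluators to ignore
    tags they do not understand, which is what makes an add-on tag backward
    compatible with deployed DMARC1 code, while a new v= value is not.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    return tags

def legacy_dmarc1_accepts(tags: dict) -> bool:
    """Deployed DMARC1 evaluator: the record is only valid if v=DMARC1."""
    return tags.get("v") == "DMARC1"

def dkim_only_by_version(tags: dict) -> bool:
    """Option 1 from the message: bUseDKIMOnly = (DMARC["v="] == "DMARC2")."""
    return tags.get("v") == "DMARC2"

def dkim_only_by_tag(tags: dict) -> bool:
    """Option 2 from the message: bUseDKIMOnly = (DMARC["auth="] == "dkim")."""
    return tags.get("auth", "").lower() == "dkim"

def evaluate(txt: str) -> dict:
    """What a legacy DMARC1 checker and each new-style checker conclude."""
    tags = parse_dmarc_record(txt)
    return {
        "legacy_accepts": legacy_dmarc1_accepts(tags),
        "dkim_only_by_version": dkim_only_by_version(tags),
        "dkim_only_by_tag": dkim_only_by_tag(tags),
    }

if __name__ == "__main__":
    # Constructed sample records; example.com is a placeholder domain.
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                "v=DMARC2; p=reject",             # strict DMARC1 checkers drop it
                "v=DMARC1; p=reject; auth=dkim"):  # legacy checkers ignore auth=
        print(rec, "->", evaluate(rec))
```

The second record shows the point of the message: a version bump is invisible as a DMARC policy to any evaluator that only accepts v=DMARC1, whereas the add-on tag keeps the record valid for everyone and only changes behaviour for evaluators that understand it.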