Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Tobias Herkula <tobias.herkula@1und1.de> Thu, 08 June 2023 15:42 UTC

Return-Path: <tobias.herkula@1und1.de>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDEC6C15109A for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 08:42:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=1und1.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yRQDjPiXCRFO for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 08:42:33 -0700 (PDT)
Received: from moint.1and1.com (moint.1and1.com [212.227.15.7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB885C151090 for <dmarc@ietf.org>; Thu, 8 Jun 2023 08:42:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=1und1.de; s=corp1; h=MIME-Version:Message-ID:Date:Subject:CC:To:From:sender:reply-to; bh=0fY8oDPbpFd0Rl1afAv8/xJJRXAL3r+k0FLVtH+l8j8=; b=wWPoT+INxIFC9JvrriYIhPJKI f6Pk0ap6aLXnh0RxamoNEm4ECexMWab75jZfhAFp5TaBP1KN7s15SIkTx5W3znWtIRoTguqin+Oae 3EuPf/UM52MJDa+bP2WFVneWk40fhxgyww4/hoxqkez5Z74x43COnBvf6DBeSUkKuUo+bhNUY2f1t TmBIU55RNAEtr/lF6W7bbVq+IMyA3lzYqFvZrchVlPeaxQ/NTzhf8SIjDg+y/GFd+REoskgcpa6JZ vaU7NI8lNeR7m7r25mqYpsATWhe+8Dv9Jjhw3Xpb8oB9es9bI2w4EOcwsAZGM54LNlO2gTKRnUzhe wSwELAy8w==;
Received: from [10.98.29.10] (helo=BAPPEX025.united.domain) by mrint.1and1.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <tobias.herkula@1und1.de>) id 1q7HmR-0008Ph-3w; Thu, 08 Jun 2023 17:42:31 +0200
From: Tobias Herkula <tobias.herkula@1und1.de>
To: Seth Blank <seth@valimail.com>, Barry Leiba <barryleiba@computer.org>
CC: Seth Blank <seth@sethblank.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] DMARC2 & SPF Dependency Removal
Thread-Index: AQHZmh7sQkZMnShQS0aR+SPhLckqSK+A+qkA
Date: Thu, 08 Jun 2023 15:42:30 +0000
Message-ID: <0CEDBD17-76CF-4D7D-B397-9E34A98160A8@1und1.de>
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAL0qLwbx6Y=kmB5pQZx8gNqD=rLBYz1vLOX6ngL=wUHHUm0Hjw@mail.gmail.com> <CAOZAAfMtsjcp+aCrwQ2QRc+SHsw3rhwMuTBugRYe44NeiMeKyg@mail.gmail.com> <CALaySJKrXJJXz3pgp85BPswoirhPJtD=uuefVfc9sX1fGkj-iA@mail.gmail.com> <CAD2i3WMbVZ0-yQeqoy7P9njyBRU2jdbP2jGtzUnzEE0dfsLR2g@mail.gmail.com> <CALaySJJY3_=HknSBENOjkUomdX_RXMfXyCxYOd3mjsvS-V=-Qw@mail.gmail.com> <CAOZAAfMybMYJrw9dMd=VmhD0oX0w+m1k8Vg=Hn=QJ3UZBLfRNw@mail.gmail.com>
In-Reply-To: <CAOZAAfMybMYJrw9dMd=VmhD0oX0w+m1k8Vg=Hn=QJ3UZBLfRNw@mail.gmail.com>
Accept-Language: en-US, de-DE
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.98.28.55]
Content-Type: multipart/alternative; boundary="_000_0CEDBD1776CF4D7DB3979E34A98160A81und1de_"
MIME-Version: 1.0
X-Virus-Scanned: ClamAV@mvs-ha-bs
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sA_GygjzrYLL4rRTrV7zIQZ2AIc>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2023 15:42:37 -0000

If we move to DMARC2 version string this would be solved easily, we could add the requirement to the tree-walk algo, we fallback to DMARC1 records if the tree-walk does not find a DMARC2 one. So, the long-tail can continue running in their current environment and upgrade on their own pace to the next DKIM only DMARC.

/ Tobias

Von: Seth Blank <seth@valimail.com>
Datum: Donnerstag, 8. Juni 2023 um 16:35
An: Barry Leiba <barryleiba@computer.org>
Cc: Seth Blank <seth@sethblank.com>, Tobias Herkula <tobias.herkula@1und1.de>, "dmarc@ietf.org" <dmarc@ietf.org>
Betreff: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

I’ll bring data. I think there’s a practical problem here and a class of services that are not email-first which will break completely (ie get immediately rejected) were such a change to be made.

This feels like a significant interoperability problem we’d be introducing.

I’m loathe to add flags when we’ve been so good at simplifying DMARC through the bis process and removing flags, but what about a way to say “I only send with DKIM, and do not evaluate SPF on my behalf”?

That wouldn’t create an interop problem, and gives a path to upgrade without creating breaking change out of the gate?

Seth

On Thu, Jun 8, 2023 at 16:05 Barry Leiba <barryleiba@computer.org<mailto:barryleiba@computer.org>> wrote:
Oh, and as to your last paragraph, I think it’s the wrong question.  What we need to understand is that SPF is ineffective, and DKIM is what’s necessary to make DMARC work effectively.  When we started, DKIM was not as broadly deployed and we didn’t understand how bad SPF would be.  We have different information now, and we need to say that of you want to reliably authenticate you have to use DKIM… that’s it.

Barry

On Thu, Jun 8, 2023 at 3:54 PM Seth Blank <seth@sethblank.com<mailto:seth@sethblank.com>> wrote:
Participating, while running around so apologies for terseness:

Sophisticated senders do DKIM. The long tail, we're lucky if they do SPF. Some authentication is better than none.

The problem isn't people evaluating SPF vs DKIM and choosing the easier option. It's people who have a business, who bolt on email, and then struggle to authenticate through any means. Again, we're lucky when we get SPF from them, and I'll still take that over no auth all day every day.

Don't disagree at all with the myriad problems with SPF, and that the goal should be to eliminate it. I just don't believe we're anywhere close to that being a reality yet.

The data that led to DMARC showed that SPF and DKIM were both necessary to determine legitimacy broadly. What would we need to understand now to see if only DKIM is necessary?

On Thu, Jun 8, 2023 at 3:44 PM Barry Leiba <barryleiba@computer.org<mailto:barryleiba@computer.org>> wrote:
See, I don't look at it as "harmed".  Rather, I think they're using "we use SPF" as a *reason* not to use DKIM, and I think that *causes* harm.

SPF is, as I see it, worse than useless, as it adds no value to domain that use DKIM -- any time DKIM fails SPF will also fail -- and actually impedes the adoption of DKIM.  Reliance on SPF causes DMARC failures that result in deliverability problems for legitimate mail.  I wholeheartedly support removal of SPF as an authentication mechanism that DMARC accepts.

Barry, as participant

On Thu, Jun 8, 2023 at 3:30 PM Seth Blank <seth=40valimail.com@dmarc.ietf.org<mailto:40valimail.com@dmarc.ietf.org>> wrote:
Participating, I have data that I believe points to a long tail of businesses who predominantly only authenticate on behalf of others using SPF, and would be harmed by such a change. It will take me a little while to confirm and share.

I also know a predominant ccTLD with millions of registrations, that has SPF on roughly 80% of them, but DMARC on barely 5%. I don't have data on DKIM for those, but I assume it's closer to the DMARC penetration than the SPF one. I'll see if I can get this data to share more publically, and also get the DKIM answer.

Of course the goal is aligned dkim with a stated policy, but I don't think the data supports us being anywhere close to that realistically.

As Chair, this is a valuable conversation to have with real data on problems and opportunities at scale, and am excited to see Tobias share and see what others have to say.

Seth

On Thu, Jun 8, 2023 at 3:21 PM Murray S. Kucherawy <superuser@gmail.com<mailto:superuser@gmail.com>> wrote:
On Thu, Jun 8, 2023 at 6:00 AM Tobias Herkula <tobias.herkula=401und1.de@dmarc.ietf.org<mailto:401und1.de@dmarc.ietf.org>> wrote:
My team recently concluded an extensive study on the current use and performance of DMARC. We analyzed a staggering 3.2 billion emails, and the insights drawn are quite enlightening. Of these, 2.2 billion emails (approximately 69%) passed the DMARC check successfully. It's quite an achievement, reflective of our collective hard work in fostering a safer, more secure email environment.

However, upon further analysis, it's evident that a mere 1.6% (or thirty-six million) of these DMARC-passed emails relied exclusively on the Sender Policy Framework (SPF) for validation. This is a remarkably low volume compared to the overall DMARC-passed traffic, raising questions about SPF's relevancy and the load it imposes on the DNS systems.

Given the current use case scenarios and the desire to optimize our resources, I propose that we explore the possibility of removing the SPF dependency from DMARC. This step could result in a significant reduction in DNS load, increased efficiency, and an accurate alignment with our predominant use cases.
[...]

Does anyone have consonant (or dissonant) data?

-MSK, participating
_______________________________________________
dmarc mailing list
dmarc@ietf.org<mailto:dmarc@ietf.org>
https://www.ietf.org/mailman/listinfo/dmarc


--
Seth Blank | Chief Technology Officer
e: seth@valimail.com<mailto:seth@valimail.com>
p: 415.273.8818
Fehler! Es wurde kein Dateiname angegeben.

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.
_______________________________________________
dmarc mailing list
dmarc@ietf.org<mailto:dmarc@ietf.org>
https://www.ietf.org/mailman/listinfo/dmarc
_______________________________________________
dmarc mailing list
dmarc@ietf.org<mailto:dmarc@ietf.org>
https://www.ietf.org/mailman/listinfo/dmarc
--
Seth Blank | Chief Technology Officer
e: seth@valimail.com<mailto:seth@valimail.com>
p: 415.273.8818
[Das Bild wurde vom Absender entfernt.]

This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.