Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

"Brotman, Alex" <Alex_Brotman@comcast.com> Fri, 09 June 2023 13:01 UTC

From: "Brotman, Alex" <Alex_Brotman@comcast.com>
To: "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: DMARC2 & SPF Dependency Removal
Thread-Index: AQHZmgj58ilP1Yl1OkWcMmRlCwBUj6+CZriQ
Date: Fri, 09 Jun 2023 13:01:06 +0000
Message-ID: <MN2PR11MB4351244C0B4ABD4DDC84EF2FF751A@MN2PR11MB4351.namprd11.prod.outlook.com>
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de>
In-Reply-To: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/sGw1z-eSWrijW_EWVGfEfW3gVks>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

A bit of additional data.  A single day of data for “many millions of messages”.   I did not (yet) look at alignment relating to DMARC, only the DMARC policies, and values of SPF/DKIM pass/fail.

For messages that were accepted:

37% reject
11% quarantine
24% none
28% absent

Of the ones that did have a policy of any sort (there is overlap for the domain count, as some messages from the same domain may have different states), and again, no DMARC alignment evaluated as part of these data queries:

DKIM Pass   SPF Pass   Message Count   Distinct Domain Count
N           N          0.16%           16.22%
N           Y          2.39%           13.70%
Y           N          1.02%           10.27%
Y           Y          96.43%          59.81%

However, while looking at the SPF-only pass, roughly 32% of those had attempted DKIM, but were failing.  Some of these are failing all of the time, some a fair bit less.  I did not try to analyze why they might be failing.  To give a sample, here are the most popular failing domains.

twitter.com
tommybahama.com
news.saks.com
e.redrobin.com
redfin.com
emails.beallsoutlet.com
fedex.com
gmail.com
bestfriends.org

I took a closer look at “twitter.com”, and their messages are failing about 50% of the time.  The Gmail ones are largely coming from Google systems (the majority of related subjects seem suspect, so perhaps they do not sign messages they believe to be spam).  I also looked at those that were not attempting any sort of DKIM (that we appeared to log), and these had the highest incidence rate:

e.officedepot.com
snapsteps.com
remedina.com
catchmycity.com
emailinfo.bestbuy.com
quirky.retroidols.com
little-open.com
engage.minecraft.net
BroadwayInChicago.com
leblanc.crystalpurtechnology.org

If folks are curious about other data points, I’ll do my best to provide them.

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast

From: dmarc <dmarc-bounces@ietf.org> On Behalf Of Tobias Herkula
Sent: Thursday, June 8, 2023 1:59 PM
To: dmarc@ietf.org
Subject: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Hi All,

This message comes out of some discussions I had at the current MAAWG meeting in Dublin.

I hope this message finds you well. The intent of this is to propose and discuss an evolutionary step in the DMARC protocol, which I believe will result in increased efficiency, reduced DNS load, and a more accurate reflection of the current email landscape.

My team recently concluded an extensive study on the current use and performance of DMARC. We analyzed a staggering 3.2 billion emails, and the insights drawn are quite enlightening. Of these, 2.2 billion emails (approximately 69%) passed the DMARC check successfully. It's quite an achievement, reflective of our collective hard work in fostering a safer, more secure email environment.

However, upon further analysis, it's evident that a mere 1.6% (or thirty-six million) of these DMARC-passed emails relied exclusively on the Sender Policy Framework (SPF) for validation. This is a remarkably low volume compared to the overall DMARC-passed traffic, raising questions about SPF's relevancy and the load it imposes on the DNS systems.

Given the current use case scenarios and the desire to optimize our resources, I propose that we explore the possibility of removing the SPF dependency from DMARC. This step could result in a significant reduction in DNS load, increased efficiency, and an accurate alignment with our predominant use cases.

However, such a fundamental shift in the protocol's architecture warrants a clear signifier. I suggest we upgrade our DMARC version string from the current state to 'DMARC2.' This upgrade would not only denote the change of SPF removal, but also the switch from the Public Suffix List (PSL) to the Tree-Walk algorithm.

By moving towards DMARC2, we not only update our standard to better reflect our present requirements, but we also make a clear commitment to the ongoing evolution and improvement of the protocol.

Best regards,

Tobias Herkula
Mail Security & Transfer
1&1 (GMX, Web.de, Mail.com, IONOS)