IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Tobias Herkula <tobias.herkula@1und1.de> Thu, 08 June 2023 16:00 UTC

Return-Path: <tobias.herkula@1und1.de>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0925EC15108F for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 09:00:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.099
X-Spam-Level:
X-Spam-Status: No, score=-7.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=1und1.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FZU9-0_u5Lwh for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 09:00:17 -0700 (PDT)
Received: from moint.1and1.com (moint.1and1.com [212.227.15.8]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C600C15108C for <dmarc@ietf.org>; Thu, 8 Jun 2023 09:00:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=1und1.de; s=corp1; h=MIME-Version:Message-ID:Date:Subject:To:From:cc:sender:reply-to; bh=O1qrV02CwVUN4ksK4Idym7KeHhb6VtkfyyyOWE7RQ3s=; b=aSrGnlArr0kwFwFgoKHsXoJ6/ RQx7UiXee6mATzGp7pS8rJ+X+zg4B5zV5KNTWxp4MSDZt+6YZEu7HDPqbvnnrQPZAdHDZzyqDwIC5 I2ucLPxwtdcNonf00CE/XHJhpSfU3Nbr2EARJ71+hMzEyWLlcj8JY5O3TUh6UBVBf7RDssOo/CXDL iqzj/qJrL6MngYyC2+In5IwvjddZXVXM4YMi97DWtlhdqHi/RH/g6dELjtQHUOyXg6PxUhpYpTrua J7IyDTCHadG9b9npZKKnj9VISBEFAxgPYIuZXBIEMFm4/jVpEoM3jAvIZ+onpuH13pBPj+toUk52H HLepBNvTw==;
Received: from [10.98.29.10] (helo=BAPPEX025.united.domain) by mrint.1and1.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <tobias.herkula@1und1.de>) id 1q7I3b-0000rH-HB; Thu, 08 Jun 2023 18:00:15 +0200
From: Tobias Herkula <tobias.herkula@1und1.de>
To: Scott Kitterman <sklist@kitterman.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] DMARC2 & SPF Dependency Removal
Thread-Index: AQHZmh7sQkZMnShQS0aR+SPhLckqSK+A7CiAgAATdQA=
Date: Thu, 08 Jun 2023 16:00:14 +0000
Message-ID: <74EC4AC1-F016-4BDC-BBDE-F4FD2ABA03D9@1und1.de>
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAL0qLwbx6Y=kmB5pQZx8gNqD=rLBYz1vLOX6ngL=wUHHUm0Hjw@mail.gmail.com> <CAOZAAfMtsjcp+aCrwQ2QRc+SHsw3rhwMuTBugRYe44NeiMeKyg@mail.gmail.com> <CALaySJKrXJJXz3pgp85BPswoirhPJtD=uuefVfc9sX1fGkj-iA@mail.gmail.com> <CAD2i3WMbVZ0-yQeqoy7P9njyBRU2jdbP2jGtzUnzEE0dfsLR2g@mail.gmail.com> <CALaySJJY3_=HknSBENOjkUomdX_RXMfXyCxYOd3mjsvS-V=-Qw@mail.gmail.com> <CAOZAAfMybMYJrw9dMd=VmhD0oX0w+m1k8Vg=Hn=QJ3UZBLfRNw@mail.gmail.com> <66433CD1-BDDA-429F-B7A4-9E972754719F@kitterman.com>
In-Reply-To: <66433CD1-BDDA-429F-B7A4-9E972754719F@kitterman.com>
Accept-Language: en-US, de-DE
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.98.28.55]
Content-Type: text/plain; charset="utf-8"
Content-ID: <8D46CBAA40F30043894C8D9E22F74057@united.domain>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Virus-Scanned: ClamAV@mvs-ha-bs
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/soOmm2OnItmrombcZcCA3BnTSIA>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2023 16:00:22 -0000

That's a circle argument, as long as there is a Receiver that's needs SPF, the sender will not disable it.

/ Tobias

Am 08.06.23, 16:51 schrieb "dmarc im Auftrag von Scott Kitterman" <dmarc-bounces@ietf.org <mailto:dmarc-bounces@ietf.org> im Auftrag von sklist@kitterman.com <mailto:sklist@kitterman.com>>:


Isn't the way to say I don't use SPF for DMARC to not publish an SPF record?


Scott K


On June 8, 2023 3:35:38 PM UTC, Seth Blank <seth=40valimail.com@dmarc.ietf.org <mailto:40valimail.com@dmarc.ietf.org>> wrote:
>I’ll bring data. I think there’s a practical problem here and a class of
>services that are not email-first which will break completely (ie get
>immediately rejected) were such a change to be made.
>
>This feels like a significant interoperability problem we’d be introducing.
>
>I’m loathe to add flags when we’ve been so good at simplifying DMARC
>through the bis process and removing flags, but what about a way to say “I
>only send with DKIM, and do not evaluate SPF on my behalf”?
>
>That wouldn’t create an interop problem, and gives a path to upgrade
>without creating breaking change out of the gate?
>
>Seth
>
>On Thu, Jun 8, 2023 at 16:05 Barry Leiba <barryleiba@computer.org <mailto:barryleiba@computer.org>> wrote:
>
>> Oh, and as to your last paragraph, I think it’s the wrong question. What
>> we need to understand is that SPF is ineffective, and DKIM is what’s
>> necessary to make DMARC work effectively. When we started, DKIM was not as
>> broadly deployed and we didn’t understand how bad SPF would be. We have
>> different information now, and we need to say that of you want to reliably
>> authenticate you have to use DKIM… that’s it.
>>
>> Barry
>>
>> On Thu, Jun 8, 2023 at 3:54 PM Seth Blank <seth@sethblank.com <mailto:seth@sethblank.com>> wrote:
>>
>>> Participating, while running around so apologies for terseness:
>>>
>>> Sophisticated senders do DKIM. The long tail, we're lucky if they do SPF.
>>> Some authentication is better than none.
>>>
>>> The problem isn't people evaluating SPF vs DKIM and choosing the easier
>>> option. It's people who have a business, who bolt on email, and then
>>> struggle to authenticate through any means. Again, we're lucky when we get
>>> SPF from them, and I'll still take that over no auth all day every day.
>>>
>>> Don't disagree at all with the myriad problems with SPF, and that the
>>> goal should be to eliminate it. I just don't believe we're anywhere close
>>> to that being a reality yet.
>>>
>>> The data that led to DMARC showed that SPF and DKIM were both necessary
>>> to determine legitimacy broadly. What would we need to understand now to
>>> see if only DKIM is necessary?
>>>
>>> On Thu, Jun 8, 2023 at 3:44 PM Barry Leiba <barryleiba@computer.org <mailto:barryleiba@computer.org>>
>>> wrote:
>>>
>>>> See, I don't look at it as "harmed". Rather, I think they're using "we
>>>> use SPF" as a *reason* not to use DKIM, and I think that *causes* harm.
>>>>
>>>> SPF is, as I see it, worse than useless, as it adds no value to domain
>>>> that use DKIM -- any time DKIM fails SPF will also fail -- and actually
>>>> impedes the adoption of DKIM. Reliance on SPF causes DMARC failures that
>>>> result in deliverability problems for legitimate mail. I wholeheartedly
>>>> support removal of SPF as an authentication mechanism that DMARC accepts.
>>>>
>>>> Barry, as participant
>>>>
>>>> On Thu, Jun 8, 2023 at 3:30 PM Seth Blank <seth=
>>>> 40valimail.com@dmarc.ietf.org <mailto:40valimail.com@dmarc.ietf.org>> wrote:
>>>>
>>>>> Participating, I have data that I believe points to a long tail of
>>>>> businesses who predominantly only authenticate on behalf of others using
>>>>> SPF, and would be harmed by such a change. It will take me a little while
>>>>> to confirm and share.
>>>>>
>>>>> I also know a predominant ccTLD with millions of registrations, that
>>>>> has SPF on roughly 80% of them, but DMARC on barely 5%. I don't have data
>>>>> on DKIM for those, but I assume it's closer to the DMARC penetration than
>>>>> the SPF one. I'll see if I can get this data to share more publically, and
>>>>> also get the DKIM answer.
>>>>>
>>>>> Of course the goal is aligned dkim with a stated policy, but I don't
>>>>> think the data supports us being anywhere close to that realistically.
>>>>>
>>>>> As Chair, this is a valuable conversation to have with real data on
>>>>> problems and opportunities at scale, and am excited to see Tobias share and
>>>>> see what others have to say.
>>>>>
>>>>> Seth
>>>>>
>>>>> On Thu, Jun 8, 2023 at 3:21 PM Murray S. Kucherawy <superuser@gmail.com <mailto:superuser@gmail.com>>
>>>>> wrote:
>>>>>
>>>>>> On Thu, Jun 8, 2023 at 6:00 AM Tobias Herkula <tobias.herkula=
>>>>>> 401und1.de@dmarc.ietf.org <mailto:401und1.de@dmarc.ietf.org>> wrote:
>>>>>>
>>>>>>> My team recently concluded an extensive study on the current use and
>>>>>>> performance of DMARC. We analyzed a staggering 3.2 billion emails, and the
>>>>>>> insights drawn are quite enlightening. Of these, 2.2 billion emails
>>>>>>> (approximately 69%) passed the DMARC check successfully. It's quite an
>>>>>>> achievement, reflective of our collective hard work in fostering a safer,
>>>>>>> more secure email environment.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> However, upon further analysis, it's evident that a mere 1.6% (or
>>>>>>> thirty-six million) of these DMARC-passed emails relied exclusively on the
>>>>>>> Sender Policy Framework (SPF) for validation. This is a remarkably low
>>>>>>> volume compared to the overall DMARC-passed traffic, raising questions
>>>>>>> about SPF's relevancy and the load it imposes on the DNS systems.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Given the current use case scenarios and the desire to optimize our
>>>>>>> resources, I propose that we explore the possibility of removing the SPF
>>>>>>> dependency from DMARC. This step could result in a significant reduction in
>>>>>>> DNS load, increased efficiency, and an accurate alignment with our
>>>>>>> predominant use cases.
>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>
>>>>>> Does anyone have consonant (or dissonant) data?
>>>>>>
>>>>>> -MSK, participating
>>>>>> _______________________________________________
>>>>>> dmarc mailing list
>>>>>> dmarc@ietf.org <mailto:dmarc@ietf.org>
>>>>>> https://www.ietf.org/mailman/listinfo/dmarc <https://www.ietf.org/mailman/listinfo/dmarc>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>
>>>>> *Seth Blank * | Chief Technology Officer
>>>>> *e:* seth@valimail.com <mailto:seth@valimail.com>
>>>>> *p:* 415.273.8818
>>>>>
>>>>> This email and all data transmitted with it contains confidential
>>>>> and/or proprietary information intended solely for the use of individual(s)
>>>>> authorized to receive it. If you are not an intended and authorized
>>>>> recipient you are hereby notified of any use, disclosure, copying or
>>>>> distribution of the information included in this transmission is prohibited
>>>>> and may be unlawful. Please immediately notify the sender by replying to
>>>>> this email and then delete it from your system.
>>>>> _______________________________________________
>>>>> dmarc mailing list
>>>>> dmarc@ietf.org <mailto:dmarc@ietf.org>
>>>>> https://www.ietf.org/mailman/listinfo/dmarc <https://www.ietf.org/mailman/listinfo/dmarc>
>>>>>
>>>> _______________________________________________
>>>> dmarc mailing list
>>>> dmarc@ietf.org <mailto:dmarc@ietf.org>
>>>> https://www.ietf.org/mailman/listinfo/dmarc <https://www.ietf.org/mailman/listinfo/dmarc>
>>>>
>>> --
>
>*Seth Blank * | Chief Technology Officer
>*e:* seth@valimail.com <mailto:seth@valimail.com>
>*p:* 415.273.8818
>
>This email and all data transmitted with it contains confidential and/or
>proprietary information intended solely for the use of individual(s)
>authorized to receive it. If you are not an intended and authorized
>recipient you are hereby notified of any use, disclosure, copying or
>distribution of the information included in this transmission is prohibited
>and may be unlawful. Please immediately notify the sender by replying to
>this email and then delete it from your system.


_______________________________________________
dmarc mailing list
dmarc@ietf.org <mailto:dmarc@ietf.org>
https://www.ietf.org/mailman/listinfo/dmarc <https://www.ietf.org/mailman/listinfo/dmarc>

v2.23.0 | Report a Bug | By Email