IETF Logo Mail Archive

Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal

Dotzero <dotzero@gmail.com> Thu, 08 June 2023 21:05 UTC

Return-Path: <dotzero@gmail.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45ABBC151093 for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 14:05:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gt3ksyYw1r4t for <dmarc@ietfa.amsl.com>; Thu, 8 Jun 2023 14:05:55 -0700 (PDT)
Received: from mail-vk1-xa33.google.com (mail-vk1-xa33.google.com [IPv6:2607:f8b0:4864:20::a33]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C24D3C14F73E for <dmarc@ietf.org>; Thu, 8 Jun 2023 14:05:55 -0700 (PDT)
Received: by mail-vk1-xa33.google.com with SMTP id 71dfb90a1353d-462a2998bceso415586e0c.2 for <dmarc@ietf.org>; Thu, 08 Jun 2023 14:05:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1686258354; x=1688850354; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=9PddIB8+gy8MjYDwpsiog6Q+XX1RFGFVGNy5hItzttM=; b=eht86NB2pG6UIQAvdky0NvJqUDCextzJiWbPRKV4WT8wJuUh787N44OeoyxdIEmVku X+Vuq15UGz4tPVPMNavH/Gp0C9tU2EcpyK18V3W8JhlZ0DTA/kCkDdNxmgYKMNMJK3cI FCq9w1oAp7drbV7jX3qI7aWIdUXhNyi0DzvEnxceYU2VRdhVvvaC3zcOuVkMorvOEAeK upuNWOe7bjwHQ7tZo6OFYT1ECNNoF9mk0qZAcjQm71yJ5Xez8N4K0r2ej5qhoPQR1jG6 xrgQeahJkdVNLzWvHvAoh8lgL6F+GrY4RJVpvaF4831FqLDY/sY14V7JdP/wZjqHqQfX g5sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1686258354; x=1688850354; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=9PddIB8+gy8MjYDwpsiog6Q+XX1RFGFVGNy5hItzttM=; b=daRr8UItAxAw+2iHVvgwG8FdZrpc69WHrd1ZrJ37DoBHGLebWvgZxxrONQMDaZfmDT /IQIYaUrxSk1ZyNFND1QNaM7X0wn3C8dmOqvgoKRm/VJpSBiSXw6enESkr7/k2sLBsNl M2CxCMyouyF5+OnPekUnFY1itYtMsauPndxcOKXY1RifarrmO6t3I1CeSv46fMDMHUP+ XEbtzN8aVyGxHEnn18u/x+wofFzUiSrSs2GDO7cdLa9yLnEgslByPLTKPNDqB4ajvr/q /QLoHtoSu3Dr3AihoRv9bO0Myt9tbhlUnxmJg9H8zY9sIXKFdkLNCtJBXPtecJd982lY z/Fg==
X-Gm-Message-State: AC+VfDwDwkteIWOaHEWtvvL9ZVav3Ziupg2gSRE4vo/Lx74pdc+F8uP0 JKQj3f70QF++xu3uqX8ntMlYlVKE+AMyoXiMMvw=
X-Google-Smtp-Source: ACHHUZ5IVjdazjpbnzkw2b/k2QuKNW2qzHGHzfZivB8QHgLEfVPc97sE7JHBX+r/wf17tTkYpfkZkhhLfPFTisSG9oA=
X-Received: by 2002:a05:6102:3bc6:b0:43c:d5c5:2733 with SMTP id a6-20020a0561023bc600b0043cd5c52733mr2953184vsv.23.1686258354614; Thu, 08 Jun 2023 14:05:54 -0700 (PDT)
MIME-Version: 1.0
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAL0qLwbx6Y=kmB5pQZx8gNqD=rLBYz1vLOX6ngL=wUHHUm0Hjw@mail.gmail.com> <CAOZAAfMtsjcp+aCrwQ2QRc+SHsw3rhwMuTBugRYe44NeiMeKyg@mail.gmail.com> <CALaySJKrXJJXz3pgp85BPswoirhPJtD=uuefVfc9sX1fGkj-iA@mail.gmail.com> <CAJ4XoYc++Ossx-1oAX6fK12a3v=yz8XhoXKHdNF7-e8p=O3OCA@mail.gmail.com> <CALaySJJU+AAbfYnzm2vHGNzo-BpEHAVUxTw_HmrvDo414MKq+g@mail.gmail.com>
In-Reply-To: <CALaySJJU+AAbfYnzm2vHGNzo-BpEHAVUxTw_HmrvDo414MKq+g@mail.gmail.com>
From: Dotzero <dotzero@gmail.com>
Date: Thu, 08 Jun 2023 17:05:44 -0400
Message-ID: <CAJ4XoYfQ4HJ8qxDdhr7Bc=up=kKAytVrC-SN2CkN9Gkjwwcu0A@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: Tobias Herkula <tobias.herkula=401und1.de@dmarc.ietf.org>, "dmarc@ietf.org" <dmarc@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000039f6d105fda49e43"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/tOEepJj0zzsf1tFpHled_V5AG5g>
Subject: Re: [dmarc-ietf] DMARC2 & SPF Dependency Removal
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dmarc/>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2023 21:05:56 -0000

On Thu, Jun 8, 2023 at 4:35 PM Barry Leiba <barryleiba@computer.org> wrote:

> > A sender using both SPF and DMARC will see a slight
> > boost in validation rates due to increased resiliency when there are
> > transient DNS failures and other problems.
>
> Do you mean "both SPF and DKIM", perhaps?
>

My bad. I responded while in the middle of something else. Proof that one
should always proof read before hitting send.

>
> I don't see how that makes sense: if there's a transient DNS failure,
> then neither the SPF nor the DKIM (nor the DMARC) records can be
> retrieved.
>

One example is where there are a pool of DNS servers. One server in a pool
might have an issue while others are fine. All the lookups do not
necessarily hit the same server. You also don't factor in cached results
for SPF as well as potentially different TTLs for those results.

>
> I also don't see how using an unreliable mechanism is a benefit.  It
> demonstrably hurts validation rates related to relayed/forwarded mail,
> and can cause *false* validations in cases of overly-broad SPF
> configurations (as when a large provider that also hosts many spammers
> is used).
>

It's all in the mail flow and configurations. YMMV. I was dealing almost
overwhelmingly with transactional emails in a well configured environment
(from the day that DMARC was originally published we were at p=reject)).
Yes, we had to fix some things beforehand. I strongly believe that the 2
biggest problems with setting up email authentication as a sender is that
people don't put much thought into it and in many cases they deploy when
their hair is on fire.

Michael Hammer

>
> Barry
>

v2.23.0 | Report a Bug | By Email