Re: [dmarc-ietf] Is From spoofing an interoperability issue or not?

[Scott Kitterman <sklist@kitterman.com>]

On April 19, 2023 1:37:25 PM UTC, Laura Atkins <laura@wordtothewise.com> wrote:
>
>
>> On 19 Apr 2023, at 14:20, John Levine <johnl@taugh.com> wrote:
>> 
>> It appears that Jesse Thompson  <zjt@fastmail.com> said:
>>> -=-=-=-=-=-
>>> 
>>> On Mon, Apr 17, 2023, at 8:37 AM, Laura Atkins wrote:
>>>> Should the IETF make the interoperability recommendation that SaaS providers who send mail on behalf of companies support
>>> aligned authentication? That means custom SPF domains and custom DKIM signatures. 
>>>> 
>>>> And if they can’t, then do we make a different recommendation regarding spoofed mail that evades a company’s DMARC policy?
>>> 
>>> +1 to this question. It's entirely unclear to ESPs whether they're allowed to spoof a domain that has no DMARC policy. ESPs
>>> can furthermore conclude that Domain Owners who publish p=reject|quarantine are violating DMARCbis, and subsequentlly the
>>> domain's policy declaration is invalid, and can be ignored.
>> 
>> Please see my previous comment about trying to enumerate every dumb thing people might do.
>> 
>> I very strenuously do not want us trying to guess how ESPs think nor offering them advice beyond
>> the interop advice we offer everyone else.
>
>That was my question: is it an interop issue that ESPs (whether they be your traditional ESP or a SaaS provider that sends mail on behalf of their customers) cannot support custom domains in the SPF and DKIM and thus cannot support DMARC? Many of the current companies have made the decision that supporting DMARC is too hard, and so what they do is use their own domain for DMARC (some publish restrictive polices and some don’t). 
>
>> In this specific case, if the company publishes p=reject, and they hire an ESP, and the company
>> is too inept to figure out how to let the ESP send aligned mail, well, yeah, then the company's
>> actual policy is clearly not their published policy, and the ESP can do whatever it wants.  So
>> let's not go there.
>
>
>To me it’s not so much the company can’t delegate authentication - it’s how many SaaS providers (some of which are ESPs and some of which are 3rd parties that send through ESPs) are incapable of supporting DMARC alignment. Not it’s hard, not it’s challenging, but simply … can’t. They cannot sign with foreign DKIM domains, and they cannot support different domains for SPF authentication. 
>
>Should DMARCbis make the recommendation that if you are providing mail services that you SHOULD be able to support corporate customers using DMARC? 
>
No.  I don't think so, certainly not in DMARCbis.

There may be room for an email authentication BCP and this might fit in there, but I think that's something to think about after we get the current work done.

The current DKIM working group topic might also be something that should be addressed in such a BCP.

Scott K