IETF Logo Mail Archive

Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM

Franck Martin <fmartin@linkedin.com> Tue, 02 April 2013 00:37 UTC

Return-Path: <prvs=797119cd4=fmartin@linkedin.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA50821F8F31 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 17:37:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.965
X-Spam-Level:
X-Spam-Status: No, score=-5.965 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_74=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jn8D6kfYmRki for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 17:37:27 -0700 (PDT)
Received: from esv4-mav04.corp.linkedin.com (esv4-mav04.corp.linkedin.com [69.28.149.80]) by ietfa.amsl.com (Postfix) with ESMTP id 4115911E80E2 for <dmarc@ietf.org>; Mon, 1 Apr 2013 17:37:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linkedin.com; i=@linkedin.com; q=dns/txt; s=proddkim1024; t=1364863047; x=1396399047; h=from:to:subject:date:message-id:in-reply-to:content-id: content-transfer-encoding:mime-version; bh=bRRd/8VMWT2Q2HArEIW2gWJQ1kU1q+vx2MmV78BNKZE=; b=BAh5N5pQYfa3j9VFFboM5MJ9FBwyAvjoa+8R8eBusS00PqK1ww58bM9k mdR3nUD7Mc8eYPMTPNtzXArJYaCqwh6ZZvsMDtQoy0xjaFg1XqvBIyRmu i4plN4oFgCx4xGp98hqFy2czWCe+7zw4KBfDsZYqsc9TAGb6qtRVyJ8RV 0=;
X-IronPort-AV: E=Sophos;i="4.87,390,1363158000"; d="scan'208";a="42730805"
Received: from ESV4-HT02.linkedin.biz (172.18.46.236) by esv4-cas02.linkedin.biz (172.18.46.142) with Microsoft SMTP Server (TLS) id 14.2.328.11; Mon, 1 Apr 2013 17:37:20 -0700
Received: from ESV4-MBX01.linkedin.biz ([fe80::d029:a1fa:62c4:2641]) by ESV4-HT02.linkedin.biz ([::1]) with mapi id 14.02.0328.009; Mon, 1 Apr 2013 17:37:20 -0700
From: Franck Martin <fmartin@linkedin.com>
To: Terry Zink <tzink@exchange.microsoft.com>, "dmarc@ietf.org" <dmarc@ietf.org>
Thread-Topic: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
Thread-Index: AQHOLzo7WIcKgMm6jkaL17mX29pwBQ==
Date: Tue, 02 Apr 2013 00:37:19 +0000
Message-ID: <77426B543150464AA3F30DF1A91365DE52EA0E87@ESV4-MBX01.linkedin.biz>
In-Reply-To: <3ba7c7a04f5f45cb95930ec99926ccc9@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.18.46.254]
Content-Type: text/plain; charset="utf-8"
Content-ID: <250FE33FDB28EA41997D7C44D2F47F51@linkedin.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally require SPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2013 00:37:28 -0000


On 4/1/13 5:31 PM, "Terry Zink" <tzink@exchange.microsoft.com> wrote:

>Thanks for the responses, everyone. I am going to respond to them one at
>a time but combine multiple email responses.
>
>John Levine:
>
>> bigbank.com txt "v=spf1 ?ip4:157.55.158.0/23 ?ip4:157.55.234.0/24
>>?ip4:157.56.112.0/24 ~all"
>>
>> Those question marks in the record on the Frontbridge ranges make them
>>neutral rather than pass,
>> which is appropriate in this case.  Since all of the real mail the
>>client sends through your
>> system will have a DKIM signature, it will still pass DMARC.
>> 
>> If the bank has its own private ranges for its non-bulk mail, those
>>could go in as SPF pass, e.g.
>> 
>> bigbank.comm txt "v=spf1 +ip4:22.22.22.22 ?ip4:157.55.158.0/23
>>?ip4:157.55.234.0/24
>> ?ip4:157.56.112.0/24 ~all"
>
>BigBank.com puts both Frontbridge/Forefront's IPs into its SPF records as
>well as its own IPs. We validate BigBank.com's IPs when it hits us the
>first time, and then 3rd parties validate our IPs when it hits them.
>
>But yes, I think you understand our issue (I think).
>
>> If you insist on both SPF and DKIM, you lose the path independence and
>>break the forwarding
>> while > gaining nothing, since the DKIM signature still tells you what
>>you need to know.
>> If the bank sends its own unsigned mail through its own mail servers,
>>the SPF record reflects
>> that, and it'll pass DMARC, too (give or take the known SPF forwarding
>>issues.)
>
>You are correct that you lose the path independence. But it is incorrect
>to say you gain nothing - you gain the ability to say "Nobody else can
>spoof me." Shouldn't it be the choice of the sender whether or not they
>want to make this assertion and subsequent trade-off?
>

We did SPF or DKIM because both were not solving the problem on their own.
So both combined together has all the advantages less the inconveniences.

If you want to say, nobody else can spoof me, then you can do SPF -all,
but then no large receiver never really trusted this policy assertion.
Also, you can put a DMARC record and SPF and not DKIM sign, you will get
the same benefits.

v2.23.0 | Report a Bug | By Email