IETF Logo Mail Archive

Re: [dmarc-ietf] Proposing an extension to DMARC to optionally requireSPF and DKIM

"J. Gomez" <jgomez@seryrich.com> Mon, 01 April 2013 23:13 UTC

Return-Path: <jgomez@seryrich.com>
X-Original-To: dmarc@ietfa.amsl.com
Delivered-To: dmarc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15ABF21E8102 for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 16:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.949
X-Spam-Level:
X-Spam-Status: No, score=-1.949 tagged_above=-999 required=5 tests=[AWL=0.650, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rn4ssMMEyogA for <dmarc@ietfa.amsl.com>; Mon, 1 Apr 2013 16:13:46 -0700 (PDT)
Received: from eh.msi.es (eh.msi.es [213.27.239.123]) by ietfa.amsl.com (Postfix) with ESMTP id EB5C521E80FB for <dmarc@ietf.org>; Mon, 1 Apr 2013 16:13:45 -0700 (PDT)
Received: from servidor3 (62.82.191.195) by exchange01.exchange.msi.es (192.168.223.3) with Microsoft SMTP Server (TLS) id 8.3.213.0; Tue, 2 Apr 2013 01:13:44 +0200
Message-ID: <80FFAE6594A84EB9BDC60EA75BC91597@fgsr.local>
From: "J. Gomez" <jgomez@seryrich.com>
To: dmarc@ietf.org
References: <55b1222360ab4215a09a54da800d261b@BL2SR01MB605.namsdf01.sdf.exchangelabs.com>
Date: Tue, 02 Apr 2013 01:15:02 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.4657
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.4913
Subject: Re: [dmarc-ietf] Proposing an extension to DMARC to optionally requireSPF and DKIM
X-BeenThere: dmarc@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Domain-based Message Authentication, Reporting, and Compliance \(DMARC\)" <dmarc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dmarc>, <mailto:dmarc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dmarc>
List-Post: <mailto:dmarc@ietf.org>
List-Help: <mailto:dmarc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dmarc>, <mailto:dmarc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2013 23:13:47 -0000

On Monday, April 01, 2013 11:15 PM [GMT+1=CET], Terry Zink wrote:

> I am proposing an extension to DMARC. Whereas today DMARC requires
> one of a DKIM pass or SPF pass, I propose we extend DMARC so that is
> has the *option* to require both.  
>
> (...)
>
> Let's assume that BigBank.com has been dutiful and has published a
> DMARC record. The problem occurs when Learning.edu gets compromised
> and starts sending out spam. If a user starts sending out spam from
> joe@learning.edu, we can detect this and shut it down. But what
> happens if they start sending out mail as security@bigbank.com?    
> 
> example.com ------------+
>                         |
> BigBank.com ------------+----> Microsoft Forefront IPs ----> Internet
>                         |
> Learning.edu            |
>  security@bigbank.com --+
>
> (...)
>
> Extending DMARC this way lets brands/domains protect their outbound
> reputation behind a shared service without worrying whether or not
> some other customer will spoof them.  
> 
> Make sense?

I does make sense. I also like the explanation in your blog:

http://blogs.msdn.com/b/tzink/archive/2012/10/18/how-should-large-financial-institutions-use-hosted-filtering.aspx

In a multitenant cloud environment, and/or when you are giving customers a MTA-smarthost service to gateway their mail to the Internet, you cannot be sure that they will always be signing their email with DKIM, and you usually will not have their private DKIM keys to sign their email yourself as it flows through the smarthost towards the Internet, so taking the DMARC oportunity to close this hole in SPF is golden.

When we will all be on IPv6, and sharing IPs will be a thing of the past, this will be a non issue. But it is an issue now, and will be even a bigger issue as we remain in IPv4 and more and more things move to the cloud. Your proposal for DMARC would solve this problem scenario of SPF just fine.

Also, your proposal has more benefits:

-- makes DMARC more resilient in case any of its underliying authentications mechanisms becomes compromised/broken/moot in the future.
-- future is hard to predict, this would build into the DMARC specification an optional more strict authentication threshold which may be useful in the future.

As to how to fit your suggestion in the syntax of the DMARC record, I would add an additional (and optional) tag to the specification, "m=" (mechanisms required to pass) with the possible values of "all" and "any", where "all" would require all the mechanisms of DMARC to pass for a DMARC pass itself to be gotten, and where "any" would be the default.

Regards,

J. Gomez

v2.23.0 | Report a Bug | By Email