Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

Florian.Kunkel@telekom.de Mon, 26 June 2023 12:52 UTC

From: Florian.Kunkel@telekom.de
To: sklist@kitterman.com, dmarc@ietf.org
Date: Mon, 26 Jun 2023 12:51:06 +0000
Message-ID: <FR0P281MB1564D3225C34252E16872FF5E926A@FR0P281MB1564.DEUP281.PROD.OUTLOOK.COM>
References: <30BB83B2-B454-41B8-992B-8E2569802D9C@1und1.de> <CAHej_8=7M=zJB2ENbnEQfRMfwEXDnGo61jHE_qQPTc0V9tFMdA@mail.gmail.com> <d30d574d-0cb8-bfc4-0d9f-7176882fc81e@inboxsys.com> <3315842.y3rMdDZ7an@localhost>
In-Reply-To: <3315842.y3rMdDZ7an@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dmarc/zYwRJXFRXG4T65leAoVzBtfafj0>
Subject: Re: [dmarc-ietf] easier DKIM, DMARC2 & SPF Dependency Removal

> In theory, DKIM is enough for DMARC (this was always true), but in practice it
> is not.

Maybe you can afford to use SPF, DKIM, DMARC in pure theory for your day job,
but people here expect to apply it to solve real problems with real email in real life.
*SCNR* ... do not take that personally.


> I don't think there's evidence of a systemic weakness in the protocol.  We've
> seen evidence of poor deployment of the protocol for SPF, but I think the
> solution is to fix that (see the separate thread on data hygiene).


The problem with DMARC is that there's no easy way to decide you can rely on SPF as long as it references shared IP infrastructure (because you can't decide whether an IP is shared or dedicated).
In my view this is a tremendous weakness of the SPF protocol.
(maybe only 'cause I do not trust shared infrastructure providers to get their customers right all the time, 'cause I know how hard that is from being an ISP mailer)

So to remove, or at least ignore, SPF from DMARC is a minimal requirement for DMARC to be worth mentioning as supportive of sender authentication at all.
Meanwhile it's a pretty viable attack vector against DMARC, foiling the idea of sender authentication.


Florian
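The point argued above, shown as an added evaluator that is not code from the post or from any DMARC implementation: a domain whose SPF record authorises a shared provider's address block lets any tenant of that block produce an aligned SPF pass, so the RFC 7489 "aligned SPF or aligned DKIM" rule yields a DMARC pass with no signature from the domain; the `require_dkim` flag models the "ignore SPF" variant. The domain, network, addresses and DKIM results are constructed assumptions.

```python
import ipaddress

# Constructed example data (not from the mailing-list post).
# example.com's SPF record authorises a shared provider's address block;
# every tenant of that provider sends from the same addresses.
SPF_IP4 = {"example.com": [ipaddress.ip_network("203.0.113.0/24")]}

def spf_aligned(sender_ip, mail_from_domain, header_from_domain):
    """Strict-alignment SPF: IP authorised by the MAIL FROM domain's record
    and that domain equal to the RFC5322.From domain."""
    nets = SPF_IP4.get(mail_from_domain, [])
    ip = ipaddress.ip_address(sender_ip)
    return any(ip in n for n in nets) and mail_from_domain == header_from_domain

def dkim_aligned(dkim_results, header_from_domain):
    """dkim_results: list of (d= domain, verified) as a verifier would report."""
    return any(ok and d == header_from_domain for d, ok in dkim_results)

def dmarc_result(msg, require_dkim=False):
    """RFC 7489 passes on aligned SPF *or* aligned DKIM; require_dkim=True
    models the variant argued for on this thread, where SPF is ignored."""
    hf = msg["header_from"]
    dkim_ok = dkim_aligned(msg["dkim"], hf)
    spf_ok = spf_aligned(msg["ip"], msg["mail_from"], hf)
    if require_dkim:
        return "pass" if dkim_ok else "fail"
    return "pass" if (dkim_ok or spf_ok) else "fail"

# Message 1: example.com's own mail, DKIM-signed, relayed via the shared provider.
LEGIT = {"ip": "203.0.113.10", "mail_from": "example.com",
         "header_from": "example.com", "dkim": [("example.com", True)]}
# Message 2: another tenant of the same provider uses example.com in MAIL FROM
# and From:; the only signature present is the tenant's own, so nothing aligns.
OTHER_TENANT = {"ip": "203.0.113.77", "mail_from": "example.com",
                "header_from": "example.com", "dkim": [("tenant.example", True)]}

if __name__ == "__main__":
    for name, m in (("legit", LEGIT), ("other tenant", OTHER_TENANT)):
        print(name, "SPF-or-DKIM:", dmarc_result(m),
              "DKIM-only:", dmarc_result(m, require_dkim=True))
```

The second message passes under the standard rule purely on the shared-IP SPF match and fails once DKIM alignment is required, while the domain's own signed mail passes either way.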