Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles
John Levine <johnl@taugh.com> Tue, 25 May 2021 01:23 UTC
It appears that Sam Varshavchik <mrsam@courier-mta.com> said:
>I'm struggling to identify some tangible value-added that DKIM/DMARC brings
>to the table.
>
>Ostensibly, these signatures prove that the mail really comes from the
>domain it purported to come from.
>
>Ok, that's cool, but what is the point?

For DKIM, the point is to have a reliable identifier for the message that is better than an IP address. Small mailers that share an IP can use separate signing domains to separate their mail streams, large mailers can aggregate the reputation of all of their outbound IPs. As you say, merely having a DKIM signature tells you nothing, but after you watch a mail stream for a while, you see that some DKIM signers send clean mail and some send lousy mail and adjust your filters appropriately. Large mail systems all do this. We hoped that there would be shared DKIM reputation lists like there are shared IP lists but so far that hasn't happened.

The original point of DMARC was for B2C or B2B mail from heavily phished domains like Paypal, that could say please discard anything from us that fails DMARC and we understand that might be some real mail. (All of Paypal's mail just says "something happened, look at our web site".) It still works pretty well for that.

Unfortunately, AOL and Yahoo had separate giant security failures and allowed crooks to steal people's address books, so spammers could take pairs of addresses and send spam that appeared to be from a friend, leading to huge numbers of support calls at AOL and Yahoo. They decided to outsource the cost of their security failures to the rest of the Internet by abusing DMARC p=reject to make that spam disappear, along with a lot of real person-to-person and list mail. They knew this would break every mailing list and they didn't care, according to someone who was in the room at the time.

The people who designed DKIM and DMARC knew then and know now what it can and can't do, but we have done a poor job of explaining them to people who want them to be a magic FUSSP.

R's,
John
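The per-signer reputation that John describes, as an added example that is not part of the message or of any mail system's code: it pulls the d= domain from each dkim=pass result in an Authentication-Results header (RFC 8601 syntax, simplified) and tallies how often each verified signer's mail later turned out to be spam. The header strings and the spam verdicts are constructed sample data; the domains and the helper names are assumptions.

```python
import re
from collections import defaultdict

def passing_dkim_domains(auth_results: str) -> list[str]:
    """Return the d= domains of DKIM signatures the receiver verified (dkim=pass).

    Only a verified signature is a usable identifier: dkim=fail or dkim=none says
    nothing about who sent the message, so those results are ignored rather than
    charged against the domain named in them (a forger must not be able to
    damage a legitimate signer's reputation by attaching a bogus signature).
    """
    domains = []
    # The first field is the authserv-id ("mx.example.net"); the rest are results.
    for part in auth_results.split(";")[1:]:
        part = re.sub(r"\([^)]*\)", "", part).strip()  # drop comments like "(2048-bit key)"
        if not part.startswith("dkim="):
            continue
        tokens = part.split()
        result = tokens[0][len("dkim="):]
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if result == "pass" and "header.d" in props:
            domains.append(props["header.d"].lower())
    return domains

def signer_reputation(messages):
    """messages: (auth_results_header, judged_spam) pairs, where judged_spam is the
    verdict reached later (complaints, traps, manual review).
    Returns {signing_domain: (messages_seen, spam_fraction)}."""
    seen, spam = defaultdict(int), defaultdict(int)
    for auth_results, judged_spam in messages:
        for domain in passing_dkim_domains(auth_results):
            seen[domain] += 1
            if judged_spam:
                spam[domain] += 1
    return {d: (seen[d], spam[d] / seen[d]) for d in seen}

# Constructed sample stream (hypothetical domains, fake header.b values).
SAMPLE = [
    ("mx.example.net; dkim=pass (2048-bit key) header.d=bank.example header.b=AAAA", False),
    ("mx.example.net; dkim=pass header.d=bank.example header.b=BBBB", False),
    ("mx.example.net; dkim=pass header.d=bulk.example header.b=CCCC", True),
    ("mx.example.net; dkim=pass header.d=bulk.example header.b=DDDD", True),
    ("mx.example.net; dkim=pass header.d=bulk.example header.b=EEEE", False),
    # Forged mail with a failing signature: must not count against bank.example.
    ("mx.example.net; dkim=fail (signature mismatch) header.d=bank.example header.b=FFFF", True),
    ("mx.example.net; dkim=none", True),
]

if __name__ == "__main__":
    for domain, (n, frac) in sorted(signer_reputation(SAMPLE).items()):
        print(f"{domain}: {n} messages, {frac:.0%} spam")
```

A real filter would weight the score by volume and age, but the identifier being keyed on is the same: the verified d= domain, not the sending IP.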