IETF Logo Mail Archive

Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles

Sam Varshavchik <mrsam@courier-mta.com> Tue, 25 May 2021 10:52 UTC

Return-Path: <mrsam@courier-mta.com>
X-Original-To: ietf-smtp@ietfa.amsl.com
Delivered-To: ietf-smtp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4ACC53A0B16 for <ietf-smtp@ietfa.amsl.com>; Tue, 25 May 2021 03:52:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.437
X-Spam-Level: *
X-Spam-Status: No, score=1.437 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_PBL=3.335, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U0pYUYDKJefF for <ietf-smtp@ietfa.amsl.com>; Tue, 25 May 2021 03:52:19 -0700 (PDT)
Received: from mailx.courier-mta.com (mailx.courier-mta.com [68.166.206.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9636E3A0B17 for <ietf-smtp@ietf.org>; Tue, 25 May 2021 03:52:19 -0700 (PDT)
Received: from monster.email-scan.com (monster.email-scan.com [::ffff:192.168.0.2]) (TLS: TLSv1.3,256bits,TLS_AES_256_GCM_SHA384) by www.courier-mta.com with UTF8SMTPS id 000000000030000A.0000000060ACD6DD.0000702B; Tue, 25 May 2021 06:52:13 -0400
Received: from monster.email-scan.com (localhost [127.0.0.1]) (IDENT: uid 1004) by monster.email-scan.com with UTF8SMTP id 0000000000020394.0000000060ACD6DC.00010466; Tue, 25 May 2021 06:52:12 -0400
References: <20210525012345.E42AE8A790D@ary.qy>
Message-ID: <cone.1621939932.396187.66265.1004@monster.email-scan.com>
X-Mailer: http://www.courier-mta.org/cone/
From: Sam Varshavchik <mrsam@courier-mta.com>
To: ietf-smtp@ietf.org
Date: Tue, 25 May 2021 06:52:12 -0400
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="=_monster.email-scan.com-66265-1621939932-0001"; micalg="pgp-sha1"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf-smtp/WzZqk7FLq7tnXuNnKrPutHyO5s8>
Subject: Re: [ietf-smtp] DKIM and DMARC, Email explained from first principles
X-BeenThere: ietf-smtp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussion of issues related to Simple Mail Transfer Protocol \(SMTP\) \[RFC 821, RFC 2821, RFC 5321\]" <ietf-smtp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf-smtp/>
List-Post: <mailto:ietf-smtp@ietf.org>
List-Help: <mailto:ietf-smtp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf-smtp>, <mailto:ietf-smtp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2021 10:52:24 -0000

John Levine writes:

> As you say, merely having a DKIM signature tells you nothing, but
> after you watch a mail stream for a while, you see that some DKIM
> signers send clean mail and some send lousy mail and adjust your
> filters appropriately.

To me that's not fundamentally different from filtering based on the sending  
IP address.

I do not see both bad and clean mail coming out of the same IP address,  
differing only in the sending domain. In that situation, and where the  
signatures are applied by the mail host to their users, then I could see  
this argument.

I should clarify this. I see that occasionally. But when it does, I seem to  
always end up moving my goalposts, and conclude that the mail provider  
itself is rogue, and made a business decision to go into the business of  
providing spam outsourcing services, with some non-spam mail services on the  
side. So I treat it as a bad mail source.

Ss long as mail recipients are willing to tolerate spam-friendly mail  
service providers, and relying on the domain signature to filter out their  
spamming customers, this situation will never change.

I don't accept the premise that accepts bad and clean mail coming out of the  
same IP address using "oh well just use a domain signature" as a solution.

> Large mail systems all do this. We hoped that
> there would be shared DKIM reputation lists like there are shared IP
> lists but so far that hasn't happened.

This is never going to happen. Domains are relatively cheap. If a domain  
acquires negative social credit it'll be discarded and replaced by a new one.

> The original point of DMARC was for B2C or B2B mail from heavily
> phished domains like Paypal, that could say please discard anything
> from us that fails DMARC and we understand that might be some real
> mail. (All of Paypal's mail just says "something happened, look at our
> web site".) It still works pretty well for that.

Eh, no. A large majority of user-facing mail clients are now hiding the  
sending mail address, and showing only the name, up front.

From: "Paypal Customer Service" <kjsdfjklk@934iowero.us>

Most people will see "Paypal Customer Service". Valid domain signature for  
934iowero.us, and straight it goes into your Inbox.

v2.23.0 | Report a Bug | By Email