Re: [spfbis] [dmarc-ietf] Should we encourage the use of SPF "soft include" for common platforms?

Brandon Long <blong@google.com> Sat, 09 March 2019 00:37 UTC

Return-Path: <blong@google.com>
X-Original-To: spfbis@ietfa.amsl.com
Delivered-To: spfbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3CB4130E77 for <spfbis@ietfa.amsl.com>; Fri, 8 Mar 2019 16:37:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.5
X-Spam-Level:
X-Spam-Status: No, score=-17.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CcjMuvXipXqF for <spfbis@ietfa.amsl.com>; Fri, 8 Mar 2019 16:37:07 -0800 (PST)
Received: from mail-vk1-xa2c.google.com (mail-vk1-xa2c.google.com [IPv6:2607:f8b0:4864:20::a2c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 758FD130DE6 for <spfbis@ietf.org>; Fri, 8 Mar 2019 16:37:04 -0800 (PST)
Received: by mail-vk1-xa2c.google.com with SMTP id v131so4996734vkd.3 for <spfbis@ietf.org>; Fri, 08 Mar 2019 16:37:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=gDBZUQsGuLcXRlFManK0ZV4FBVuB2uLbr8vY75gahYI=; b=h2Z+XEAQ4QcsL+1wyTN4aX2818VY6yysYZ0cavLIoGoz53HKJDjxhzCfsvXULXSHi9 VJNDNqwDGsWvcfyfGuPS2454VaIkHjA5lpX5PviDY1f1bppi0xfBii9BSPEVJ7Zcz60f gCGChZvyWGGpqxE/1mpApFmW9NsgtxR79NN205huRLIYZiXYFurYI03qqNBfbJeaxud1 OGx3ArDriGSxY7A5bYhBFZxjg7plufn5Ny+Ti4EGzfSLmKbXCyU1PpHS87Sp1w//hs2A OPI/BDxWDJiy2Mq98uI00XSfNeFRvoSVCm7K7kca47inaZoDwjDbElKKWoCbY6z0+h75 39cg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=gDBZUQsGuLcXRlFManK0ZV4FBVuB2uLbr8vY75gahYI=; b=NXHSp6pe4KIzIrvXXVBA0ISbbwr7BuHiSotXd/C5QPuKUrDPYcGA2dWtOmiQw+HKb0 h/FjKNVh+fL6g/WbQ7JeDpajwE0kd1SLwbHTd6uWIrhpAVyFYEjRwQOpJT2mxKw0t2Ss d9kzz/WGgvivVNeG81tWH2EcjpYt3vCUL9Y1O7Zxocw5QzqApL/Wb8TkFOZMmItWXAHE XJjuMxwa/Asp1+w3chhRNRDxIZXbeXvWF+x+BzW4PxM7khnChPLJHNNXSeYhKObXdNKA rL7hH+9Iuo4ee8HjtIEEtnG2FBU9J+3dgUr1vNRv4FHoxQkpfyHJLziwRKE6WLtfvhPp N3EQ==
X-Gm-Message-State: APjAAAVyXfDVbwB8c80YjMs+06BttmW/Vv3FNQj5P8HazWJ7D/osJKVN 9CKMygBOH3GxoTpNPa1sbLIY64F3pb3y7Kr/bcJg
X-Google-Smtp-Source: APXvYqwqLoh04D9YJ/LcYbzAx9KZe3Vd/rFH0b11m5iNAGawFUGTe2qc8xU5IVvHPuqyNckYjMYPp7YNlQgAk9LJB78=
X-Received: by 2002:a1f:b754:: with SMTP id h81mr10716866vkf.64.1552091822917; Fri, 08 Mar 2019 16:37:02 -0800 (PST)
MIME-Version: 1.0
References: <CABuGu1oxZvM+kf_pvE9B5LFVwr1wOrZGJDxDoGEgUqhHW9x9gQ@mail.gmail.com> <f4eb2ccc-466c-62d0-b5a7-77843d26dfb4@corp.mail.ru>
In-Reply-To: <f4eb2ccc-466c-62d0-b5a7-77843d26dfb4@corp.mail.ru>
From: Brandon Long <blong@google.com>
Date: Fri, 08 Mar 2019 16:36:49 -0800
Message-ID: <CABa8R6tMxT=XK6S6zpnfYzw6t3kg8cSwqgowsHc_9H0VNTW2Ng@mail.gmail.com>
To: Vladimir Dubrovin <dubrovin=40corp.mail.ru@dmarc.ietf.org>
Cc: "Kurt Andersen (b)" <kboth@drkurt.com>, "dmarc@ietf.org" <dmarc@ietf.org>, spfbis@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c3f6df05839e89ae"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spfbis/9gloArh2juj0WXJHBqon5_J8mk0>
Subject: Re: [spfbis] [dmarc-ietf] Should we encourage the use of SPF "soft include" for common platforms?
X-BeenThere: spfbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SPFbis discussion list <spfbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spfbis>, <mailto:spfbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spfbis/>
List-Post: <mailto:spfbis@ietf.org>
List-Help: <mailto:spfbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spfbis>, <mailto:spfbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Mar 2019 00:37:12 -0000

On Sat, Feb 23, 2019 at 11:35 AM Vladimir Dubrovin <dubrovin=
40corp.mail.ru@dmarc.ietf.org> wrote:

>
> It's bad idea, because "?" does not grant SPF authentication. SPF is
> important even if message is DKIM signed and regardless of DMARC, because
> it authenticates envelope address. As an example, NDR/MDN  may not be
> generated to envelope address which is not SPF authenticated, we actually
> use this rule in practice to eliminate secondary spam.
>
> GSuite, O365 and large ESPs should not allow to use unvalidated/spoofed
> e-mail address. If somebody allows to spoof sender, there is also a good
> chance it DKIM signs spoofed message, because DKIM signature is applied by
> the same party.
>

Although we go through great pains not to allow you to generate new
messages with spoofed addresses, and we also are very particular about what
we will DKIM sign... we haven't been as particular with SPF.  I kept
meaning to create a new smtp-out IP pool that wasn't in our SPF record, but
given our SPF record was "all our IPs", that was never an easy task.  We
then could have used that pool for any message where we don't want to
potentially validate with SPF.

As to why we have any messages like that, its because of forwarding and
relaying.  And the cases where you should use your non-SPF IPs include
"same domain", ie if you get a spoofed message to a mailing list on the
domain, it shouldn't acquire SPF auth by virtue of going through the list.

The solution we've used for that now is ARC, we'll "remove" the spf auth of
a message if it has an spf=fail for the same domain in the ARC chain.

Brandon


>
> 23.02.2019 21:07, Kurt Andersen (b) пишет:
>
> With the growth of huge platforms that emit mail from the same common set
> of IPs (such as GSuite, O365, or large ESPs), regular SPF "include" ends up
> granting a DMARC pass to a lot more potential authors than most
> organizations would necessarily choose to grant.
>
> Instead of using the standard "(+)include:" approach, if domain owners
> used "?include:" as their mechanism, then that would prevent the SPF result
> from granting a DMARC PASS result when traffic is coming from one of these
> massively included platforms. It would essentially force the DMARC result
> to be driven only by the DKIM evaluation.
>
> Thoughts?
>
> --Kurt Andersen
>
> (I'm copying the spfbis list too because there may be folks lurking there
> who are not on the DMARC list)
>
> _______________________________________________
> dmarc mailing listdmarc@ietf.orghttps://www.ietf.org/mailman/listinfo/dmarc
>
>
> --
> Vladimir Dubrovin
> @Mail.Ru
>
> _______________________________________________
> spfbis mailing list
> spfbis@ietf.org
> https://www.ietf.org/mailman/listinfo/spfbis
>