Barry, sorry if it sounded like I was pushing back. The short version is - no I don't have any big concerns. But if we discover something, we'll let you know ASAP.
The longer version: Regarding #1: what I've seen in our data matches your observation. It is a small subset of cases where there would be a change in DMARC policy. Regarding #2: I don't (yet) have an exhaustive evaluation for this on our end. I think we can make assumptions that always makes a more secure assumption and in the rare cases that is not inline with the sender's intentions - we would have to deal with that. I think that sticking with v=DMARC1 vs changing it to v=DMARC2 both have pros and cons. And based on all the discussions I don't think there is an objectively preferred way (when we consider the PSL tree walk only) since it depends on what each of us value. I've always said that I think changing the version is preferred based on what I value - but if the consensus is to not do that - I understand and will support that decision too. If we add the removal of SPF from DMARC I think that is similar to the PSL tree walk discussion. That could be done both with or without a version change I think. Depending on what you value - one is preferred over the other. I got a response from JohnL privately and apparently the VLMP he mentioned is not Google so my clarification was not needed. But I think it is good that we got our standpoint clarified to avoid misunderstandings. /E On Fri, Jun 9, 2023 at 5:41 PM Barry Leiba <barryle...@computer.org> wrote: > Keep in mind that we have looked at this extensively, and what we've > found is this: > > 1. Almost all [1] of the DMARC senders out there will see the same > results when recipients look them up using the tree walk as they have > using the PSL. In other words, the change will be different an > *extremely* small set of DMARC domains. > > 2. In *all* -- by that I mean 100% -- of the cases that we've actually > *seen* where there's a difference, the difference is *better*: that > is, the difference is a better reflection of the intent of the sending > domain. > > 3. We can find theoretical cases where the tree walk will be *worse*: > that is, where the PSL is a better reflection of the intent than the > tree walk is. But *all* of these are theoretical, and we have not > found *any* such cases that actually exist in the real world. It is, > though, possible that they do exist. > > Emil, given those three points, do you still think you need to be > concerned about the risk of making the change? > > Barry > > [1] In mathematics, we use "almost all" as an actual technical term > that applies to an infinite set and means "all but a finite number", > since removing a finite number of entries from an infinite set still > leaves an infinite set. That's kind of what I mean here. That is, > the vast, vast, VAST majority. > > On Sat, Jun 10, 2023 at 12:26 AM Emil Gustafsson > <emgu=40google....@dmarc.ietf.org> wrote: > > > > Not sure if I am that someone mentioned. In case I am - I'd like to > clarify what I meant; > > > > Without a version change for the tree-walk, I think we (Google) would > need to support both approaches (the old one plus the tree-walk) and based > on what we see - make a best guess which version we should use. > > Having two explicit versions still means we have two implementations, > but at least we don't have to guess which one to use whenever there would > be ambiguity with a single version. > > > > I'm always concerned about what bad people do to gain an advantage. But > in this case I'm more worried about somebody having an ambiguous DMARC > setup where VLMPs end up guessing the wrong intention. The most likely > outcome there would be rejected emails and an upset sender the VLMP need to > deal with. But atleast they are not spoofed. I think explicit versioning > helps mitigate that risk too (but it wont help companies making bad > configurations - but that we always have to live with). > > > > /E > > > > On Thu, Jun 8, 2023 at 10:21 AM John Levine <jo...@taugh.com> wrote: > >> > >> It appears that Tobias Herkula <tobias.herk...@1und1.de> said: > >> >However, such a fundamental shift in the protocol's architecture > warrants a clear signifier. I suggest we upgrade > >> >our DMARC version string from the current state to 'DMARC2.' This > upgrade would not only denote the change of SPF > >> >removal, but also the switch from the Public Suffix List (PSL) to the > Tree-Walk algorithm. > >> > >> I was talking with someone from a Very Large Mail Provider who told me > that > >> if we keep the same version number, they won't change what they do now, > so > >> no tree walk even if we keep SPF. > >> > >> They understand that as things stand now, the results of the PSL and > >> the tree walk are in practice the same. Their concern is that if some > >> people do it the old way and some the new, and you can't tell which > >> the domain expects, bad guys will create records with deliberately > >> inconsistent results. > >> > >> I'm not sure how likely that is, but arguing with a gorilla rarely > >> turns out well. I will see if I can talk to people at other VLMPs > >> and see how widespread this concern is. > >> > >> R's, > >> John > >> > >> PS: If we do bump the version number, it needs to go into the > >> aggregate reports, too. > >> > >> _______________________________________________ > >> dmarc mailing list > >> dmarc@ietf.org > >> https://www.ietf.org/mailman/listinfo/dmarc > > > > _______________________________________________ > > dmarc mailing list > > dmarc@ietf.org > > https://www.ietf.org/mailman/listinfo/dmarc > > _______________________________________________ > dmarc mailing list > dmarc@ietf.org > https://www.ietf.org/mailman/listinfo/dmarc >
_______________________________________________ dmarc mailing list dmarc@ietf.org https://www.ietf.org/mailman/listinfo/dmarc
