Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC
On 6/14/21 10:09, Brotman, Alex wrote:
> Does this make everyone cringe, or perhaps worth a larger discussion?

This was considered (repeatedly) during the original DMARC work, and I believe again while it was being put into RFC7489 form. It was rejected because it increased the likelihood of broken/invalid records for the overwhelming majority, while providing complexity that relatively few senders wanted. And they could usually get what they wanted by other means.

I would not be in favor of adding more complex policy expressions.

--S.

___
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC
It appears that Brotman, Alex said:
> Does this make everyone cringe, or perhaps worth a larger discussion?

Cringe. As others have said, if you want DKIM to pass, sign everything with DKIM. I can promise you that anyone who says "all of our mail will always pass SPF" doesn't know where his mail is going.

For other reasons it would be a good idea to publish SPF records and have them usually pass, but they don't have to be the same domain as the DKIM or DMARC.
Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC
I think this is a bad idea as it adds unnecessary additional complexity. Currently, a domain owner can choose to only implement DKIM or SPF on a mail stream if they only wish one mechanism to be evaluated.

Further, if there is a (renewed?) desire to apply a policy layer to DKIM signed messages, then isn't that what ADSP (RFC 5617) was intended for?

Ken.

From: dmarc on behalf of Brotman, Alex
Sent: Monday 14 June 2021, 18:10
To: dmarc@ietf.org
Subject: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC

> Does this make everyone cringe, or perhaps worth a larger discussion?
Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC
This risks sendability, given the fact that there are a lot of receivers that require SPF-RRs. So not providing SPF-RRs also fails with such a requirement. Besides that, SPF does not help with any kind of 5322.From spoofing, but this is the most important identifier for an end user.

/ Tobias Herkula
Senior Product Owner Mail Security
Mail Application Security
1&1 Mail & Media GmbH | Mitte | 10115 Berlin | Germany

From: dmarc on behalf of Seth Blank
Sent: Monday, 14 June 2021 19:45
To: Brotman, Alex; dmarc@ietf.org
Subject: Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC

> HUGE cringe ;-) DMARC has an explicit policy that either SPF or DKIM must pass aligned. This proposal breaks that foundationally.
Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC
HUGE cringe ;-)

DMARC has an explicit policy that either SPF or DKIM must pass aligned. This proposal breaks that foundationally.

This is suggested quite frequently, but fails to understand just how few senders of email actually send with DKIM. Most email is sent from services that have a core business that's not in email, and when we're lucky, they manage to publish an SPF record for their customers to use. Only large volume sophisticated services tend to do DKIM. A domain owner that requires everything that sends on its behalf to use DKIM basically shoots itself in the foot, and makes most of the services they'd need to use unavailable to themselves.

The correct answer is what you said: domain owners who want this should only authenticate services using DKIM.

Seth

On Mon, Jun 14, 2021 at 10:10 AM Brotman, Alex wrote:
> Does this make everyone cringe, or perhaps worth a larger discussion?

--
Seth Blank | VP, Product
Re: [dmarc-ietf] Sender-supplied decision matrix for passing DMARC
This rings to me like something that would look like the simple/relaxed alignment option currently in DMARC. "Require aligned DKIM" being something along the lines of "rdkim=y; rspf=n;" with the not-included/default value being "n."

If you agree that adding it is simple enough, the real question is what value does this really add to DMARC and/or will it improve DMARC adoption? Personally, I think it would be generally welcomed among senders who like really granular control over their authentication or who don't fully understand DMARC's "defaults" (for example, senders who use "p=reject; pct=100;").

On Mon, Jun 14, 2021 at 1:10 PM Brotman, Alex wrote:
> Does this make everyone cringe, or perhaps worth a larger discussion?
[dmarc-ietf] Sender-supplied decision matrix for passing DMARC
Hello,

I was talking to some folks about DMARC, and a question came as to suggest as the domain holder that your messages should always pass DKIM. Effectively, the asker wants to say "I intend to deploy SPF and DKIM, but I will *always* sign my messages with DKIM." So the obvious answer may be "Just only use DKIM", but I'm not sure that completely answers the question. While discussing with someone else, "Tell me when DKIM fails, but SPF is fully aligned". There was recently an incident at a provider where they were allowing any sender to send as any domain (and I'm aware that's not specifically a DMARC issue). We all know brands that have just dumped in a pile of "include" statements without fully understanding the implications. In this case, other users could send as other domains, but perhaps they would not have been DKIM signed. Should there be a method by which a domain holder can say "We want all messages to have both, or be treated as a failure", or "We'll provide both, but DKIM is a must"?

From a receiver side, it makes evaluation more complex. From a sender side, it gives them more control over what is considered pass/fail.

How does this look in practice? Maybe "v=DMARC1;p=quarantine;rua=...;pm=dkim:must,spf:should;" (pm=Policy Matrix)

Does this make everyone cringe, or perhaps worth a larger discussion?

--
Alex Brotman
Sr. Engineer, Anti-Abuse & Messaging Policy
Comcast
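The following is an added example, not code from the dmarc-ietf thread, from RFC 7489, or from any of the posters' products. It puts the two rules under discussion side by side on the same inputs: the standard evaluator implements the either-or rule Seth Blank describes (pass if either SPF or DKIM passes *and* aligns with the RFC5322.From domain, with `aspf`/`adkim` choosing strict or relaxed alignment), and a second evaluator implements the hypothetical `pm=dkim:must,spf:should` tag from the original post so its effect on the "pile of include statements" scenario can be seen. Assumptions: the `pm=` semantics ("must" is a hard requirement, "should" keeps today's behaviour) are the author's own reading of the proposal, the organizational-domain derivation is simplified to the last two labels instead of the Public Suffix List, and the `MessageAuth` records, domains and DMARC records are constructed for the example.

```python
"""Added example: RFC 7489 DMARC evaluation beside a hypothetical pm= evaluator.
Not from the dmarc-ietf thread; the pm= tag exists only in the proposal."""
from dataclasses import dataclass


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    A real receiver uses the Public Suffix List (RFC 7489 section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): 's' = strict (exact
    match), anything else = relaxed (same organizational domain)."""
    if mode == "s":
        return identifier_domain.lower() == from_domain.lower()
    return org_domain(identifier_domain) == org_domain(from_domain)


def parse_record(record: str) -> dict:
    """Split a DMARC TXT record into a tag=value dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class MessageAuth:
    """Authentication results a receiver already holds before DMARC runs
    (constructed for this example; a real MTA gets them from its SPF/DKIM
    verifiers)."""
    from_domain: str   # RFC5322.From domain
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was checked against
    dkim: list         # (result, d= domain) per DKIM-Signature


def mechanisms(record: str, msg: MessageAuth) -> dict:
    """Which of SPF / DKIM both passed and aligned with the From domain."""
    tags = parse_record(record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.from_domain, tags.get("aspf", "r"))
    dkim_ok = any(
        res == "pass" and aligned(d, msg.from_domain, tags.get("adkim", "r"))
        for res, d in msg.dkim)
    return {"spf": spf_ok, "dkim": dkim_ok}


def evaluate_rfc7489(record: str, msg: MessageAuth) -> str:
    """Standard DMARC: pass if either aligned mechanism passes; otherwise the
    disposition is whatever p= requests (none/quarantine/reject)."""
    tags = parse_record(record)
    if any(mechanisms(record, msg).values()):
        return "pass"
    return tags.get("p", "none")


def evaluate_with_pm(record: str, msg: MessageAuth) -> str:
    """Hypothetical evaluator for the proposed pm= tag (assumed semantics):
    a mechanism marked 'must' is a hard requirement, 'should' leaves the
    RFC 7489 either-or rule in place. Without pm= it behaves like the standard."""
    tags = parse_record(record)
    ok = mechanisms(record, msg)
    matrix = {}
    for item in tags.get("pm", "").split(","):
        mech, sep, level = item.strip().partition(":")
        if sep:
            matrix[mech.strip().lower()] = level.strip().lower()
    required = [m for m, level in matrix.items() if level == "must"]
    if any(not ok.get(m, False) for m in required):
        return tags.get("p", "none")
    return "pass" if any(ok.values()) else tags.get("p", "none")


# Constructed sample records and messages. The first message is the scenario
# from the thread: a shared provider is listed in example.com's SPF via an
# include but does not DKIM-sign for it; the second is signed by the owner.
RECORD_STD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-rua@example.com"
RECORD_PM = RECORD_STD + "; pm=dkim:must,spf:should"

unsigned_via_provider = MessageAuth(
    from_domain="example.com", spf_result="pass",
    spf_domain="bounce.example.com", dkim=[])
signed_by_owner = MessageAuth(
    from_domain="example.com", spf_result="fail",
    spf_domain="example.com", dkim=[("pass", "example.com")])

if __name__ == "__main__":
    for name, msg in [("unsigned via provider", unsigned_via_provider),
                      ("signed by owner", signed_by_owner)]:
        print(f"{name}: RFC7489={evaluate_rfc7489(RECORD_STD, msg)} "
              f"pm=dkim:must -> {evaluate_with_pm(RECORD_PM, msg)}")
```

Running it shows the trade-off the replies describe: the unsigned provider message passes under RFC 7489 because aligned SPF alone suffices, and is quarantined under `pm=dkim:must`, which is exactly the outcome that blocks DKIM-less services a domain owner may depend on; switching the standard record to `aspf=s` would also quarantine it, since `bounce.example.com` no longer aligns strictly with `example.com`.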